Secure and simple access to digital resources is a fundamental need for organizations. However, to achieve that can be difficult via public key infrastructure (PKI) alone. FIDO offers an excellent alternative but for many organizations there is a requirement to have more management of the FIDO credential.
In this blog post we look into what consolidated PKI and FIDO authentication is, its benefits to organizations for securing workforce and supply-chain authentication, and how it can be best deployed and managed.
Consolidated strong authentication
Organizations need to have a whole view over their authentication deployment, ensuring the right people have access to the right systems in a timely manner with minimal overheads.
Ideally, this is achieved by a single system to ensure consistency between processes and policies, in turn simplifying deployment and minimizing ongoing costs.
For those responsible for maintaining information security, having a single point of administration is essential to providing consistent security.
The drivers behind issuing and managing PKI and FIDO credentials
Organizations want to use appropriate security, striking a balance between security and usability. Weak or compromised passwords are a primary cause of more than 81% of data breaches and removing this threat is a top priority. Passwords and OTPs are also frustrating from a user experience perspective.
PKI and FIDO both offer crypto-based authentication, the most secure method of multi-factor authentication available but how can organizations already using PKI also manage FIDO, and how about organizations who want to move away from passwords and OTPs to FIDO?
Internally an organization may wish to use PKI where many systems (network infrastructure, operating systems, Wi-Fi etc.) already have built-in PKI support, or where use cases lend themselves to a PKI based solution such as signed and encrypted email. However, there are some applications that do not lend themselves easily to PKI based authentication, e.g. legacy applications that are difficult to PKI enable, or SaaS solutions where the organization itself is not in control of the end application. PKI is also heavily policy driven with certificates being issued by a trusted authority to a defined security process. It is often difficult to extend these processes to contractors or the supply chain where the organization is not in control of the employee onboarding process. FIDO can provide a suitable alternative means of strong authentication to PKI as it combines highly secure crypto based security with a simple standards based approach. This makes it suitable for modern applications, including SaaS, in addition to not having the policy constraints associated with PKI, making it a viable option for contractors and supply chain.
This means organizations will need to manage the deployment of two types of authentication technology. Having separate, disconnected systems to manage both FIDO and PKI would lead to:
- inconsistency of policy between systems
- extra complexity and overheads to manage two systems
The solution to issuing and managing PKI and FIDO credentials
Intercede’s MyID software manages deployment and lifecycle events for both PKI, FIDO and combined PKI / FIDO devices. This brings simplicity to control the complex requirements and policy control.
MyID provides a unified approach, ensuring that:
- the right credentials end up with the right people
- lifecycle events are auditable
- end users with active FIDO credentials are visible
- usage of FIDO credentials is controlled
- operators have a single point to revoke, replace, and set policies for end user FIDO credentials
MyID offers the flexibility to manage all of your authentication from one software package, giving you consistency over policy, reporting and user experience.
To find out more or arrange a free demo of MyID’s new FIDO management capability contact us now using the form below.