Password security is lacking in most businesses. 57% of users write their passwords on “sticky notes,” and 67% admit to losing those notes, 2021 data from Keeper Security shows. Using certificate-based authentication makes your business more secure while providing a better user experience. Here’s how PKI authentication works & what IT admins need to know to implement it within their organizations
Password-based security in many organizations is a problem. Sure, part of this stems from employees practicing poor password hygiene (such as creating weak passwords or sharing their credentials with colleagues). However, a large part of it comes from employers practicing poor access management. Recent data from Keeper Security and Pollfish shows that 32% of their 1,000 survey respondents say they’ve accessed accounts belonging to their former employers. So, how do you mitigate these password-related vulnerabilities? By eliminating passwords altogether through the use of client authentication certificates.
Client certificate authentication, or more accurately certificate-based authentication, is an easy way for users to access resources and data securely. Unlike traditional password-based security methods, which consist of typing in usernames and passwords every time you want to access something, this way of proving your identity doesn’t require multiple login attempts or the (inevitable) dreaded password reset option. It also doesn’t need you to type in any annoying one-time passwords (OTPs), PINs, or other prompts.
Instead, this method of authentication relies on PKI cryptographic technologies and processes to make authentication a breeze. Using a client authentication certificate means that users can authenticate on the backend without dealing with insecure or hard-to-remember passwords.
But what is certificate authentication and how does it work? How is using a client authentication certificate more secure than using traditional password-based authentication and some multi-factor authentication (MFA) methods? And how do you implement PKI authentication within your IT environment using these certificates?
Let’s hash it out.
What Is Client Certificate Authentication? PKI Authentication Explained
Certificate-based authentication allows users to log in to various systems without typing in a traditional username and password. Instead, the user’s browser (i.e., their client) automatically logs them in using a digital certificate (and a PKI key pair — more on that later) that’s saved on their individual computer or device.
This method of authentication allows authorized users to access everything from specific files and services to your network and other IT systems. To put it another way, client authentication:
- Doesn’t require the use of confusing or hard-to-remember passwords.
- Provides a better user experience for users and simplified account access for your IT admin.
- Eliminates credential-phishing vulnerabilities that could otherwise snare your employees.
- Mitigates the password security risks that cybercriminals love to exploit in brute force and rainbow table attacks.
- Is more secure than token- and SMS-based MFA methods alone when you use a client authentication certificate in conjunction with a trusted platform module (TPM).
- Doesn’t require additional hardware (although it’s most secure when you use it in conjunction with a TPM — which comes equipped with most Windows 10 devices).
Authentication Over the Internet Requires Verifiable Identity
Authentication, at its core, is about verifying that someone or something (in the case of devices) is who or what they claim to be. So, when we talk about certificate-based authentication, or what’s also known as PKI authentication over the internet, what we’re really discussing here is the use of X.509 digital certificates and public key infrastructure to identify individuals and their devices remotely in public channels.
This is where client authentication certificates fit into the picture. In a nutshell, these digital files make user authentication and machine-to-machine communication more secure. It’s also a way to restrict access to systems to only authenticated users or devices.
User authentication is critical to access management and developing a zero-trust security architecture for your business. After all, you don’t want random employees accessing your servers, networks, web apps, or other digital resources willy-nilly, right? This means you always need to be sure that users who request access to protected sites or resources are legitimate before giving them access. PKI certificate-based authentication is a way to do this without using traditional password-based login methods.
Because certificate-based authentication doesn’t require users to enter their password again once they’ve logged into their device, this user authentication method is considered a type of passwordless authentication. Essentially, it ties an individual user’s digital identity (their machine identity or identifying digital attributes) to a special file — the digital certificate we mentioned earlier. But just what are digital certificates?
Digital Certificates Are Your Digital ID Card on the Internet
Digital certificates are files that serve as your ID card in the digital world. Much like how your government-issued driver’s license or ID card identifies you in an official capacity, these certificates do the same for you on the internet. And much like how your driver’s license has a unique letter-number combo that represents you, every digital certificate has unique characteristics that differentiate it from others.
These certificates are the essential and trusted elements of public key infrastructure (PKI — which we’ll talk more about later). They’re trusted because they require a reputable and publicly trusted third party (known as a certification authority, certificate authority, or simply a “CA”) to verify your identity prior to issuing the certificate.
Public CAs Are Like the DMV…
We’re not going to go over everything CAs do, but we’ll give you a quick overview so we can keep this topic rolling. (Check out the link embedded in the paragraph above for a more in-depth look at what CAs are and how they work.)
A public CA is like the PKI digital identity equivalent of your local Department of Motor Vehicles office. Much like how a DMV official checks out your application and makes sure your individual identity is real before issuing you an ID card, a CA reviews your certificate signing request (CSR) for new digital certificates. They take the paperwork and documentation you provide and check it against various official resources to ensure they’re legitimate. (CAs are all about crossing those Ts and dotting those Is.) Once they verify that everything matches up (i.e., that you’re really you), they issue your client authentication certificate.
Of course, some companies opt to use local (private) CAs to issue their own client authentication certificates. The certificate issuance for private certificates is different because the process doesn’t require a publicly trusted CA to verify information first. As a result, these certificates aren’t publicly trusted. This means that private client authentication certificates should only be used to secure access to internal-facing resources — never external (public-facing) ones.
Client Authentication Certificates Have Many Names…
Okay, this is where things can get a bit confusing for those who aren’t IT admins or who don’t interact with PKI systems regularly. Remember earlier when we said that client authentication certificates and PKI authentication certificates are the same? Well, they are, but they also go by a few other names as well.**
- User identity certificates.
- Device certificates.
- Mutual authentication certificate.
- Two-way authentication certificate.
- Email signing certificates, Email authentication certificates, and S/MIME certificates.
(** There’s a lot of overlap between these different certificates, but depending on the situation, they’re not always identical. For example, some S/MIME certificates can be used for client authentication while others cannot. And some IoT device certificates are typically issued by private CAs, meaning that public CAs can’t validate them.)
Why so many (seemingly unrelated) names? In some cases, it’s because people have many different ways of saying the same thing. In others, it’s because these certificates wear a lot of hats (i.e., they serve multiple functions). For example, the same PKI digital certificate that you install on your device to authenticate your computer to a web server might be the same certificate that you can use to sign and encrypt your emails.
Now, of course, this cross-use capability isn’t the case for all X.509 digital certificates. For example, you can’t use a website security certificate to authenticate a user because that’s used to authenticate web servers to users’ clients (browsers) and create encrypted connections. You also can’t use a document signing certificate to sign a piece of software for the same reason — they’re different X.509 certificates that were created for different purposes. (Although, it’s also important to note that some PKI authentication certificates have the cross-functionality to sign some types of documents.)
This is where a PKI authentication certificate is rather unique. Unlike the other types of PKI certificates, a PKI authentication certificate can sometimes be used for a variety of different purposes — one of which is mutual authentication. And that’s the purpose that we’ll focus on in this article.
Why Certificate-Based Authentication Matters
Scaling your network securely and setting up remote access for a bunch of employees can be tricky and time-consuming under normal circumstances. The onset of the COVID-19 global pandemic last spring, which forced businesses to close their offices and millions of employees to work from home remotely, made this even more of a critical issue for IT admins across the globe. And even now, a year later, businesses are still trying to roll out better and more secure user access methods.
And considering how often employees don’t follow password safety best practices, you sometimes need to take the initiative to shore up your defenses through other means. Of course, opting to use a client authentication certificate may not be a good fit for all situations. But it can come in handy in many circumstances — particularly for larger organizations.
Setting up certificate-based authentication requires a little more time to set up, but it saves time in the long run and is significantly more secure. When you put PKI authentication certificates to work, you:
- Simplify the authentication process. By no longer requiring users to remember usernames and passwords, you make it easier for your authorized users to access privileged sites or services. An added bonus is that you reduce employee frustration and IT support time!
- Block sloppy password practices. Certificate-based authentication makes it impossible for users to share account logins, and they’ll no longer have a reason to leave sticky notes with passwords on them lying around.
- Make your organization immune to brute force and other password-related attacks. If your users don’t have passwords, then there’s nothing for cybercriminals to brute force. Because certificate-based authentication uses a 2048-bit key pair, it’s too impractical for even a modern supercomputer to break it.
- Improve your…
Client Authentication Certificate 101: How to Simplify Access Using PKI Authentication