Can zero-knowledge cryptography solve our password problems?

While multi-factor authentication, single sign-on infrastructure, and more stringent password requirements have improved the security of most enterprise identity and access management (IAM) environments, the longevity of passwords continues to pose challenges for businesses, especially in granting temporary access to third-party contractors and partners.

Various vendors are trying to solve this problem. Last week, for example, data security firm Keeper Security announced one-time shared passwords that allow companies to grant third-party partners temporary access to data and resources without adding them to the overall enterprise computing environment. The approach allows specific document types to be shared on a single user device, automatically removing access when the time expires.

The business case is to secure the access granted to contractors, says Craig Lurey, chief technology officer and co-founder of Keeper Security.

“We are constantly asked to allow short-term temporary access to third parties without requiring them to join us as a licensed user,” he says. “With this new feature, there are no longer 20 steps. It’s just instantaneous, but preserving that encryption, simplifying the secure sharing process, and eliminating the need to text private information.”

Credential theft is big business

Supply chain breaches, stolen credentials, and the proliferation of software keys and secrets continue to undermine IT and data security. In March, secrets detection firm GitGuardian found that developers leaked 50% more credentials, access tokens, and API keys in 2021 compared to 2020. Overall, 3 out of 1,000 commits exposed a sensitive password, key or credentials, the company said at the time.

Failure to protect software secrets, user passwords, and machine credentials can lead to compromised application infrastructure and development environments. Attackers are increasingly targeting identities and credentials as a way to gain initial access to corporate networks. Last week, for example, software security firm Sonatype discovered that at least five malicious Python packages attempted to exfiltrate secrets and environment variables for Amazon environments.

“It remains to be seen who the actors are behind these packages and what their ultimate goal is,” Sonatype said in a notice on the matter. “Were the stolen credentials intentionally exposed on the web or a consequence of poor OpSec practices?”

How zero-knowledge encryption protects credentials

Managing data access credentials means avoiding centralized storage of sensitive keys, a security benefit of zero-knowledge encryption (ZKE), and periodically expiring keys so that former contractors, partners and employees no longer have access to data. In this vendor usage, "zero-knowledge" means the service provider never holds the key material needed to decrypt customer data; it is distinct from zero-knowledge proofs in the cryptographic sense. ZKE splits keys apart in specific ways, using both cryptography and tokenization, so that no single device or database holds all the information needed to reassemble the master keys that unlock the data.

Source: Keeper Security

The decision to reduce the importance of passwords and master keys is part of the cybersecurity industry’s efforts to create a passwordless security infrastructure. Yet, at the end of the day, most companies rely on some kind of password to secure huge keystores or unlock cloud IAM services, Lurey says.

“Every year, platforms try to invent new schemes to bury the password, [but] ultimately, these platforms still rely on passwords, especially for account recovery,” he says. “There are an increasing number of passwords and secrets that everyone has to deal with, whether you are on the technical side and have to deal with API keys and software secrets, or on the personal side and the growing number of sites that require personal or private information.”

Creating a zero-knowledge way to manage secrets and offer temporary one-time passwords requires significant design effort and a move away from consolidation between large brands that take on the role of identity providers, Lurey says.

“The reason the password continues to be popular is because it’s something you have that can be used to encrypt and decrypt data at the end of the day,” he says. “Passkeys, which are just passwords, are stored by Apple, Google and Microsoft, so they are synchronized with other devices and in-vehicle devices, but how do you synchronize these secrets? It’s basically a rabbit hole of authentication issues.”

The Passwordless Way Ahead

The focus on ZKE is relatively new, and the vast majority of companies protect their secrets using key management systems, says Andras Cser, vice president and principal analyst for security and risk at Forrester Research. The focus on passwordless technologies typically involves biometrics, QR code-based authentication, passing authentication tokens to mobile devices, and sending one-time passwords via email or SMS, he says.

“Due to phishing issues, OTP and passwordless are slowly replacing static passwords for authentication. Identity Management and Governance (IMG) for onboarding, reviewing, and excluding contractors and third parties for access are very important in this flow,” says Cser.

ZKE’s take-off will likely depend on the popularity of third-party identity services built on de facto standards such as the FIDO2 and WebAuthn passwordless specifications. In a white paper acknowledging FIDO’s slow adoption and its future integration with WebAuthn, the FIDO Alliance outlined what its passwordless future would look like, using mobile devices as standardized authenticators and enabling synchronization of credentials between devices.

The changes will make “FIDO the first authentication technology capable of addressing password ubiquity, without the inherent risks and phishing,” the white paper states.

Donald E. Patel