Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Can PKI Replace Passwords?

There is a new trend that’s taking the IT world by storm: Passwordless Authentication.

NordPass estimates that the average user has between 70 and 80 passwords. That’s why people so often reuse, share, or choose easy-to-remember passwords. While this may seem harmless, it’s actually a massive security threat, especially for users that have access to valuable data.

The solution many organizations originally implemented was constant password reset, but this can be a major hassle to both the users and IT departments, who have to remember even more passwords. That’s why the development of passwordless authentication is so beneficial, and in order to achieve passwordless authentication you’ll need to implement a PKI (Public Key Infrastructure.)

The definition for a PKI varies between security professionals, but the general consensus is that a PKI is a handful of components that give everything an organization needs to issue, revoke and manage X.509 Digital Certificates. It’s these certificates that replace passwords as a form of identification for those logging into your network.

Cloud Managed PKIs, like SecureW2, outrank on-premise PKIs like AD CS, because they are more scalable and come at a third of the cost. Plus, they are simple to implement if you choose the right PKI solution.

In this article, we’ll take a look at the pros and cons of PKI to see if it can really replace passwords.

Pro #1: No Password Resets

radius server

Passwords put the responsibility of network security on the shoulders of the users, namely through password-change policies that set dates for passwords to expire. For college students, that could be up to seven different devices that need to change passwords every few months. These policies can clog up an IT department with support tickets and take time away from other projects.

Certificates remove the onus from the end-user and streamline the configuration process. Certificates eliminate the necessity of any sort of reset policy. Once a user is equipped with a certificate, they are granted network access until it expires. For example, many universities will distribute 4-year certificates to incoming students because they need network access for the 4 years they attend.

Simply put, password change policies are a hassle, and a PKI can completely eliminate them with certificates.

Pro #2: Identify Network Activity

Passwords fail to identify users on a network because they can be shared easily. You may share a unique password with Person 1, but he could give it to Person 2 and you would have no idea.

Certificates can easily put a name on every network connection. Certificates contain a host of identifying information; MAC Address, email, username, and any other attribute that is contained in your Identity Provider.

Many K-12 schools use a PKI solution like us because they can issue Wi-Fi & SSL Inspection certificates to students simultaneously, significantly increasing their visibility into what traffic students are browsing.

Pro #3: You Don’t Need to Worry About Password Theft

With passwordless authentication, you don’t need to worry about password theft or data breaches that result from password compromises because passwords are no longer part of the equation.

A man-in-the-middle (MITM) attack could easily infiltrate a credential-based network, steal a password, and then get a bonus to all of the victim’s other accounts that use the same password. MITM attacks are frightening and can lead to the loss of valuable data; certificates can eliminate that risk.

Certificates utilize public-private key encryption to encrypt information sent over-the-air and are authenticated with EAP-TLS, the most secure authentication protocol. They can’t be shared between people which inherently gets rid of passwords’ greatest flaw.

Con #1: Complexity of Infrastructure

Setting up a PKI by yourself is no easy task and generally is expensive in both deployment and maintenance, so much so that it can only be used for large/expensive systems.

Luckily, A cloud PKI solution, like the PKI offered by SecureW2, requires no forklift upgrades to integrate directly with existing infrastructure. IT need only connect the PKI to the network and configure the settings and onboarding software to distribute certificates. Since the PKI is externally hosted, the responsibility of maintaining and securing the PKI falls to the vendor.

Con #2: Certificate Management Can Be A Challenge

One of the most important functions of managing a PKI is controlling who has certificates and access to the network. If you’re unable to control who has network access, the benefits of certificates go out the window and there will be a significant risk of a data breach.

That’s why investing in a PKI that has easy-to-use management tools is essential to sound security. SecureW2 makes it easy to track and manage certificates. Certificate policies allow the administrator to determine the lifecycle and permissions of client certificates, as well as automated notifications to users, administrators, and external systems regarding the issuance, revocation, and expiration of certificates.

PKI Made Easy With SecureW2

PKI’s are known for creating an efficient authentication experience for users but can be difficult to maintain without help; with a plug-and-play PKI from SecureW2, the amount of control given to admins allows them to create a set-n-forget certificate network.

Once the network is configured for certificates, the amount of hands-on work that needs to be done to manage certificates is minimal, especially compared to password-backed networks. Check out our pricing page to see if SecureW2’s certificate solutions can be an effective solution for your network.

 

 

 

 

Key Takeaways:
  • A PKI can be a challenge to manage on your own.
  • With an effective PKI solution, you can make passwords a thing of the past.
Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Can PKI Replace Passwords?