Did you know that 57% of people still haven’t changed their passwords after being scammed in a cyberattack? What’s more, according to a report by IBM, the most common cause of a data breach is stolen or compromised credentials. So, let’s be honest: usernames and passwords alone are no longer a reliable method of user authentication, especially for enterprise businesses.
When combined with the ever-present risk of “bring your own device” (BYOD) and the growing threat of rogue machines, many in IT are wondering how they can ensure only approved users and devices can get access to company networks and systems. Fortunately, digital certificates address both user and machine use cases. Let’s take a closer look at certificate-based authentication and why and how it can be used as access control.
- What is Certificate-based Authentication?
- The Benefits of Certificate-based Authentication
- How Certificate-based Authentication Works
What is Certificate-based Authentication?
Certificate-based Authentication (CBA) uses a digital certificate, acquired via cryptography, to identify a user, machine or device before granting access to a network, application or other resource.
By itself, certificate-based authentication can verify that devices connected to the organization’s network are those that are authorized. When combined with multi-factor authentication, organizations can clearly verify that ‘User A’ logged on with ‘LAPTOP-1234’ and can determine whether that laptop is in fact registered to User A before granting access to the network on that device.
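The check described above, as an added example (not GlobalSign's code and not part of the original article): a Python TLS server context that requires a client certificate, followed by the decision of whether the authenticated device is registered to the user who passed multi-factor authentication. The device registry, revocation set, user names and sample certificate are constructed assumptions.

```python
import ssl
import time

# Constructed registry (assumption): which user each device is enrolled to.
DEVICE_OWNERS = {"LAPTOP-1234": "user.a"}
# Constructed revocation set: serial numbers as hex strings, as getpeercert() reports them.
REVOKED_SERIALS = {"0BAD"}


def make_server_context(server_cert, server_key, client_ca):
    """TLS server context that refuses clients without a certificate issued by client_ca."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client certificate, no handshake
    return ctx


def common_name(peer_cert):
    """Extract the subject commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize(peer_cert, mfa_user, now=None):
    """Access decision for a user who passed MFA on a device that completed the handshake."""
    now = time.time() if now is None else now
    if not peer_cert:
        return (False, "no client certificate")
    if ssl.cert_time_to_seconds(peer_cert["notAfter"]) < now:
        return (False, "certificate expired")
    if peer_cert.get("serialNumber") in REVOKED_SERIALS:
        return (False, "certificate revoked")
    device = common_name(peer_cert)
    if DEVICE_OWNERS.get(device) != mfa_user:
        return (False, f"{device} is not registered to {mfa_user}")
    return (True, f"{mfa_user} on {device}")


# Constructed sample in the format SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "LAPTOP-1234"),)),
    "serialNumber": "1A2B",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CERT, "user.a"))
    print(authorize(SAMPLE_CERT, "user.b"))
```

In a real server, `authorize` would be called with the result of `getpeercert()` on the accepted connection, after the user has completed the second factor.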
What are the Benefits of Certificate-based Authentication?
- Block poor password hygiene – makes it near impossible for users to share account logins, and they’ll no longer have a reason to leave written credentials lying around
- Improve organizational cybersecurity defences – eliminating the need for numerous passwords that can be phished, stolen, intercepted, shared or otherwise compromised reduces the risk of a cyberattack
- Ease of deployment – digital certificates can often be installed automatically
- Supportive lifecycle management – certificate-based solutions can be coordinated through a cloud-based management platform that makes it easy for administrators to issue certificates to new employees, renew certificates and revoke certificates when an employee leaves the organization
- Implementation with no burden on users – once a certificate is installed there is often no further action required from the user
- Covers all endpoints – one differentiator of certificate-based authentication is that, unlike some solutions that only work for users, such as one-time passwords (OTP), the same solution can be used for all endpoints – users, machines, devices and even the growing Internet of Things (IoT)
- Leverage existing access control policies to control which users and machines can access different applications and networks. This way you can ensure only privileged users can access sensitive or critical operations
- Mutual authentication – both parties involved in the communication are identifying themselves. This could be user-to-user, or machine-to-machine
- Extends to external users – certificates can also be applied to users outside of your organization (e.g. partners, independent contractors and freelancers) who may need to access your networks. They won’t need additional software on their local machine and the ease of use means minimal training will be required
How Certificate-based Authentication Works
Certificate-based authentication is quite flexible and can be used in a number of ways, but here are some of the most common use cases.
- Windows Login
- Accessing corporate email, internal networks, or intranets
- Accessing cloud-based services, such as Google Apps, SharePoint and Salesforce
Machine and device authentication
- Identifying on-location/in-field machines that need to communicate with back-end services
- Identifying all employee laptops and mobile devices before allowing access to WiFi networks, VPNs, Gateways, etc.
- Identifying all servers within the enterprise to enable mutual authentication
How Can I Implement Certificate-based Authentication to My Business?
You can implement certificate-based authentication manually through a great number of steps, which takes up time and resources, or alternatively you can look at investing in an authentication management solution.
Discover how GlobalSign’s authentication management solutions, Auto Enrollment Gateway (AEG) and Edge Enroll, can strengthen your enterprise.
Editor's Note: This article was originally published in 2018 and updated in October 2022.