It is no secret that passwords on their own are no longer a reliable method of user authentication. Combine that with the spread of bring your own device (BYOD) and the growing threat of rogue machines on the network, and many in IT are wondering how they can ensure that only approved users and approved devices get access. Fortunately, Digital Certificates address both the user and the machine use case. Let’s take a closer look at certificate-based authentication and why and how it’s used.
Note: this post assumes a basic understanding of Digital Certificates. For introductory information about certificates and public-key cryptography, check out our article here.
What Is Certificate-Based Authentication?
Certificate-based authentication is the use of a Digital Certificate to identify a user, machine, or device before granting access to a resource, network, application, etc. The certificate binds a public key to an identity and is signed by a Certificate Authority (CA) that the relying party trusts; during authentication the holder proves possession of the matching private key (for example by signing a challenge inside the TLS handshake), so merely presenting the certificate is not enough. In the case of user authentication, it is often deployed alongside traditional methods such as username and password.
One differentiator of certificate-based authentication is that, unlike solutions that only work for users, such as biometrics and one-time passwords (OTP), the same solution can be used for all endpoints: users, machines, devices and even the growing Internet of Things (IoT).
Why Is Certificate-Based Authentication Used?
Ease of deployment and ongoing management
Most certificate-based solutions today come with a cloud-based management platform that makes it easy for administrators to issue certificates to new employees, renew certificates and revoke certificates when an employee leaves the organization. Solutions that integrate with Active Directory can make the enrollment and issuance process even easier by enabling auto-enrollment and silent installation through Group Policy. One caveat: revocation only takes effect if the systems accepting the certificate actually check its status (via a CRL or OCSP) or the certificates are issued with short lifetimes; a revoked certificate presented to a server that never checks is still accepted.
Unlike biometrics or OTP tokens, no additional hardware is needed. The certificate and its private key are stored locally on the machine or device. This not only saves on costs, but can also alleviate management pains around distributing, replacing and revoking tokens. The trade-off is that a software-stored private key is only as well protected as the account and device holding it; where the required assurance level demands it, the key can be generated in a TPM or on a smart card so it cannot be copied off the device.
There is always a trade-off between increasing security and the costs involved and the burden on end users. Certificates score well here: after the certificate is installed (and in some cases this happens automatically), there is nothing further for the user to do. Additionally, most enterprise solutions already support certificate-based authentication.
Leverage existing access control policies
You can also leverage existing group policies and permissions to control which users and machines can access different applications and networks: the identity carried in the certificate (its subject or subject alternative name) is mapped onto the user or computer account, and that account’s existing group memberships decide what it may do. This way you can ensure only privileged users can access sensitive or critical operations.
Another benefit of using certificates is that they allow for mutual authentication, meaning both parties involved in a communication identify themselves, whether that communication is user-to-user, user-to-machine or machine-to-machine. For example, a client must prove its identity to a company intranet and the intranet must prove its identity to the client before a connection can be made, which also stops the client from handing its credentials to an impostor server.
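The following Go program is added here as a worked example; it is not code from the original post or from any vendor product. It shows both halves of that exchange, plus the policy mapping from the previous paragraph, on a single machine: a made-up corporate CA issues a server certificate and two client certificates, an HTTPS server is configured to demand a client certificate that chains to that CA, and the handler then maps the verified certificate name onto a hypothetical policy that only admits managed laptops. A device presenting a self-signed certificate with the same name, and a client presenting no certificate at all, never get past the handshake. All names (Corp Root CA, intranet.corp.example, laptop-0042, contractor-jane) are invented for the example, keys are generated in memory, and everything runs offline on loopback using only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue makes a P-256 key pair and certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent/parentKey and restricted to eku. Keys stay in memory here.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the server cert verify for 127.0.0.1
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// startServer serves HTTPS on loopback, requiring a client cert that chains to clientCAs; allowed is the policy hook.
func startServer(serverCert tls.Certificate, clientCAs *x509.CertPool, allowed func(cn string) bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cn := r.TLS.PeerCertificates[0].Subject.CommonName // non-empty: the handshake already verified the chain
		if !allowed(cn) { // authenticated is not the same as authorized
			http.Error(w, "denied "+cn, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "granted %s", cn)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the authentication mutual
		ClientCAs:    clientCAs,
	}
	srv.StartTLS()
	return srv
}

// connect verifies the server against roots (the other half of mutual auth), presents clientCert if non-nil, returns the body.
func connect(url string, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err // a rejected or missing client cert surfaces here as a TLS alert
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(body)), err
}

// scenario: one made-up corporate CA issues the server and client certs; a rogue device brings a self-signed look-alike.
func scenario() map[string]string {
	_, ca, caKey := issue("Corp Root CA", 0, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server, _, _ := issue("intranet.corp.example", x509.ExtKeyUsageServerAuth, ca, caKey)
	laptop, _, _ := issue("laptop-0042", x509.ExtKeyUsageClientAuth, ca, caKey)
	contractor, _, _ := issue("contractor-jane", x509.ExtKeyUsageClientAuth, ca, caKey)
	rogue, _, _ := issue("laptop-0042", x509.ExtKeyUsageClientAuth, nil, nil) // same name, no trusted issuer
	srv := startServer(server, pool, func(cn string) bool { return strings.HasPrefix(cn, "laptop-") })
	defer srv.Close()
	try := func(c *tls.Certificate) string {
		reply, err := connect(srv.URL, pool, c)
		if err != nil {
			return "rejected: " + err.Error()
		}
		return reply
	}
	return map[string]string{"laptop": try(&laptop), "contractor": try(&contractor), "rogue": try(&rogue), "no-cert": try(nil)}
}

func main() { fmt.Println(scenario()) }
```

Two things are worth noticing. The identity the handler acts on is read from r.TLS.PeerCertificates, which the TLS layer populates only after verifying the chain against ClientCAs, so a client cannot claim a name it does not hold the private key for; and the contractor case shows that a valid certificate proves who the peer is, not what it may do, so the authorization step is still yours to write. The example does no revocation checking: Go’s TLS stack does not consult CRLs or OCSP on its own, so a deployment that relies on revoking leavers’ certificates needs a VerifyPeerCertificate callback (or short certificate lifetimes) to make the revocation bite.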
Extending to external users
Certificates are also easy to roll out to users outside of your organization (e.g. partners, independent contractors and freelancers) who may need to access your networks. Beyond installing a certificate issued by a CA you trust, they won’t need additional software on their local machine, and the ease of use means you won’t need to provide much additional training.
How Is Certificate-Based Authentication Used?
Certificate-based authentication is quite flexible and can be used in a number of ways, but here are some of the most common use cases we hear from our customers. You’ll notice the common theme with all of these, and with certificate-based authentication in general, is to allow access only to approved users and machines and to keep out unauthorized users and rogue machines.
User authentication
- Windows Logon
- Accessing corporate email, internal networks, or intranets
- Accessing cloud-based services, such as Google Apps, SharePoint and Salesforce
Machine and device authentication
- Identifying on-location/in-field machines that need to communicate with back-end services (e.g. payment kiosks located in convenience stores)
- Identifying all employee laptops and mobile devices before allowing access to Wi-Fi networks (typically via EAP-TLS), VPNs, gateways, etc.
- Identifying all servers within the enterprise to enable mutual authentication
For more information on certificate-based authentication, I invite you to check out our webinar Certificate-based authentication to support BYOD and IoT.