Client-side Transport Layer Security certificates may not be new, but experts said these certs could find new life...
to ensure secure connections in the boom of internet-of-things devices, while multifactor authentication is better for humans.
Experts told SearchSecurity that historically, TLS client authentication was thought of as a way to allow humans to avoid using something like a password for authentication when connecting to a website, but it ended up being a complex process.
Jason Pappalexis, distinguished research director for NSS Labs Inc., based in Austin, Texas, said, "TLS client authentication is a means to achieve mutual authentication at the initial SSL [or] TLS handshake level."
"In other words, [it's] validation of both identities desiring to communicate -- the website and the client -- through the sharing of X.509 certificates. TLS client authentication provides a lower-level authentication for the client than login [or] password, and occurs before any application content (any data -- for example, text, music, photos) is shared between the two parties. This is its intrinsic value," Pappalexis told SearchSecurity via email. Pappalexis said the trouble with TLS client authentication was there were "multiple workflow challenges that [made] it less attractive for mainstream human use."
"As with many technologies, if it's difficult to use, it won't be used."
Robert Hamilton, director of product marketing at Imperva Incapsula, based in Redwood Shores, Calif., told SearchSecurity that TLS client authentication is extremely secure, but can be costly to provision and maintain the necessary certificates.
"With consumer devices, there is a need to authenticate people, so it's a different story -- the human user must be involved in the installation and maintenance of the certificate, and therein [lies] the additional support complexity," Hamilton told SearchSecurity. "We don't see a trend toward broad adoption of TLS client certificates for consumer apps. Compliance requirements will continue to drive the need for TLS client authentication in apps where it is absolutely essential that you make sure whoever is connecting to your site is who you believe they are. However, much of this can be done today with two-factor authentication."
Pappalexis said any company that provides internet-connected services is likely already considering mutual authentication, and "TLS client authentication is one mechanism to provide it."
"The technology as a means to authenticate is sound; however, adapting it for mainstream use to accommodate modern needs for end users and system administrators requires work," Pappalexis said. "The current push is that multifactor authentication is the next step up from just login [and] passwords. Time will tell if authentication using client certificates is the next evolution."
TLS client authentication for IoT security
However, Cloudflare Inc. recently said there is a new and much more productive way to use TLS client authentication: identifying and authenticating internet of things (IoT) and mobile devices.
"TLS Client Authentication is useful in cases where a server is keeping track of hundreds of thousands or millions of clients, as in IoT, or in a mobile app, with millions of installs exchanging secure information," Dani Grant, product manager for Cloudflare, based in San Francisco, wrote in a blog post. "For example, an IoT company can issue a unique client certificate per device, and then limit connections to their IoT infrastructure to only their devices by blocking connections where the client doesn't present a certificate signed by the company's certificate authority."
Kevin Bocek, chief security strategist for Venafi, based in Salt Lake City, said, "This is part of a trend to identify machines. You can't give out usernames and passwords to machine -- you give keys and certificates."
"We have seen challenges with keeping keys and certificates up to date. More specifically, many machines find it difficult to change keys and certificates on the fly. The industry has put a great deal of effort into username and password automation, but almost no effort in automating TLS keys and certificates," Bocek said. "TLS client authentication uses the strongest forms of cryptography to ensure that you are connecting with the right machines. TLS client authentication also eliminates use of passwords. It's perfect for machine authentication, including software containers in the cloud and IoT devices floating around in the real world."
Dave Coxe, CEO of ID DataWeb in Vienna, Va., said any company that wants to protect the privacy of its stakeholders "needs to move to strong adaptive authentication."
"Persistent credentials like TLS client authentication are one dimension of accomplishing this; however, TLS client authentication alone is not enough. Multiple credentials and attributes must be evaluated simultaneously to make high assurance authentication and authorization decisions," Coxe told SearchSecurity. "There is tremendous value that can be gained from device certificates, and TLS client authentication is an established protocol that is widely supported."
Pappalexis said TLS client authentication is such an obstacle with human use "because it requires pre-thinking of the access a user wants almost before they request it."
"Nonhuman clients (IoT) do not have this challenge," Pappalexis said. "The train has already left the station regarding a desire for mutual authentication and development of technologies [and] workflows to support it. Security and positive user experience have not traditionally gone hand in hand. However, use cases for IoT objects -- i.e., SCADA for monitoring and control -- do not have this challenge and would benefit from the additional layer of protection."
Learn how to keep email safe with Exchange TLS and cloud-based ATP.
Find out how to improve IoT security through discovery, identity and testing.
Get info on why identity is critical to IoT.