Managing passwords is a hard thing to do, as they have steadily become one of the most popular targets of phishing attacks. Unfortunately, keeping passwords secure is the foundation of securing systems. While there have been alternatives to keep passwords more secure since Kerberos and public key infrastructure, none have surpassed passwords in widespread usage.
Let's explore using cryptographic keys to replace passwords, as well as the risks that could follow.
Using cryptographic keys to replace passwords
There is an abundance of guidance on how to manage digital identities and how to identify the best option for your enterprise depending on your current environment and available resources. While using the strongest authentication available may be the most secure option, this could result in significant costs -- enterprises should focus on continuous improvement to manage risk at a reasonable price.
One example of an area an enterprise could evaluate for improvements is privileged accounts that are accessing remote systems, especially if they have had a security incident resulting from a compromised privileged account.
Privileged accounts are used throughout IT systems, and a compromised password could have a negative impact. There are incremental improvements you can make that could help reduce the risk of those privileged accounts being compromised.
For example, an enterprise could use SSH keys to authenticate interactive logins and automated jobs. SSH keys have several benefits, such as removing the need to manage account passwords and being more resistant to phishing and malware. When an account is set up to use an SSH key, it can be configured to disallow password logins, which would eliminate the possibility of a compromised privileged account password being used to access a system.
SSH keys are typically secured with a password to access the key, but the password cannot be captured and reused to log in without the private SSH key -- this would further prevent malware or phishing attacks from capturing the password. Likewise, if a system were compromised, you would only need to generate new SSH key pairs for the individual system rather than all of the systems on the account. Additional background on how to securely implement SSH keys can be found here, as well as from vendors such as SSH Communications Security.
Risks of replacing passwords with cryptographic keys
Enterprises should critically evaluate assumptions about how they secure their systems and consider the root causes of security incidents in their environment as part of a risk assessment. There have been numerous security incidents related to compromised accounts that could prompt an enterprise to evaluate where passwords are used.
When cryptographic keys replace passwords for privileged accounts, there are several risks that should be weighed, including accidental key exposure, insecure configurations and keys being stolen. Just as passwords can accidentally be embedded in config files or scripts, SSH keys can be insecurely handled, and even accidentally copied to public GitHub repositories when sharing source code.
Furthermore, SSH keys can be insecurely configured, which is a risk, if you don't require a password on the private SSH key or if you make changes to how the cryptography is used by SSH. There are even malware and NSA tools in Vault 7 for capturing SSH keys. The SSH key risks should be weighed against the risk of using passwords for systems in an enterprise environment in order to determine an effective plan.
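Two of the risks above, a private key stored without a password and a key accidentally copied into shared source code, can be checked for mechanically. The following is an added example, not code from the original article: it scans text for PEM private key blocks and reports whether each one is passphrase-protected, reading the cipher name field of the OpenSSH private key format. The function names and the header-only sample blobs are constructed for illustration.

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\x00"   # start of the decoded OpenSSH private key format
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def _read_string(buf, off):
    """Read one SSH wire string: big-endian uint32 length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n]

def classify_private_keys(text):
    """Return (label, state) for every PEM private key block found in text."""
    findings = []
    for label, body in PEM_RE.findall(text):
        if label == "OPENSSH PRIVATE KEY":
            try:
                blob = base64.b64decode("".join(body.split()))
                if not blob.startswith(MAGIC):
                    raise ValueError("bad magic")
                # The first field after the magic is the cipher name; "none"
                # means the private part is stored without a passphrase.
                cipher = _read_string(blob, len(MAGIC))
                state = "UNENCRYPTED" if cipher == b"none" else "encrypted"
            except (ValueError, struct.error):
                state = "unparseable"
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            state = "encrypted"      # PKCS#8 or legacy PEM with a passphrase
        else:
            state = "UNENCRYPTED"    # legacy PEM or PKCS#8 without a passphrase
        findings.append((label, state))
    return findings

def constructed_sample(cipher, kdf):
    """Constructed header-only blob with no key material, for demonstration."""
    hdr = MAGIC + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    b64 = base64.b64encode(hdr).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    repo_text = ("deploy notes\n" + constructed_sample(b"none", b"none") +
                 "more notes\n" + constructed_sample(b"aes256-ctr", b"bcrypt"))
    for label, state in classify_private_keys(repo_text):
        print(f"{label}: {state}")
```

A check like this fits in a pre-commit hook or a periodic sweep of home directories and build servers; any key reported as UNENCRYPTED should be replaced with a new, passphrase-protected key pair rather than simply re-encrypted in place if it may already have been copied.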
As systems get more secure and enterprises adopt more cloud services for which they may only need to manage access to the service, authentication and authorization are growing increasingly important. Ensuring that your enterprise is using the appropriate authentication and authorization processes as the environment and risks change is critical when managing IT security risks.
Overall, this may even require planning for how authentication and authorization are handled for major updates. Ultimately, moving from passwords to alternative methods of authentication, such as using cryptographic keys for specific systems and moving general users over to two-factor authentication, may be the right choice.