Everyone reading this has probably heard that old rule of thumb that security and convenience are inversely proportional. In other words, increasing security comes with the cost of less convenience, while making things easier to use also means less security. This isn’t just in the context of computing, by the way. An unlocked door is easier to use (more convenient) than one that is locked (more secure). A door that you can unlock with a key is easier to use (but less secure) than a door that requires both a key and a keypad code, etc.
In the context of end-user computing, we all see this trade-off daily. Longer passwords are seen as more secure than shorter ones, but they’re also harder to remember and type. Six-digit phone PINs are more secure but less convenient than four-digit ones. Multifactor authentication leveraging both a password and one-time code is more secure than just a password but annoying every time we have to switch over to the authenticator app to get that code. Requiring a PIN to unlock the authenticator app is more secure than not, but with the expense of additional steps and user annoyance.
There’s never really been any kind of standard for how this should all work and what should be used where. Different companies, policies, regulations, governance, organizational cultures, and sales rep effectiveness drive most of it, and things are different everywhere. What’s been historically consistent is that more security has correlated with more hassle for the users.
Finding the balance between security and convenience has always been about tradeoffs. I’ve always thought of the “security versus convenience” model as a sliding scale, like the one below. You can draw a vertical line anywhere you want in the diagram below to get a certain level of security for a certain level of convenience, and increasing one decreases the other, and vice versa.
By the way, most large organizations don’t have a single balance point that’s used for everyone and in every situation across the company. Customer medical data might be protected with two-factor authentication and only accessible from company-managed devices, financial data might require two-factor authentication but be accessible from any device, the internal social calendar might only require a username and password, and the PowerPoint template at the agency might be accessible via a single shared password that everyone uses.
What’s been consistent for decades is that more security has meant less convenience. But more recently, that de facto relationship has started to change, thanks to the concept of Zero Trust security.
How Zero Trust balances security and experience
I won’t go into the details of what Zero Trust security is in this post since we’ve written a lot about it over the years, and enabling it is a big reason people buy Workspace ONE. (You could start with my blog post from two years ago, “What is zero trust and how real is it today?”) We also had quite a few sessions on Zero Trust at VMworld 2021 last month.
Instead, today I want to dig into how using Zero Trust allows you to maximize your security while also maximizing convenience. It literally changes the relationship of the traditional model to something more like this:
With Zero Trust, you can still apply varying levels of security. It’s just that the convenience remains the same (that is to say, “high”) regardless of whether you’re applying a little or a lot of security.
How is this possible?
Think back to how end-user computing security works in the first place. I already mentioned two-factor authentication, a term that implies there’s such a thing as “one-factor authentication.” A “factor” in this case is a technique you use to prove you’re who you’re claiming to be. The most classic example of one-factor authentication is a password. (But wait, isn’t a password two factor since you need your username and password? Actually no, your username is the identity you’re claiming to be, and the password is the security factor you’re using to prove that claim.) So, a password is a type of factor that is something you know.
Another factor could be something you have. This is what those one-time passcodes that are texted to your phone are doing (since they prove you have the phone that belongs to the person whose identity you’re claiming). This is also how those authenticator apps work.
Another factor could be a physical trait of the person whose identity you’re claiming to be. In the old days, this was a photo on an ID badge. Today it’s something like a biometric fingerprint or face scanner.
Still another factor could be your location. This could be your IP address, network, MAC address or the location service from the device belonging to the person you’re claiming to be.
Even something like a specific skill you have could be an authentication factor. (“Are you really Brian Madden? He’s good at pinball. Prove it to me by beating me in pinball right now.”) Obviously, that’s a nonsensical example, but we’re seeing the emergence of skill-based authentication with devices that scan for specific body movements. (Kind of like those “draw on the grid” Android phone unlock screens but in 3D space with entire arm or hand and finger movements.)
So, technically speaking, the classic two-factor authentication (password plus one-time code) is just an implementation of, “we want to secure this resource with two factors instead of one, and of the five factor types available, we are choosing to implement it via (1) something you know, and (2) something you have.” But with the evolution of technology over the past few years, today’s two-factor authentication could be any two of the five factor types I listed above. (And for even more security, you could choose to implement three-, four-, or even five-factor authentication if you wanted!)
Where this gets interesting is that the different types of factors have different levels of user experience and convenience depending on the specifics of the situation. Typing a password is extremely convenient if you’re sitting at a desk with a full keyboard, but not when you’re on a phone, whereas the biometric Face ID authentication is more convenient when using an iPhone since you only need to look at the screen versus banging out a password on the on-screen keyboard.
Now think about how these concepts thread into the Zero Trust security model. Zero Trust is about trusting nothing and verifying everything. This means that Zero Trust implementations will incorporate user directories (passwords), device management (certificates, authenticator apps, tokens, location services, biometrics), networks (location) and all the other elements of an EUC estate. If you have a resource you want to protect with two factors of authentication and you’ve implemented Zero Trust, you can use different combinations of factors depending on the scenario.
For UEM-managed mobile devices, you could deploy a certificate via UEM which is unlocked via biometrics. Then when the user needs to authenticate, they just look at their screen. Face ID authenticates the factor of the claimed user’s physical trait, and the certificate authenticates the factor of the device they have. You get the security of two-factor authentication, with no passwords or PINs!
If the user is connecting from a managed device that does not have biometrics (like a laptop), then the first factor could be something they have (their laptop, authenticated via a UEM-delivered certificate), and the second factor could be something they know (their password, which is convenient since the user has a keyboard).
For a user connecting from an unmanaged device (like from home), the first factor could be something they know (password), and the second factor could be something they have (authenticator app on their phone).
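Here is an added example (not code from the post or from Workspace ONE) that puts the factor-type taxonomy above and the three device scenarios into a small policy function. The method catalogue, the Context fields, and the method names are assumptions; the point it makes is that a policy counts distinct factor types, so a username is not a factor and two “something you have” methods still add up to one factor.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "physical trait"
    LOCATION = "location"
    SKILL = "skill"


# Hypothetical method catalogue: each authentication method proves one factor type.
# The username is deliberately absent: it is the identity claim, not a factor.
METHODS = {
    "password": FactorType.KNOW,
    "device_certificate": FactorType.HAVE,  # delivered by UEM to a managed device
    "authenticator_app": FactorType.HAVE,
    "sms_otp": FactorType.HAVE,
    "face_id": FactorType.ARE,
    "corporate_network": FactorType.LOCATION,
}


@dataclass(frozen=True)
class Context:
    managed: bool          # device is enrolled in UEM
    has_biometrics: bool   # Face ID or similar is available
    has_keyboard: bool     # typing a password is convenient


def distinct_factor_count(methods):
    """Count factor *types*, not methods: app OTP + SMS OTP is still one factor."""
    return len({METHODS[m] for m in methods})


def meets_policy(methods, required_factors=2):
    """True when the presented methods cover at least required_factors distinct types."""
    return distinct_factor_count(methods) >= required_factors


def choose_methods(ctx):
    """Pick the most convenient two-factor combination for the scenario described in the post."""
    if ctx.managed and ctx.has_biometrics:
        chosen = ["device_certificate", "face_id"]      # just look at the screen
    elif ctx.managed and ctx.has_keyboard:
        chosen = ["device_certificate", "password"]     # laptop: cert + typed password
    else:
        chosen = ["password", "authenticator_app"]      # unmanaged: password + app on phone
    assert meets_policy(chosen), "every branch must still yield two distinct factor types"
    return chosen
```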
The bottom line is that when you have a proper Zero Trust implementation, you can implement two-factor authentication across your enterprise, for every user, from every location, across every device, for every use case, while choosing unique combinations of factors that are most convenient for the user for each scenario. You get the full security of multifactor authentication while your users enjoy the maximum level of convenience. Full security and full convenience, together, thanks to Zero Trust and Workspace ONE!