When considering the importance of authentication security and establishing device trust to protect your network, it’s no wonder organizations are moving away from credentials in droves. A solution that many are turning to is replacing credentials with certificates for authentication. Read here how an app startup experienced numerous user experience and security benefits by replacing passwords with certificates.
Of course, if your organization plans on implementing certificates, they must be prepared for a more involved management process. If properly handled with the right tools, certificate management can be a breeze.
Benefits of Effective Certificate Management
In order to experience the entirety of the benefits of certificates, they must be properly managed during every stage of the process. Without proper management, both users and admins will have difficulty completing their tasks. But the organizations that are prepared for certificates experience the greatest benefit.
Authentication Security
When users are configured with certificates on their devices, authentication is far easier and more secure than with credentials. First and foremost, certificates do not need to be repeatedly reset. For password best practices, passwords should be reset approximately every 3 to 6 months.
In contrast, certificates can be set to last for years. A common example is to equip a university student with a new certificate that has a 4 year lifespan. Because certificates are protected by public key cryptography and cannot be stolen and used by outsiders, they do not need to be constantly reset.
Additionally, certificates are known to be far more secure than credentials at protecting against outside attacks. With server certificate validation, they cannot be stolen over-the-air. And because they are tied to the device, they cannot be used fraudulently. A certificate is not something you know, it’s something you have which cannot be removed from the device.
Network Visibility
One of the greatest failings of credentials is that you cannot confirm without a doubt who is using a set of credentials. Any user can share credentials with another user or guest or unknowingly with a credential thief.
On the other hand, certificates are tied to the identity of a device and user. When a user onboards to the network, the certificate is imprinted with identifying information. This allows network admins to confirm conclusively who is accessing the network. And with the SecureW2 management portal, admins can see who is accessing which applications, which helps greatly with the management of apps and infrastructure to avoid outages.
Implementing and Managing Certificates
The basic infrastructure setup for certificate authentication requires an endpoint, RADIUS server, and PKI. From here, admins can begin designing their network and how it will operate for end users. The main consideration is how they manage each stage in the certificate lifecycle: enrollment, distribution, validation, and expiration.
Enrollment
The enrollment stage involves how a user actually requests a certificate for authentication. This stage must be set up so that only approved network users are able to obtain a certificate. To do this, the onboarding software must be connected to the IDP containing all valid network users.
To ensure all users obtain a certificate, the process of requesting a certificate must be extremely user friendly. The goal is to avoid all IT support tickets. SecureW2 supports several methods for users to request certificates, including an onboarding SSID, a vanity URL, or a time-restricted SSID. Once the user completes the request, they will move on to the next step to gain a certificate from the Certificate Authority (CA).
Distribution
There are three primary options for obtaining a certificate: manual configuration, admin configuration, or onboarding software. For the average network user, manual configuration will be too difficult. To configure a device for a certificate involves procedures they will likely not have come across before and can easily result in misconfiguration.
For small organizations, allowing admins to configure users’ devices is an option, but it is labor-intensive. The average network user likely has multiple devices, each requiring a unique certificate. Even in an organization of 20 people, this begins to add up to a large time commitment.
An onboarding software is often the best choice. The JoinNow Suite enables users to configure their devices for certificates in just a few clicks. The dissolvable client primarily requires that users confirm their identity while the client does the rest. In minutes, the device is provisioned with a certificate and the user is ready to be authenticated.
When the user’s identity is confirmed, that identity and the accompanying settings are imprinted on the certificate. Whichever user group they are assigned to is identified when they authenticate and allows admins to implement Zero Trust Network Access policies. After using JoinNow, every user is identified and has access to the resources they need.
Validation
The longest section of the certificate lifecycle is certainly validation. Here is where the day-to-day authentication takes place. There are many options for authentication methods, but the most highly recommended is EAP-TLS for a WPA2-Enterprise network.
When a user sends their certificate over-the-air with EAP-TLS, it is protected by the EAP tunnel that encrypts communications sent through it. This prevents any outsiders from viewing the contents of communications sent over-the-air.
From the end user standpoint, EAP-TLS is incredibly easy because they are not involved in the process. As the user enters the range of the network, their certificate is automatically sent to the RADIUS via EAP-TLS.
During this stage, admins are monitoring network activity to ensure everything runs smoothly and no one is accessing resources they shouldn’t. With certificates, this is simplified because their user group will be immediately applied and prevent users from accessing resources they do not need. When every user is properly authenticated, it is easy to control which resources are available to them.
SecureW2 also provides the ability to perform Dynamic RADIUS Authentication. This allows the RADIUS to communicate directly with the IDP when a user authenticates. This is especially useful in the case of a user needing updated network permissions, say in the case of a promotion. In the past, that user would need all new certificates with updated permissions on every device. With dynamic authentication, the admin simply has to update their permissions in the IDP and the RADIUS applies the updated settings when they authenticate with their certificate.
Expiration
Certificates are set to expire after a set period of time that is determined by the organization. This can be uniform across the board or customized on a user group basis. An effective certificate solution like SecureW2 provides expiration alert software so no certificate unexpectedly expires and leaves a hole in their security. Exploiting expired certificates is a common route used by hackers, like in the case of the Equifax leak.
When a user’s certificate expires, they can either renew a certificate or allow it to stay expired because it is no longer needed. An expired certificate cannot be used to authenticate. On occasion, a certificate needs to be revoked before it expires. In this case, SecureW2 uses a Certificate Revocation List (CRL). The CRL is a continuously updating list of certificates that have been revoked access to the network. This list ensures there are no unaccounted for certificates that could potentially be used for nefarious purposes.
Simplify Network Management with Certificates
While certificates certainly do require more effort to implement and use effectively, the benefits they provide far exceed the effort. The ease of applying network settings to users, the security and authentication benefits, and the confidence of accurately identifying everyone on the network is miles ahead of credential-based authentication.
Check out our pricing page to see if SecureW2’s certificate solutions can fit your network.
