Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Home > Teleport Academy > Cryptographic Identity

Credentials vs. Cryptographic Identity

Posted 25th Feb 2024 by Travis Swientek
What is Cryptographic Identity?
What are short-lived certificates?
Credentials vs. Cryptographic Identity
What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

With cyberthreats evolving and now centering on identity, there is a need for methods of authentication that are resilient to phishing and human error. This article compares the use of credentials and cryptographic identity.

Credentials vs. Cryptographic Identity

The use of usernames and passwords as a traditional method of authentication has long been the norm. However, with cyberthreats evolving and now centering on identity, there is a need for methods of authentication that are resilient to phishing and human error. This article compares the use of credentials and cryptographic identity, exploring their strengths, weaknesses, and the implications for security.

Credentials

Credentials, primarily usernames and passwords, have been the bedrock of authentication systems. They act as the first line of defense in protecting user accounts and sensitive data across various service providers. Despite their widespread use, credentials face critical challenges:

  • Susceptibility to Phishing and Social Engineering: Hackers exploit human psychology through deceptive tactics to gain unauthorized access to user accounts, making credentials particularly vulnerable.
  • Password Reuse and Management Issues: The habit of reusing passwords or managing them poorly compromises security across multiple platforms.
  • Centralized Storage Risks: Credentials stored in centralized databases become prime targets for cyberattacks, aiming to exploit a single point of failure to gain extensive access.
  • Scalability Concerns: With the proliferation of digital accounts, managing an ever-growing list of credentials becomes impractical, pushing users towards insecure practices.

Cryptographic Identity

Cryptographic identity, leveraging public key infrastructure (PKI) and decentralized identifiers (DIDs), offers a robust alternative. By employing advanced cryptographic algorithms and digital signatures, it ensures a higher level of security and identity verification.

  • Encryption and Digital Signatures: Utilizing a key pair (public and private keys), cryptographic identity enables users to generate verifiable digital signatures, enhancing authentication methods without the pitfalls of password-based systems.
  • Decentralized Authentication: This model removes central points of vulnerability, distributing identity verification across a decentralized network, potentially utilizing blockchain technology for added security and transparency.
  • Enhanced Security Features: With cryptographic identity, the risk of unauthorized access is significantly reduced. The private key remains securely stored, making it nearly impossible for attackers to impersonate the user without access to the private key itself.

Exploring Key Concepts

  • Public Key Infrastructure and Interoperability: The foundation of cryptographic identity, PKI, ensures secure electronic transfers of information. Interoperability across various systems and platforms is crucial for a seamless user experience, from accessing control systems to verifying digital credentials in real-world scenarios like driver’s license verification.
  • Federated Identity and Self-Sovereign Identity (SSI): These models provide a user-centric approach to identity management, where users have control over their identity information, akin to a digital wallet. SSI, in particular, promotes privacy-preserving principles, allowing users to reveal only the information necessary for a transaction or interaction.
  • Decentralized Identifiers and Verifiable Credentials: DIDs and verifiable credentials represent the next evolution in digital identity, enabling selective disclosure and enhancing data protection. This framework supports a variety of use cases, from simple access control to complex interactions requiring a high level of trust and privacy.
  • Real-World Applications and Use Cases: Cryptographic identity transcends traditional authentication to offer diverse applications. From digital signatures for legal documents to secure online transactions resembling credit card use, it provides a secure, efficient method of proving one’s identity online.
  • Technological and Regulatory Framework: Adopting cryptographic identity requires a supportive ecosystem encompassing APIs, data models, and privacy-preserving technologies like TLS and SSL. Organizations must navigate cybersecurity regulations, ensuring compliance while protecting user data.

Comparing Credentials & Cryptographic Identity

CredentialsCryptographic Identity
Password-basedYesNo (more secure)
Stored in vaultYesn/a (more secure)
Easily sharedYesNo (more secure)
Susceptible to phishing & social engineeringYesNo (more secure)


Teleport's Take

Teleport issues cryptographic identity to every participant involved in infrastructure access, including users, machines, bots, workloads, resources, and devices. Because everything has an identity that is tied to a biometric or comparable attribute (such as a TPM or secure enclave for hardware), Teleport is able to maintain a secure and ephemeral approach to infrastructure access, which is crucial for establishing trusted computing that does not rely on secrets. In this way, Teleport eliminates credentials AND human error related to credentials as an attack vector for infrastructure access.

What is Cryptographic Identity?
What are short-lived certificates?
Credentials vs. Cryptographic Identity
What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

Table of Contents

Background image

Teleport Enterprise

Protect your infrastructure with essential security & compliance capabilities

Tags
credentials
password
phishing