Why I Use PKI Certificate-Based Authentication

jmacinnis's picture

PKI certificate technology has long been a foundational technology in securing web traffic between users and web services. PKI (public key infrastructure) defines the method that a web browser uses to determine that a website is genuine and belongs to the correct business or organization. In other words, PKI certificates are used to ensure the identity of a remote computer/server.  Most browsers have the padlock icon to show that a website can be trusted.  PKI certificates can be examined by clicking on the pad lock in the browser window and then clicking on 'View Certificates.’

The key to establishing trust within PKI depends on using a certificate authority (CA) which acts as a trusted third party. The primary role of the CA is to digitally sign and publish the server or web site’s public key using the CA’s private key. This is referred to as asymmetric cryptography.  Since the browser has a trusted relationship to the CA it can then verify that the server or website is who they claim to be. 

Using smartcards and mobile technology, security conscious organizations are now issuing PKI certificates to employees, contractors and visitors instead of relying on login/password.  I enjoy using PKI certificates to verify my identity for a few key reasons. I no longer have to remember and maintain a complex password. Instead I use my smartcard with PKI credential and a PIN. There is no password that can be stolen or forgotten, yielding a higher level of security for the organization.  Another benefit is ease of use for securing communications. With a simple click I can now sign email transmissions, lending proof to the recipient that the email in fact came from me and has not been modified. This can help prevent phishing and spoofing attacks. Since public keys are shared, I can also encrypt emails and documents using a recipient’s public key so that only the intended recipient (possessing the corresponding private key) can read the file or transmission.

In case private keys are compromised or an employee quits and no longer needs access, PKI includes revocation technology.  This happens when the CA administrator determines that a certificate should no longer be trusted. CA’s maintain and publish a Certificate Revocation List (CRL) for this purpose.

Security experts are now of the opinion that certificate-based authentication using PKI is the best way to provide strong two factor authentication. In the past, certificate-based authentication which relies on PKI was considered to be complex and hard to manage. It turns out that a well-designed and modern implementation of certificate-based authentication can be easy to use, provide a higher degree of security, deliver flexibility in enabling a role-based security policy and can be very cost effective.

HID Global can help you meet the challenge with credential management products, such as ActivID® CMS and ActivID ActivClient®. HID Global’s Credential Management System (CMS) can be deployed for the enterprise to simplify user authentication. CMS can manage the certificate lifecycle and automatically enforce security.

At HID Global, we have technical experts on hand to walk you through our industry-leading secure identity solutions, and preview some newer solutions that are still under wraps. You can also find out how ActivID CMS can help you better support mobile devices with Derived Credentials and Virtual Smart Cards.

View our multi-factor authentication solutions portfolio for more information.