
Why I Use PKI Certificate-Based Authentication

PKI certificate technology has long been foundational to securing web traffic between users and web services. PKI (public key infrastructure) defines the method a web browser uses to determine that a website is genuine and belongs to the correct business or organization. In other words, PKI certificates are used to establish the identity of a remote computer or server. Most browsers show a padlock icon to indicate that a website can be trusted. The PKI certificate can be examined by clicking on the padlock in the browser window and then clicking on "View Certificates."

The key to establishing trust within PKI is a certificate authority (CA), which acts as a trusted third party. The primary role of the CA is to digitally sign and publish the server or website's public key using the CA's private key. Signing with a private key that only the CA holds, and verifying with the CA's public key, is what is referred to as asymmetric cryptography. Since the browser has a trusted relationship with the CA, it can verify that the server or website is who it claims to be.

Moving Beyond Passwords with PKI Certificate-Based Authentication

Using smartcards and mobile technology, security-conscious organizations are now issuing PKI digital certificates to employees, contractors and visitors instead of relying on a login and password. I enjoy using PKI certificates to verify my identity for a few key reasons. I no longer have to remember and maintain a complex password. Instead, I use my smartcard with a PKI credential and a PIN. There is no password that can be stolen or forgotten, yielding a higher level of security for the organization. Another benefit is ease of use for securing communications. With a simple click, I can now sign email transmissions, giving the recipient proof that the email did in fact come from me and has not been modified. This can help prevent phishing and spoofing attacks. Since public keys are shared, I can also encrypt emails and documents using a recipient's public key so that only the intended recipient (possessing the corresponding private key) can read the file or transmission.

In case a private key is compromised, or an employee quits and no longer needs access, PKI includes revocation technology. Revocation happens when the CA administrator determines that a certificate should no longer be trusted. CAs maintain and publish a Certificate Revocation List (CRL) for this purpose.
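The two mechanisms described above, the CA signing a user's public key and the CA revoking it through a CRL, as an added worked example that is not HID's code. It assumes the third-party Python `cryptography` package is installed; the CA name, user names and fixed clock are constructed for the demo.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # constructed clock for the demo
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    """Self-signed CA: the trusted third party whose private key signs every certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Root CA")).issuer_name(_name("Example Root CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, user_cn):
    """The CA publishes the user's public key under the CA's own signature."""
    user_key = ec.generate_private_key(ec.SECP256R1())  # would stay on the user's smartcard
    cert = (x509.CertificateBuilder()
            .subject_name(_name(user_cn)).issuer_name(ca_cert.subject)
            .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    return user_key, cert

def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL: the CA's signed list of serial numbers that must no longer be trusted."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def is_trusted(cert, ca_cert, crl):
    """Relying-party check: genuine CA signature on the certificate, and not on a valid CRL."""
    try:  # the CA's public key verifies the CA's signature over the certificate body
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False  # signed by some other key, e.g. a rogue CA using the same name
    if not crl.is_signature_valid(ca_cert.public_key()):  # reject a forged or tampered CRL
        return False
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
```

A certificate issued by a different CA under the same name fails the signature step, and a certificate whose serial number appears on the CA's CRL is refused even though its signature is still valid.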

PKI and 2FA are a Good Match

Security experts are now of the opinion that certificate-based authentication using PKI is the best way to provide strong two-factor authentication. In the past, certificate-based authentication relying on PKI was considered complex and hard to manage. It turns out that a well-designed, modern implementation of certificate-based authentication can be easy to use, provide a higher degree of security, deliver flexibility in enabling a role-based security policy, and be very cost-effective.

HID Global can help you meet the challenge with our credential management offering, such as ActivID® Credential Management System and the cloud-based HID® Credential Management Service. You can also manage the complete digital certificate lifecycle and automatically enforce security with managed PKI-as-a-service (PKIaaS).

Learn more about PKI and other technologies as part of a strong security strategy in our Advanced Authentication Buyer's Guide.
