--- name: implementing-identity-verification-for-zero-trust description: Implement continuous identity verification for zero trust using phishing-resistant MFA (FIDO2/WebAuthn), risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model. domain: cybersecurity subdomain: zero-trust-architecture tags: - zero-trust - identity - authentication - mfa - identity-verification version: '1.0' author: mahipal license: Apache-2.0 atlas_techniques: - AML.T0052 nist_ai_rmf: - GOVERN-1.1 - GOVERN-1.7 - MAP-1.1 nist_csf: - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 --- # Implementing Identity Verification for Zero Trust ## Prerequisites - Understanding of zero trust principles (NIST SP 800-207) - Familiarity with identity providers (Azure AD, Okta, Ping Identity) - Knowledge of authentication protocols (SAML 2.0, OIDC, FIDO2) - Understanding of MFA and passwordless authentication ## Overview Identity is the foundational pillar of zero trust architecture. NIST SP 800-207 mandates that all resource authentication and authorization are dynamic and strictly enforced before access is allowed. Identity verification in zero trust goes beyond traditional username/password by implementing continuous, risk-adaptive authentication using multiple signals including device posture, behavioral biometrics, location, and network context. This skill covers implementing phishing-resistant MFA, continuous identity verification, risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model Identity Pillar. ## When to Use - When deploying or configuring implementing identity verification for zero trust capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with zero trust architecture concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Architecture ### Identity Verification Flow ``` User Access Request │ v ┌───────────────────────┐ │ Primary Authentication │ │ - FIDO2/WebAuthn key │ │ - Certificate-based │ │ - Passwordless │ └──────────┬────────────┘ v ┌───────────────────────┐ │ Contextual Assessment │ │ - Device posture │ │ - Network location │ │ - Geo-velocity check │ │ - Time of access │ │ - Behavioral baseline │ └──────────┬────────────┘ v ┌───────────────────────┐ │ Risk Scoring Engine │ │ - Aggregate signals │ │ - Calculate risk score │ │ - Compare to threshold │ └───┬──────────┬────────┘ │ │ Low Risk High Risk │ │ v v ┌────────┐ ┌──────────────┐ │ Grant │ │ Step-up Auth │ │ Access │ │ - Hardware key│ │ │ │ - Biometric │ │ │ │ - Manager OK │ └────────┘ └──────────────┘ ``` ### Identity Provider Architecture 1. **Primary IdP**: Azure AD / Okta / Ping Identity for centralized identity management 2. **FIDO2 Authenticators**: Hardware security keys (YubiKey) or platform authenticators (Windows Hello, Touch ID) 3. **Risk Engine**: Adaptive access using identity threat detection (Microsoft Entra ID Protection, Okta ThreatInsight) 4. **Identity Governance**: Lifecycle management, access reviews, just-in-time provisioning 5. **Privileged Identity**: Separate verification for elevated access (CyberArk, BeyondTrust) ## Key Concepts ### Phishing-Resistant MFA FIDO2/WebAuthn eliminates phishable credentials by binding authentication to the origin domain. Hardware security keys and platform authenticators provide cryptographic proof of identity without transmitting secrets. ### Continuous Identity Verification Rather than authenticating once at session start, zero trust requires ongoing verification through session token evaluation, behavioral analytics, and periodic re-authentication challenges based on risk signals. ### Risk-Based Conditional Access Conditional access policies evaluate multiple signals (user risk level, sign-in risk, device compliance, location) to dynamically adjust authentication requirements and access grants. ### Identity Threat Detection AI-driven analytics detect compromised identities through impossible travel detection, anomalous sign-in patterns, credential stuffing detection, and token replay attacks. ## Workflow ### Phase 1: Identity Infrastructure 1. **Consolidate Identity Providers** - Audit all identity sources across the organization - Federate to a single authoritative IdP using SAML 2.0 or OIDC - Configure SCIM for automated provisioning and deprovisioning - Eliminate local accounts and shared credentials 2. **Deploy Phishing-Resistant MFA** - Enroll all users in FIDO2/WebAuthn with hardware security keys - Configure platform authenticators (Windows Hello for Business, macOS Touch ID) - Disable SMS and voice call as MFA methods (phishable) - Create conditional access policy requiring phishing-resistant methods for all sign-ins 3. **Configure Conditional Access Policies** - Require compliant device for access to sensitive applications - Block legacy authentication protocols (basic auth, IMAP, POP3) - Require MFA for all users from untrusted locations - Enforce session time limits with re-authentication - Block or require additional verification for high-risk sign-ins ### Phase 2: Risk-Based Authentication 4. **Enable Identity Threat Detection** - Activate Microsoft Entra ID Protection or Okta ThreatInsight - Configure risk levels: low (allow), medium (require MFA), high (block and investigate) - Enable impossible travel detection and anomalous token alerts - Integrate identity risk signals with SIEM/SOAR 5. **Implement Step-Up Authentication** - For sensitive operations (privilege elevation, financial transactions), require additional verification - Configure step-up policies: re-authenticate with hardware key - Integrate with PAM for privileged session approval workflows - Log all step-up events for audit trail ### Phase 3: Continuous Verification 6. **Deploy Continuous Access Evaluation (CAE)** - Enable Continuous Access Evaluation Protocol (CAEP) for real-time token revocation - Configure critical event triggers: user disabled, password changed, location change - Test that token revocation occurs within minutes (not hours) of security event - Monitor CAE event logs for operational health 7. **Implement Session Controls** - Configure session duration limits based on application sensitivity - Enable sign-in frequency controls (re-authenticate every N hours) - Implement persistent browser session controls - Configure app-enforced restrictions for unmanaged devices ### Phase 4: Identity Governance 8. **Automate Identity Lifecycle** - Configure joiner-mover-leaver workflows with HR system integration - Automate access provisioning based on role and department - Enable just-in-time access for temporary elevated permissions - Configure automatic access expiration for contractors and guests 9. **Implement Access Reviews** - Schedule quarterly access certification campaigns - Configure automated reminders and escalation - Require manager approval for continued access - Auto-revoke access for unreviewed certifications ## Validation Checklist - [ ] Single authoritative IdP with all applications federated - [ ] FIDO2/WebAuthn enrolled for all users - [ ] SMS and voice MFA methods disabled - [ ] Legacy authentication protocols blocked - [ ] Conditional access policies enforced for all applications - [ ] Identity threat detection active with risk-based policies - [ ] Continuous Access Evaluation enabled and tested - [ ] Step-up authentication configured for sensitive operations - [ ] Identity lifecycle automated with HR integration - [ ] Quarterly access reviews scheduled and operational - [ ] Identity events streaming to SIEM ## References - NIST SP 800-207: Zero Trust Architecture - NIST SP 800-63B: Digital Identity Guidelines - Authentication - CISA Zero Trust Maturity Model v2.0 - Identity Pillar - FIDO Alliance WebAuthn Specification - Microsoft Entra Conditional Access Documentation