The Growing Reliance on Third-Party Identity Providers

As cyberattacks escalate—costing businesses $4.4 billion in global data breach fines in 2024—organizations increasingly turn to third-party identity providers (IdPs) like Okta, Azure AD, or Google Workspace for robust identity and access management (IAM). These platforms offer advanced analytics, threat heuristics, and single sign-on (SSO) capabilities that in-house systems often lack. However, integrating third-party IdPs introduces critical risks, such as unauthorized backdoor access or government-mandated surveillance, which conflict with Zero Trust’s “never trust, always verify” ethos

The Zero Trust Dilemma with Third-Party IdPs

While IdPs mitigate password-related breaches (linked to 80% of incidents), they create two key vulnerabilities:

1. Backdoor Account Creation: Malicious actors or legal orders could add unauthorized accounts.
2. Impersonation Attacks: Legitimate credentials might be hijacked to bypass authentication.

For example, governments have compelled tech giants like Apple and Google to create backdoors for law enforcement, undermining organizational control. Such scenarios expose a paradox: relying on external IdPs can erode Zero Trust principles by outsourcing critical authentication decisions.

Extra-Factor Authentication: A Zero Trust Solution

To retain IdP benefits while enforcing Zero Trust, security leaders like Stephanie Domas (CISO at Canonical) propose Extra-Factor Authentication (EFA). This method layers an additional verification step outside the IdP’s control, ensuring final authorization remains in-house.

How EFA Works:

1. Standard Authentication Flow: Users log in via the IdP, which performs initial checks (e.g., MFA, behavioral analytics).
2. Post-IdP Verification: After the IdP grants a “go/no-go,” the organization prompts the user for a locally stored passkey (e.g., FIDO2 security key, TPM-based token).
3. Final Authorization: Access is granted only after both the IdP and the internal system validate the user.

This approach eliminates IdP backdoor risks, as the final authentication factor remains entirely under organizational control.

Implementation: Building a Hybrid Zero Trust-IdP Architecture

Canonical’s implementation combines open-source tools to create a self-hosted, Zero Trust-aligned IAM system:

• Auth0 OpenFGA: Manages granular permissions.
• Ory Hydra: Acts as an OAuth 2.0 server.
• Ory Kratos: Handles user authentication and session management.

These components are orchestrated via Juju charms (Kubernetes operators), enabling seamless integration with third-party IdPs while retaining control over the final authentication layer.

Benefits of the Hybrid Model

1. Enhanced Security: Combines IdP threat intelligence with Zero Trust’s least-privilege access.
2. Regulatory Compliance: Mitigates risks of government-mandated backdoors by decentralizing trust.
3. Operational Flexibility: Maintains SSO convenience while adding a critical security layer.

Aligning with Zero Trust Pillars

EFA aligns with core Zero Trust principles:

• Explicit Verification: Continuous checks across identity, device, and context.
• Microsegmentation: Isolates authentication workflows to limit lateral movement.
• Assume Breach: Treats IdP decisions as untrusted until validated internally.

Conclusion: Balancing Convenience and Control

Third-party IdPs are indispensable for modern IAM, but their risks demand Zero Trust augmentation. By embedding extra-factor authentication, organizations can leverage IdP efficiencies without surrendering control—a critical step in mitigating breaches and regulatory penalties. As Zero Trust evolves, hybrid models like EFA will become essential for securing distributed workforces and cloud ecosystems.

For deeper insights into Zero Trust frameworks, explore Microsoft’s implementation guide or Cloudflare’s Zero Trust Network Access (ZTNA) principles