To kick-start 2019 we have asked some of the movers and shakers in the world of identity for their predictions for the year ahead. Here is what they had to say:
Recognition Authentication Attacks Rise as Password Usage Finally Declines
2018 saw passwords continue to be the blight of our lives. Too frequently, they operate as a weak form of what-you-know authentication, not who-you-are or what-you-have. Despite techniques to make them stronger, passwords continue to be the cause of many contemporary data breaches. This may change in 2019 and beyond but will lead to threat actors choosing new targets to unlock access.
Other, non-string-based authentication mechanisms, such as smartcards, have been available for years, and in recent history advances in smartphone authentication technology, such as touch – thumb and fingerprint recognition – and face recognition, have commoditized such technology. If this trend in technology and in the continued reduction of the need for traditional passwords continues, we believe adversaries will also shift their focus here in order to gain user credentials and continue their ability to perform unauthorized authentication.
TIP: Where necessary, always rely on multiple methods of authentication or access validation in order to better trust that someone is who they say they are. Setting up zero-trust networks and using multi-factor authentication for those network zones, services, or users that require it will improve your organisation’s security posture by limiting, controlling and monitoring access, as well as containing issues should they arise.
Author: Alex Hinchliffe, Threat Intelligence Analyst at Unit 42 (the threat intelligence arm of Palo Alto Networks)
A clean slate for identity on the Internet
Looking toward 2019 and beyond, efforts will be more focused on preventing fake accounts, aiming to achieve a clean slate of identities. Banks and FinTechs are geared towards preventing fraud, ensuring that people truly are who they say they are, and empowering individuals to take control of their data.
Author: Zia Hayat, CEO of Callsign
Emerging ‘Unique Human Identities’ Under Attack
We’ll see a new wave of attacks against emerging ‘unique human identities’ – or newly engineered biometric markers for digital and physical authentication. Biometric fingerprint, voice and face ID authentication controls have proven effective in consumer devices, and organisations will look to new authentication methods – like embedded human microchips, for example. Attackers will increasingly target these identities to gather massive amounts of biometric data for future modelling purposes and nefarious use. Genetic consumer services, biometric stores within organisations and more will become key targets, further elevating privacy concerns.
Author: Lavi Lazarovitz, Head of the Security Research Team at CyberArk Labs
Secure digital identities are going to continue to mature and become more pervasive in 2019
Not only is multi-factor authentication (MFA) going to become even more common, replacing single-factor logon name/password methods on more web sites, but you’ll start to see the emergence of an even more seamlessly secure long-term winning methodology. The future of digital authentication is something more akin to how credit cards work today, where the consumer uses them and for the most part doesn’t get challenged or prevented from using them until they make an unusual deviation from their normal purchase patterns (such as purchasing an expensive large-screen television in a different location from the one where they are currently buying petrol and coffee).
Some digital authentication experts see a future world where users are expected to do more things to authenticate themselves, such as using a smartcard AND providing a PIN AND using a fingerprint reader to authenticate. The other camp, which I am in, sees a world where the user is authenticated “invisibly” based on hundreds of behavioural biometric attributes they aren’t even aware of. The future of authentication is continuous, seamless, and adaptive, with less user “friction” than they get today.
Our grandchildren are unlikely to know what the terms password or multi-factor authentication mean. They are just going to use their devices and services and have them work. This is already happening. Most users are probably unaware that the most popular email websites, including Gmail and Hotmail, are already measuring hundreds of attributes about them and their logon. The vendors are measuring not only the name and software configuration of the computer they are logging on from, but their IP address, origination country, and even how long it takes them to type in their password. The system they log onto knows what their usual starting points are and their behaviour once inside the system. And if the service sees something unusual, it will ask the user for more and stronger authentication (adaptive authentication). The authentication will be continuously re-assessed with every action the user takes, not just taken once at the initial logon (continuous). We won’t get there all the way in 2019, because at the same time you’re going to see more authentication devices that require more effort on behalf of the end user, but the solutions that start to win out in the long term will be the less frictionless variety.
Author: Roger Grimes, data-driven defence evangelist, KnowBe4
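The adaptive, risk-based flow described above (known device, origination country, IP address and password typing time measured at logon, with step-up authentication only when behaviour deviates) as an added illustration that is not part of the original article. The signal weights, decision thresholds and the login events are constructed assumptions, not any vendor's real scoring.

```python
"""Minimal risk-based (adaptive) authentication scorer."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    """What the service has learned about one user from past trusted logons."""
    devices: set        # device fingerprints seen before
    countries: set      # origination countries seen before
    ips: set            # source IP addresses seen before (weak signal: IPs change often)
    typing_ms: list     # how long past password entries took, in milliseconds


@dataclass
class LoginEvent:
    user: str
    device: str
    country: str
    ip: str
    typing_ms: int


# Constructed weights: device and geography are strong signals, IP is weak,
# typing rhythm is a behavioural hint. Thresholds are assumptions as well.
WEIGHTS = {"unknown device": 40, "new country": 40, "new ip": 10, "typing deviates": 30}
STEP_UP_AT, DENY_AT = 30, 80


def risk_score(event: LoginEvent, baseline: Baseline):
    """Return (score, reasons) for one logon attempt against the user's baseline."""
    reasons = []
    if event.device not in baseline.devices:
        reasons.append("unknown device")
    if event.country not in baseline.countries:
        reasons.append("new country")
    if event.ip not in baseline.ips:
        reasons.append("new ip")
    if len(baseline.typing_ms) >= 3:  # need some history before judging rhythm
        mu, sd = mean(baseline.typing_ms), pstdev(baseline.typing_ms) or 1.0
        if abs(event.typing_ms - mu) > 3 * sd:  # e.g. a pasted or replayed password
            reasons.append("typing deviates")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(event: LoginEvent, baseline: Baseline):
    """Decide allow / step-up / deny; only silently allowed logons update the baseline."""
    score, reasons = risk_score(event, baseline)
    decision = "deny" if score >= DENY_AT else "step-up" if score >= STEP_UP_AT else "allow"
    if decision == "allow":
        baseline.typing_ms.append(event.typing_ms)
    return decision, score, reasons
```

A "step-up" outcome is where the service asks for a stronger second factor; a successful step-up would be the point at which a new device or country is added to the baseline.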
The rise of designated groups handling identity strategies within organisations
Our digital world has exploded in the last 20 years, leaving organisations challenged with managing more identities, devices and resources, and protecting more data than ever before. The right level of access could be the difference between being compromised or not.
Organisations are faced with the challenge of providing only authorised employees, partners and customers seamless access to the right applications using trusted devices. However, devices aren’t always immediately trusted, or even trustworthy, nor are they properly managed. Yet, identity access management (IAM) continues to be perceived as a lengthy and complex exercise that requires skilled resources that are expensive and difficult to recruit and retain. Additionally, many organisations think of IAM as a point-in-time project, and thus believe in the “we’ve already done that” approach, leaving critical data unprotected and creating barriers for workforce- and customer-facing initiatives. As we head into 2019 we’re likely to see a core designated group handling the identity strategy, programs, and execution of a fully-fledged and ongoing IAM program, reporting to the Chief Identity Officer (CIdO) who will control identity within the business, essentially ‘owning’ it.
Author: Rob Lay, Director Solutions Architecture, Europe, Optiv
Firms will be forced to focus on operational efficiency while minimising fraud
Digital transformation efforts won’t be fully realised for financial services firms until digital identity verification for customers replaces Knowledge-based Authentication (KBA), a soon-to-be obsolete security measure that authenticates digital users by asking them personalised security questions.
This will not only broaden financial inclusion – as many millennials, migrants, and divorcees with ‘thin’ or recently changed credit files are precluded from successful identity verification in digital channels with dynamic KBA systems – but will also help minimise fraud for returning users, as recent high-profile hacks targeting personal information mean that malicious actors are more likely to ‘remember’ your favourite pizza topping or your first pet’s name and use it to their advantage.
As a result, we can expect improved customer outcomes with a 20 per cent reduction in fraud losses and close to 80 per cent reduction in account takeover fraud, which will be a relief for consumers and FS businesses alike. We also predict that by the end of next year, FS businesses that are digitally trustworthy will generate 20 per cent more online profit than less trustworthy rivals.
The blockchain hype is over and centralisation is back in the driver’s seat
Blockchain isn’t the be all and end all of security. Companies will learn this the hard way in 2019. Despite the hype, blockchain could cost businesses more than it’s worth, and be more of a roadblock to consumers than we would think.
Next year, at least 30 per cent of data management projects using blockchain will fail due to performance challenges. The biggest challenge with blockchain for identity verification is that a distributed ledger would be accessible to anyone who needed it but owned by no one, which will create privacy and security concerns. The system would need buy-in from both consumers and businesses to get traction and reach the acceptance tipping point.
If that’s not enough, most crucial is the time and money it would take to promote the service, far more than would be required to create and run it. Until businesses figure out how to monetise blockchain and where it can best be adopted in their businesses, they will give it a hard pass.
Author: Rene Hendrikse, EMEA MD, Mitek