Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Executives from SecureAuth
The Great Disappearance of Identity
At least one thing is certain in the cybersecurity space as we
enter a new year and a new decade: Malicious actors will continue to figure out
ways to subvert security solutions, and CISOs will continue to try to catch
them. We asked our top in-house experts for their predictions of the top
stories for the coming year, presented below.
In summary, 2020 promises an increase in SMS attacks, the realization
that more than biometrics will be needed for secure access, and the goal
of achieving passwordless solutions coming within close reach.
Matt Ulery, Chief Product Officer of SecureAuth
1. Get ready for SMS attacks to go mainstream
We adopted two-factor authentication with little hesitation: get a
text on your phone with the one-time authentication code, enter it in after
entering your password and gain access to your account. Most consumers haven't
had an issue with an extra step for a little peace of mind. The problem is that
second-factor methods can now be easily defeated by your average hacker.
SMS overrides have become a common and intensifying threat over
the past year, and they'll only become more prominent in 2020. This type of
attack will come in three main forms: SIM swap, IMSI factors and SS7
hacks.
From intercepting SMS messages and voice calls to eavesdropping and
location tracking, these types of attacks highlight the weakness of relying on
two-factor authentication to protect our identities. Businesses and
organizations - especially those handling and storing customer data - have an
obligation to look towards more advanced, adaptive approaches to securely
verify their users by utilizing verification factors like location, time of
day, behavior and IP addresses. It's no longer safe to assume a six-digit code
sent to your phone will protect your identity.
2. Blockchain will play a greater role in verification
Blockchain technology is great for things like worldwide
currency and decentralized storage. There's been talk for some time now of
using blockchain technology to store identity - and that was a troubling
thought. There may be no worse idea than storing an ID in a blockchain. But the
newest iteration of this idea is much more feasible and offers great benefits
to both customers and organizations: using blockchain to store a history of
engagements of validation, such as in-person verification and ID proofing.
Companies can then rely on that information with greater trust. The concept is
similar to using references to validate you for a job: with blockchain, the
information of validation is visible.
The question now is who is going to own this movement? Will it
be adopted by banks or will Google try to own it? The answer there will be
revealed likely by next year.
3. The great disappearance of identity
Consumers will continue experiencing "the great disappearance of
identity." Previously, consumers have had the task of managing their identity
through traditional means: a password and username login. Now, no one has the
time or energy (or patience) to deal with the deluge of logins.
That means users will begin to transfer the responsibility of
identification to businesses. We'll start seeing developing technologies such
as biometrics and behavioral identification running invisibly in the background
to verify a customer without being overt. As this trend continues, identity
management will become more secure, but less visible to the consumer. There
will be some friction around this in the beginning, especially with older
users, as some customers will initially think the lack of gates means their
information is open to just anyone. Businesses will be tasked with providing
assurances of safety to the customer while also improving background security.
Alberto Solino, VP of Research at SecureAuth
4. Biometrics are not a silver bullet
There's something very James Bond about biometrics, and most of us
feel a secret thrill whenever we use our fingerprint to log in at the gym or
use our face to unlock our phone. Next year, the pendulum is going to swing
towards more pervasive use of this authentication, but it will bring its own
risks.
The large adoption of Apple's FaceID on iPhone was proof of the
consumer market being ready and willing to utilize biometrics, and major
smartphone vendors are making it easier for the enterprise market to move
towards the dream of passwordless authentication. The issue arises, however,
when hackers and other bad actors are able to gain access to biometrics.
Suddenly, it's no longer a password that's been compromised: it's a
fingerprint. And it's a lot easier to change a password than it is to swap out
a finger.
The security community needs to start looking at the larger
picture and thinking in terms of combinations of validations instead of relying
on a single authentication as a silver bullet. If a login looks at voice,
typing pattern and other factors, hackers will be less likely to devote
resources to acquiring a single biometric. And we can all keep our fingers.
Edgardo Artusi, Senior VP of Global Engineering at SecureAuth
5. Major strides on the journey to passwordless
While we're definitely going somewhere, there's a long road ahead.
Yes, almost all of the major data breaches we've seen this year stem from
reused or compromised passwords and could have been prevented by having
passwordless authentication in place. But the desire for passwordless is
primarily driven by preference and societal change. In short: we're sick of
passwords.
Businesses will realize that they need to dramatically strengthen
their environment by taking the human element out of it, so we'll see more
demand for passwordless solutions from SMB and enterprise. However, the other
challenge with passwordless is legacy systems. For these older systems
(including Microsoft), implementing a passwordless experience on the front end
still requires a password on the back end. Many business environments are a mix
of different generations of technology and that means it's going to take years
to transition from the password experience to true passwordless. Any
expectations of near-universal adoption of passwordless within the next year
are premature.
Robert Humphrey, Chief Marketing Officer at SecureAuth
6. The Death of THE Cloud
Referring to cloud as "the cloud" is about as hip as
capitalizing "internet." Nevertheless, the industry has been
referring to "the" cloud for years. As cloud continues to be
the preferred approach by most organizations, 2020 will be the year when
organizations truly understand the need to develop a strategic cloud strategy,
plan and architecture. The "cloud strategy" of many organizations has been
"cloud first," meaning it runs on someone else's hardware in someone else's
facility. In 2020, we will see a maturation of enterprise cloud
strategies that complement and support an organization's model and approach.
Organizations will no longer automatically default to cloud hosting, but will
take an intelligent architectural approach to cloud-based architecture. Hybrid
cloud will become the norm, and architecture decisions will be based on what's
best for an organization, whether it's public cloud, private cloud or a
combination of both. Sorry, Google and Amazon - everyone wins in a hybrid
world!