Virtualization Technology News and Information
The Uncertain Future of Identity

There may be no more appropriate time than now to talk about identity. After all, we are living in a world where wearing a mask, and thereby concealing oneself, is the norm. Interestingly enough, those now-ubiquitous masks have highlighted another issue: the problems with biometrics, namely the constant battle of simply getting your phone unlocked with half your face covered by cloth.

Biometrics still run into the same fundamental problem as other identity controls such as CAPTCHA, MFA and stronger password generation: the password is still the ultimate recovery tool behind all of them.

As we venture into the future of identity in an environment with perpetually expanding vulnerabilities and risk, it's time to think about the identity solutions that will protect our data tomorrow.

Two-factor failure

The rise of smartphones made widespread use of two-factor authentication (2FA) look like it could become a reality. We did get greater adoption across the industry, but with it we got increased customer support calls and general frustration. No matter the technology, you still see the same word repeated ad nauseam: prevention.

Minor frustration could be tolerated if 2FA stopped all attacks head on, but it doesn't. 2FA doesn't stop account takeovers; it deters them. Dedicated adversaries still bypass second factors, sometimes without much effort. In the past year, the FBI has shown how secondary factors can be defeated through SIM swapping and phishing proxies that relay the victim's login session. This means we can't rely on them as a foolproof option, especially because criminals adapt and get better as the months roll on. We've seen that happen with CAPTCHAs: when they were first introduced they stopped many attackers in their tracks. Scams adapted. Fraudsters created new services and tools that bypass CAPTCHAs for rates as low as $0.99 per thousand solves. Technology that was previously expensive or prohibitively complicated, like cloud computing or machine learning on big data, is now offered as user-friendly services at a fraction of the previous cost. Attackers benefit from this cost reduction too, and we're approaching the phase where it will be common to see AI versus AI as attackers game learning systems in real time.

Biometric bumbling

Biometric authentication is great...unless there's a pandemic. If you've been to the grocery store lately and watched people try to pay with Face ID while wearing a mask, you know that our reliance on biometrics has its issues. Masks are (hopefully) temporary, but the deeper issue is that biometrics boil down to a score and a probability. Our bodies change constantly; even a long shower can render your fingerprints unreliable. Biometric services need to be user friendly to gain market share, so they rely on users being "close enough" to pass authentication. A fingerprint or a face scan to unlock your phone is a convenience, not security. It is leagues better than leaving your phone unlocked, but it is not better than a strong password. And of course, there's the issue of biometric hacking. While biometrics are easy to use (and kind of fun), when something goes wrong it goes very wrong: if someone steals your fingerprint data, you can't get a new finger. Since biometrics rely on being close enough, attackers may not even need to steal your biometric data; they can craft artificial biometrics that are "close enough" to match a large fraction of the population at once. Steal a password, though, and it can be reset.
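The "score and a probability" point above, as an added toy simulation (not the author's code and not any real matcher): templates are constructed 128-bit feature vectors, a scan is the template with a fraction of bits flipped, and verification is nothing more than comparing a similarity score to a threshold. The population, noise levels and thresholds are all assumptions chosen for illustration. The point it demonstrates is that once the threshold is relaxed so that degraded scans (wet fingers, masks) still pass, a single crafted "majority" template that belongs to nobody starts passing for a large share of users, while ordinary impostor attempts still mostly fail.

```python
import random

FEATURE_BITS = 128   # assumption: a template is a 128-bit feature vector
POPULATION = 200     # assumption: number of enrolled users


def make_population(seed=1):
    """Enrol a constructed population.

    Each feature bit has a population-wide bias, because real biometric features
    are correlated across people rather than uniformly random. That correlation is
    exactly what a 'universal' artifact exploits.
    """
    rng = random.Random(seed)
    bias = [rng.uniform(0.2, 0.8) for _ in range(FEATURE_BITS)]
    return [[1 if rng.random() < b else 0 for b in bias] for _ in range(POPULATION)]


def scan(template, noise, rng):
    """A fresh capture: the enrolled template with a fraction `noise` of bits flipped
    (wet finger, bad angle, half a face behind a mask)."""
    return [bit ^ 1 if rng.random() < noise else bit for bit in template]


def similarity(a, b):
    """Fraction of feature bits that agree: the matcher's score."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def verify(sample, template, threshold):
    """The whole 'is it you?' decision is one comparison of a score to a threshold."""
    return similarity(sample, template) >= threshold


def error_rates(templates, threshold, noise, seed=2):
    """Return (false reject rate, false accept rate) for a given threshold and scan
    quality. Each user presents one scan; it is checked against their own template
    and, as an impostor attempt, against the next user's template."""
    rng = random.Random(seed)
    rejects = accepts = 0
    for i, owner in enumerate(templates):
        sample = scan(owner, noise, rng)
        if not verify(sample, owner, threshold):
            rejects += 1                      # genuine user turned away
        impostor_target = templates[(i + 1) % len(templates)]
        if verify(sample, impostor_target, threshold):
            accepts += 1                      # someone else's template accepted it
    n = len(templates)
    return rejects / n, accepts / n


def master_template(templates):
    """Crafted artifact: per bit, the value most common across the population.
    It is nobody's biometric, but it is 'close enough' to many of them."""
    n = len(templates)
    return [1 if sum(t[k] for t in templates) * 2 > n else 0
            for k in range(FEATURE_BITS)]


def master_hit_rate(templates, threshold):
    """Fraction of enrolled users the single master template is accepted as."""
    master = master_template(templates)
    return sum(verify(master, t, threshold) for t in templates) / len(templates)


if __name__ == "__main__":
    users = make_population()
    scenarios = [("strict threshold, clean scans", 0.80, 0.10),
                 ("strict threshold, degraded scans", 0.80, 0.25),
                 ("relaxed threshold, degraded scans", 0.62, 0.25)]
    for label, thr, noise in scenarios:
        frr, far = error_rates(users, thr, noise)
        print(f"{label:34s} FRR={frr:6.1%} FAR={far:6.1%} "
              f"master template matches {master_hit_rate(users, thr):4.0%} of users")
```

Run it and compare the three rows: the strict threshold has negligible error on clean scans but rejects most degraded ones, which is the pressure that pushes a consumer product toward a lower threshold; at the relaxed threshold genuine users get in again and random impostors are still rare, but the master template now matches well over a third of the population. The threshold is the security control, and user friendliness pulls directly against it.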

The conundrum during COVID-19

All of the above solutions have their flaws, and it can be frustrating that there isn't a clear answer to identity authentication, especially in light of COVID-19.

The truth is that we haven't invented a foolproof way to protect ourselves and our data. The working world has already shifted to remote work and become more reliant on digital tools and services. That means an increased attack surface and more pressure on CISOs and security staff.

In light of this, security teams must avoid falling into the trap of permanently relaxing controls that were meant to be temporary. The shift to remote work was so sudden that companies had to move rapidly to stay in business. According to 1Password, 29% of IT departments report relaxing some security protocols and requirements during the pandemic. It's been several months now, and it is time to revisit those emergency actions.

It is easy to feel comfortable as we adjust to the new normal, but that "new normal" is a gold mine for criminals. New scams, fraud and exploits are everywhere; they just need to be uncovered. You've probably seen an increase in spam or direct messages offering cheap masks with free shipping. Some of you may have come across new phishing emails or fraudulent aid sites. These are the early scams: cheap and obvious. Phishing is already a major concern, and it is most effective when the victim is distracted and overwhelmed, which is 2020 in a nutshell. More sophisticated fraud and attacks follow once the cheap ones prove viable.

To move forward, CISOs must fully understand the extent to which their systems have changed. IT teams are stressed and dealing with an ever-changing landscape. CISOs and other executives have a responsibility to understand the implications of recent changes and to decide what can be reversed, what stays permanent, and what gets a timeline for reassessment later.

This isn't temporary: we're not going to see a rapid or immediate recovery after the pandemic. The easy summer in which COVID-19 disappeared didn't happen, so we'll need to turn temporary workarounds into permanent parts of our infrastructure. Remote work is now a given, but it means IT won't have the control it may have been used to. Managing MFA devices and configurations is now a universal IT responsibility, and if this wasn't managed at scale before, your teams probably need help.

Keeping your company secure will require additional education and automation. Executives need to stay up to date with how the company's risk profile has changed and reassess expectations and budgets accordingly. Employees are faced with new policies, workflows, team dynamics, and the insanity of working from home during a pandemic. We all have a lot going on, so education needs to come in small, relevant doses. Your IT teams are likely dealing with a surge of new manual work after a flood of remote-work tooling and expanded access. Automation has been a buzzword for the past decade, and 2020 is the year that early adopters pull far ahead of the laggards. Don't be left behind.


About the Author

Jarrod Overson 

Jarrod Overson is a Technical Evangelist at Shape Security, part of F5. He led the original development of Shape's Enterprise Defense platform. Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal and CNET, among others. He co-authored O'Reilly's Developing Web Components, created dozens of analysis and reverse engineering tools, and frequently writes and records material about reverse engineering and automation.

Published Wednesday, September 16, 2020 7:31 AM by David Marshall