Say Farewell to Passwords and Codes

By Jordan Blake, VP of Products at BehavioSec

A "new normal" took hold in 2020. As we work in 2021 to contain the virus that changed everything this past year, will we be able to return to a way of life we once took for granted - or find our daily routines and digital lives forever changed? 

I believe we'll see both. Yes - we'll be able to resume most familiar activities that were placed on hold. But some advantageous, pandemic-driven developments will remain part of a lasting business and societal dynamic - including working from home (WFH) and improvements to device, network, application, and system security.  

My (3) Top 2021 Predictions: 

1.     Hackers will increasingly target and succeed at compromising WFH environments, forcing security teams to respond.  

In the COVID-19 era, over 37% of Americans are already working from home. While this benefits public health within their communities, it also opens more ransomware and data breach opportunities for hackers due to an expanded and highly vulnerable cyber ecosystem. In fact, 90% of technology leaders say they've seen a rise in attacks resulting from WFH policies, with 3 of 10 noting incidents increasing by at least 25%. Further, 4 out of 5 indicate that attacks are becoming more sophisticated. Given this, security teams will need to examine their tools and methods to assess what's needed to safeguard employees - especially since, for 84% of companies, their workforce will only go more remote, and on a permanent basis. 

2.     In response to breach, Multi-factor Authentication (MFA) systems will finally evolve beyond basic knowledge/possession-based secrets.  

Why? Because, in the case of these early implementations of MFA, there are too many issues with telephone networks to continue to trust that a phone number uniquely and reliably identifies an individual, and hasn't been compromised. To cite just one high-profile example, Microsoft's Director of Identity Security, Alex Weinert, recently wrote that it's time to "hang up" on short message service (SMS) and voice MFA controls.  He notes how publicly switched telephone networks (PSTNs) are easily compromised by cyber criminals using phishing, social media, account takeover and device theft exploits. 

Weinert instead advocates a transition to "passwordless" authentication. I anticipate that many companies will begin to heed this call in 2021, leaving behind passwords, tokens, pins and additional possession, knowledge-based authentication tools as a pre-COVID model - and working to adopt newer approaches to MFA such as behavioral biometrics. Through behavioral biometrics, security teams unobtrusively authenticate users by tracking how they physically interact with services and devices, e.g. how they type on a keyboard or swipe on a smartphone. These unique, behavioral profiles of employees are used for authentication, while blocking activity of those who do not match the known behavior of the human behind the digital identity. 

In addition to improved security, behavioral biometrics solutions allow employees to avoid tedious, friction-creating steps which negatively affect their productivity and engagement. They aren't even aware that they're going through an authentication process because they don't need to "do anything" to access the internet, apps, docs, etc. - they simply use their devices as always while doing their jobs. 

3.     In their rapid responses to threat, organizations will then face increased scrutiny on data privacy compliance.  

Nearly two-dozen organizations have already paid "major" (at least €100,000) fines in 2020 for General Data Protection Regulation (GDPR) privacy violations. And in May, the European Data Protection Board (EDPB) banned "cookie walls," which require visitors to accept cookies to allow access to a website's content. Given these trends, we're likely to see more legislation and precedent-setting cases globally as consumers demand transparency about the way businesses collect and store their personal information - all of which will benefit worldwide governance, compliance and security. 

At the risk of stating the obvious, while we don't want this "new normal" to last, it has also driven difficult, but necessary, adjustments that serve greater good. The pandemic has offered "lessons learned and best practices" for both our physical and digital health to unlock meaningful, enduring change. By eliminating dependence upon old and annoying possession/knowledge-based authentication controls and committing compliance with personal data protection, we'll ensure that businesses, consumers, and employees will be able to shop, work and otherwise live in a more secure state digital world as we emerge from a year many of us look forward to putting behind us. 

##

About the Author

Jordan Blake is the VP of Products at BehavioSec, driving the vision, growth, quality of solutions, and client satisfaction with them.

His 20-year career in product management, cybersecurity, and cybersafety has spanned work with global industry leaders like IBM and Symantec. Most recently as Director of Product Management at Symantec, he led product efforts to integrate LifeLock after its $2.3 billion acquisition. He previously led the early product management function at FireEye (FEYE), leading to a multibillion-dollar IPO.

Jordan holds a B.S. from the University of Waterloo, Canada and currently resides in the San Francisco Bay Area.