Virtualization Technology News and Information
FIDO Alliance 2023 Predictions: MFA Goes Mainstream, Smishing, and More Expected to Make 2023 a Wild Ride for Cybersecurity


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

By Andrew Shikiar, Executive Director at FIDO Alliance

During 2022, we saw a great deal of activity in the security arena, with black hats keeping the white hats on their toes by developing not only more sophisticated phishing tools, but ones that were more pervasive, easier to operate and less expensive. The general consumer is more concerned than ever about controlling their online identities and more aware of where their data is going, what they have shared, and with whom, which requires the major players to come up with more sophisticated solutions in response to keep users safe.

Consumer awareness and control will play a big role in the industry over the next year and companies like Apple, Microsoft, and more, have been working with the FIDO Alliance to make their experiences not only safer, but easier using passkeys and biometrics.

Taking the past year into account as we head into 2023, I'd like to offer further insights. 

Cyberattacks increase - cloud service providers move beyond legacy MFA and SMS OTPs:

Cloud service providers are growing in size, data and influence, making them prime targets for cyberattacks. In 2023, we'll see a lot more high-profile, sophisticated attacks that bypass legacy MFA like passwords and SMS OTPs.  

Cloudflare and Twilio already shared their experiences this year of being attacked as part of the 0ktapus hack, with employees targeted via SMS and attackers circumventing OTP codes. While attacks will rise, we can thankfully also expect more stories with happier endings, like Cloudflare's, which was ultimately protected from data compromise due to the use of strong FIDO security keys. 

Not all MFA is created equal - and SMS OTPs just don't cut it 

Not all MFA is created equal. In the last twelve months, there's been a huge uptick in hacker toolkits available on the dark web that make bypassing SMS-based MFA cheap and trivial. Unsurprisingly, this correlates with both the rise in consumer usage we've seen, and growing attack numbers. 2023 is going to be the year SMS OTPs are finally broadly recognized as not fit for the purpose of being a strong authentication method.

Ultimately, it boils down to one key distinction - phishable and non-phishable credentials. A one-time passcode is a human-readable and shareable credential, meaning it can be phished and leveraged to take over accounts in the same way passwords are. SMS-based MFA has been an easy checkbox for security compliance for the likes of banks and retailers under tight regulation like PSD2, but that can and should change. Regulatory updates take longer than industry recognition, but we're likely to see attitudes shifting in the next year.

Smishing harder to spot  

Smishing - or SMS-based phishing attacks - has grown massively in the second half of 2022 and is going to be blowing up our notifications even more next year.  Not only that, but these attacks may also become even harder to spot as attackers refine their techniques.

Meanwhile, in the U.S., the United States Postal Inspection Service is once again warning of such scams, as identified by the Better Business Bureau Scam tracker, which shows numerous accounts of smishing all over the country. Posts on the scam tracker indicate a link to a fake USPS website, asking for a redelivery fee.

More personal data available online, plus smarter AI and data scraping tools, are going to make these attacks more convincing and trick even those who think they're clued up. The silver lining is that as smishing becomes more prevalent, consumers will put less trust in SMS as a communications channel which, we hope, will accelerate service providers' move away from SMS-based MFA in favor of passkeys and other forms of unphishable authentication.

Passkeys become a hot topic

The passkey concept was introduced by FIDO Alliance and the world's largest platform vendors in 2022, receiving a wide welcome as a more secure replacement for passwords, and is already utilized by PayPal and other service providers. Passkeys are currently supported on Apple platforms, with full support in Android, Chrome and Windows anticipated by early 2023.

It follows that we will see more major brands adopting passkeys in 2023 - which will lead to broader consumer awareness and demand. It's promising that our recent research found nearly 40% of 18-34 year-olds already had this technology on their radar - a figure we can expect to rise both among this age group and more broadly.

ID Verification goes mainstream 

The conversation around Twitter Blue rapidly brought identity verification into the mainstream vernacular - after all, how many average consumers really thought too much about their ID on social media or things like dating apps before? While this topic has been central to those in the identity space for some time, 2023 will see more stakeholders at more businesses starting to understand the imperative. This will reach consumers too - not just via Twitter, but through things like Mastercard's identity network.

As identity services like Mastercard's come to fruition, they will also bring questions of usability, security, and interoperability to the fore. Users need to get a consistent experience and feel reassured that identity services are handling their data with diligence. Many government entities are already looking to existing standards, like FIDO, and business models like delegated authentication will grow - meaning trusted providers can verify necessary information about users - e.g. DOB, country of residence - without users needing to hand over mounds of sensitive data to third parties.

The metaverse isn't just for kids and needs to be secured

'Metaverse' may seem like a buzzword or a virtual world confined to kids playing in universes like Roblox, but analyst views differ. The B2B metaverse market - which encompasses things like industrial and manufacturing use cases as well as business meetings - is valued at around $39bn. Undoubtedly, we're going to start seeing this lucrative and sensitive space become a growing target for hackers, with questions around how accounts are created and verified, with MFA becoming a stronger imperative as attacks increase in volume and sophistication.

The cybersecurity industry has an ever-increasing and vital role in our society. Whatever 2023 holds, know that we are working on it!




Andrew Shikiar is Executive Director and Chief Marketing Officer at FIDO Alliance, a global consortium working to create open standards and an interoperable ecosystem for simpler, stronger user authentication. He has deep experience in multi-stakeholder organizations, having previously led market development efforts for Tizen Association, LiMo Foundation and Liberty Alliance Project - and also helped structure and launch groups such as the Smart TV Alliance and Open Visual Communications Consortia.  

Published Tuesday, January 17, 2023 7:33 AM by David Marshall