Virtualization Technology News and Information
SecureAuth 2024 Predictions: Identity & Access Management


Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

2024 Predictions: Identity & Access Management

By Steve Goldberg, Director of Product Management, SecureAuth

From authentication emerging as a top security priority to the declining effectiveness (and popularity) of legacy multi-factor authentication (MFA) approaches, the past year has shown a notable shift in how IT and security professionals approach Identity and Access Management (IAM). With 2023 coming to an end, IAM and passwordless authentication will continue to be highlighted as key topics in predictions and trends reports for 2024. Here are a few examples of what you can expect to see:

Another year of compromised credential reports in 2024  

The attacks against companies and individuals are only going to get worse. Compromised credentials continue to be a significant threat to all users. Passwords must become obsolete or, at the very minimum, only part of the authentication chain. And MFA must be mandatory, but it must be robust, resistant to phishing, and avoid adding unnecessary friction to the login experience for end users.

New technologies will change authentication 

Advanced bio-behavioral authentication methods based on AI/ML technologies will gain favor as static rule-based approaches fail to protect access to sensitive applications and data. For example, is the user logging in from the same IP address or are they trying to log in from somewhere 1,000 miles away? Are they using a different device with different configurations than previous logins? If so, require a user to use a strong MFA option that is not susceptible to phishing - FIDO Keys, Symbol to Accept. AI/ML allows organizations to compare large quantities of historical user data from their laptop, mobile, browser, and user's behavior as part of a real-time risk check.  
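The signals named above (known IP, distance from the last login, known device) can be sketched as a step-up decision. This is an added example, not SecureAuth's code or an AI/ML model: it is a deterministic stand-in, and it goes slightly beyond the text by also checking implied travel speed. The `Login` fields, the `device_id` fingerprint, the 600 mph and 50-mile thresholds and the sample logins are assumptions; only the 1,000-mile figure comes from the article.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3958.8

@dataclass(frozen=True)
class Login:
    ip: str
    lat: float       # geolocation resolved from the IP (assumed available)
    lon: float
    device_id: str   # hypothetical device fingerprint
    ts: float        # epoch seconds

def miles_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two logins, in miles."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def assess(history, attempt, max_miles=1000.0, max_mph=600.0):
    """Return (decision, reasons); "step_up" means require phishing-resistant MFA."""
    if not history:
        return "step_up", ["no_baseline"]  # nothing to compare against yet
    reasons = []
    last = max(history, key=lambda l: l.ts)
    if attempt.ip not in {l.ip for l in history}:
        reasons.append("new_ip")
    if attempt.device_id not in {l.device_id for l in history}:
        reasons.append("new_device")
    dist = miles_between(last, attempt)
    if dist > max_miles:
        reasons.append("far_from_last_login")
    hours = max((attempt.ts - last.ts) / 3600.0, 1e-6)  # avoid division by zero
    if dist > 50 and dist / hours > max_mph:  # ignore small geolocation jitter
        reasons.append("impossible_travel")
    return ("step_up" if reasons else "allow"), reasons

# Constructed sample data: two prior logins near Boston, then two new attempts.
HISTORY = [Login("198.51.100.7", 42.36, -71.06, "laptop-A", 0.0),
           Login("198.51.100.7", 42.36, -71.06, "laptop-A", 86400.0)]
SAME = Login("198.51.100.7", 42.36, -71.06, "laptop-A", 90000.0)
REMOTE = Login("203.0.113.9", 51.51, -0.13, "phone-Z", 90000.0)  # London, 1 hour later

if __name__ == "__main__":
    for attempt in (SAME, REMOTE):
        print(assess(HISTORY, attempt))
```
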

Passwordless authentication - Passkeys are not enough  

There has been a lot of talk about passkeys in the past year, and we expect to see broader implementation of practical passkey solutions in the future. However, passkeys are not a silver bullet - they are a strong factor and should be treated as such, folded into a strong MFA system that provides additional resistant factors with strong, adaptive controls. 

Strong Authentication will be a requirement for Cyber Insurance   

In the coming year, with the changes to reporting requirements set by the Securities and Exchange Commission (SEC) [https://www.sec.gov/news/press-release/2023-139] and more requirements from cyber insurance providers, companies will face increased requirements for strong authentication, among other stronger security controls, from both the SEC and insurance companies. Not adhering to the stronger security controls will likely cause fines, cancellations and even some civil or criminal charges against executives of the company.

Attackers will bypass legacy MFA approaches

Each year attackers find ways of taking advantage of weaknesses in the security controls that companies implement. And each year, the security industry strengthens its controls to try and stay ahead of attackers. In the coming year, attackers will continue to exploit weaknesses in legacy multi-factor authentication (MFA) methods - such as through MFA fatigue/bombing, social engineering and other techniques to trick users into accepting MFA challenges.  

To defend against these attacks, stronger, phishing-resistant MFA options such as FIDO keys and Symbol to Accept will be required - ideally paired with a passwordless approach to authentication, which can result in a completely invisible MFA experience. This enables a Zero Trust architecture while providing a completely frictionless experience for users.

Attacks Leveraging Generative AI and Machine Learning 

Generative AI or Large Language Models (LLMs) in and of themselves are not an immediate threat to make all security controls irrelevant; however, attackers will continue to use products such as ChatGPT and other LLMs to devise more convincing social engineering phishing attempts. Attackers will also use AI models to better guess what a user's password may have been changed to from a password that has been exposed in previous breaches - another strong hint that passwords are a weak validation factor and should be phased out or enhanced with additional strong factors. 

Companies and individual users must be aware of the signs of phishing, but should also use a password manager to allow the use of random, secure passwords for each individual site and not reuse or just slightly change a password from what was previously set. However, beyond ensuring passwords are individual, unique, and secure, companies and users should demand that all vendors and companies provide MFA options, including those that are phishing resistant (FIDO keys, Symbol to Accept) or invisible MFA.

##

ABOUT THE AUTHOR

Steve Goldberg 

As Director of Product Management, Steve Goldberg develops and executes the strategy for product management of Arculix, SecureAuth's next-gen authentication solution. He is responsible for the strategy, delivery timeline, technical trainings, and technical integration of Arculix to enterprises and large organizations. Previously, he was the director of product management and marketing at Axio, senior product manager at Thycotic for endpoint security as well as a product manager for MetaLogix Software. Prior to MetaLogix, he served as a Sales Engineer at Axceler (acquired by Metalogix) where he was the primary sales engineer for their global sales team. He received his BS degree from Questrom School of Business, Boston University.

Published Tuesday, January 02, 2024 7:33 AM by David Marshall