Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
2024 Predictions: Identity & Access Management
By Steve Goldberg, Director of Product Management, SecureAuth
From authentication emerging as a top security priority to the declining effectiveness (and popularity) of legacy multi-factor authentication (MFA) approaches, the past year has shown a notable shift in how IT and security professionals approach Identity and Access Management (IAM). With 2023 coming to an end, IAM and passwordless authentication will continue to be highlighted as key topics in predictions and trends reports for 2024. Here are a few examples of what you can expect to see:
Another year of compromised credential reports in 2024
The attacks against companies and individuals are only going to get worse. Compromised credentials continue to be a significant threat to all users. Passwords must become obsolete or, at the very minimum, only one part of the authentication chain. MFA must be mandatory, but it must also be robust, resistant to phishing, and free of unnecessary friction in the login experience for end users.
New technologies will change authentication
Advanced bio-behavioral authentication methods based on AI/ML technologies will gain favor as static, rule-based approaches fail to protect access to sensitive applications and data. For example, is the user logging in from the same IP address as before, or are they trying to log in from somewhere 1,000 miles away? Are they using a different device, with a different configuration, than in previous logins? If so, require the user to present a strong MFA option that is not susceptible to phishing, such as a FIDO key or Symbol to Accept. AI/ML allows organizations to compare large quantities of historical data about a user's laptop, mobile device, browser, and behavior as part of a real-time risk check.
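The step-up logic described above, as an added illustration that is not code from the article or from SecureAuth's Arculix product: each login attempt is scored against the user's recent history (known IP addresses, distance from the last login, device fingerprint, browser configuration), and the score decides whether a phishing-resistant factor must be presented. The login records, the weights and the thresholds are constructed for this example; a production system would derive them from historical data rather than hard-code them.

```python
"""Minimal risk-based step-up policy (illustrative; not Arculix code).

All records, weights and thresholds below are constructed for the example.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ip: str
    lat: float          # approximate geolocation of the IP (constructed values)
    lon: float
    device_id: str      # stable device fingerprint or device cookie id
    user_agent: str     # browser configuration as seen by the IdP


def distance_miles(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in miles between two coordinates."""
    earth_radius_miles = 3958.8
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_miles * math.asin(math.sqrt(a))


def risk_score(attempt, history):
    """Return (score, reasons); a higher score means a more anomalous login."""
    if not history:
        # No baseline for this user: treat the attempt as high risk.
        return 100, ["no login history for user"]
    score, reasons = 0, []
    known_ips = {h.ip for h in history}
    known_devices = {h.device_id for h in history}
    known_agents = {h.user_agent for h in history}
    if attempt.ip not in known_ips:
        score += 20
        reasons.append("new IP address")
    last = history[-1]
    miles = distance_miles(last.lat, last.lon, attempt.lat, attempt.lon)
    if miles > 1000:
        score += 50
        reasons.append(f"{miles:.0f} miles from last login")
    if attempt.device_id not in known_devices:
        score += 30
        reasons.append("unrecognised device")
    if attempt.user_agent not in known_agents:
        score += 10
        reasons.append("unrecognised browser configuration")
    return score, reasons


def required_factor(score):
    """Map a risk score to the authentication step demanded (constructed policy)."""
    if score >= 50:
        return "phishing_resistant_mfa"   # e.g. FIDO key or Symbol to Accept
    if score >= 20:
        return "any_mfa"
    return "none"                         # passwordless first factor is sufficient


def evaluate(attempt, history):
    """Full decision for one login attempt against the user's history."""
    score, reasons = risk_score(attempt, history)
    return {"score": score, "reasons": reasons, "required": required_factor(score)}


# Constructed history: two logins from the same laptop on one office network.
HISTORY = [
    LoginEvent("alice", "203.0.113.10", 42.36, -71.06, "dev-laptop-1", "Firefox/120 Win"),
    LoginEvent("alice", "203.0.113.10", 42.36, -71.06, "dev-laptop-1", "Firefox/120 Win"),
]
# Same device and network as before: nothing anomalous.
NORMAL = LoginEvent("alice", "203.0.113.10", 42.36, -71.06, "dev-laptop-1", "Firefox/120 Win")
# New IP, roughly 2,600 miles away, unknown device and browser.
SUSPICIOUS = LoginEvent("alice", "198.51.100.7", 34.05, -118.24, "dev-unknown", "Chrome/119 Linux")

if __name__ == "__main__":
    for attempt in (NORMAL, SUSPICIOUS):
        print(evaluate(attempt, HISTORY))
```

The additive weights are the simplest possible stand-in for the ML models the article refers to; the point the example makes is the control flow: the risk check runs on every login, and only anomalous attempts are forced onto the phishing-resistant path, so the ordinary user sees no extra friction.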
Passwordless authentication: passkeys are not enough
There has been a lot of talk about passkeys in the past year, and we expect to see broader implementation of practical passkey solutions in the future. However, passkeys are not a silver bullet; they are a strong factor and should be treated as one, folded into a strong MFA system that provides additional phishing-resistant factors with strong, adaptive controls.
Strong authentication will be a requirement for cyber insurance
In the coming year, with the changes to reporting requirements set by the Securities and Exchange Commission (SEC) [https://www.sec.gov/news/press-release/2023-139] and growing requirements from cyber insurance providers, companies will face an increased requirement for strong authentication, among other stronger security controls that the SEC and insurance companies will demand. Not adhering to these stronger security controls will likely result in fines, policy cancellations and even civil or criminal charges against executives of the company.
Attackers will bypass legacy MFA approaches
Each year attackers find ways of taking advantage of weaknesses in the security controls that companies implement, and each year the security industry strengthens its controls to try to stay ahead of them. In the coming year, attackers will continue to exploit weaknesses in legacy multi-factor authentication (MFA) methods, through MFA fatigue (push bombing), social engineering and other techniques that trick users into accepting MFA challenges they did not initiate.
To defend against these attacks, stronger, phishing-resistant MFA options such as FIDO keys and Symbol to Accept will be required, ideally paired with a passwordless approach to authentication, which can result in a completely invisible MFA experience. This enables a Zero Trust architecture while providing a completely frictionless experience for users.
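The MFA fatigue pattern above is also something a security operations team can detect in identity-provider audit logs while the migration to phishing-resistant factors is under way. The following detection rule is an added example, not code from the article or from any IdP: it groups push-notification events per user, looks for a burst of denied or unanswered prompts inside a short window, and raises the severity when an approval follows that burst, since that is the moment a user may have accepted a prompt they did not start. The log format (timestamp, user, event, result), the sample lines and the thresholds are constructed for the example and should be mapped to the real audit fields of whatever IdP is in use.

```python
"""Detection rule for MFA fatigue / push bombing (illustrative, not vendor code).

Log format, sample lines and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: bob logs in normally, carol denies one stray
# prompt, and alice receives a burst of prompts and finally approves one.
SAMPLE_LOG = """\
2024-01-15T08:01:10Z user=bob   event=push_sent result=approved
2024-01-15T08:02:00Z user=alice event=push_sent result=denied
2024-01-15T08:02:25Z user=alice event=push_sent result=denied
2024-01-15T08:02:50Z user=alice event=push_sent result=timeout
2024-01-15T08:03:15Z user=alice event=push_sent result=denied
2024-01-15T08:03:40Z user=alice event=push_sent result=approved
2024-01-15T09:30:00Z user=carol event=push_sent result=denied
2024-01-15T09:45:00Z user=carol event=push_sent result=approved
"""

WINDOW = timedelta(minutes=10)   # assumed: maximum span of one burst
THRESHOLD = 3                    # assumed: rejected/unanswered pushes that make a burst


def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def detect_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for every user showing a push-fatigue burst."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        if event["event"] == "push_sent":
            by_user[event["user"]].append(event)

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # Sliding window anchored at each push the user received.
            burst = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            rejected = [e for e in burst if e["result"] in ("denied", "timeout")]
            if len(rejected) < threshold:
                continue
            # An approval after the burst reached the threshold is the worst
            # case: the user may have accepted a prompt an attacker generated.
            cutoff = rejected[threshold - 1]["ts"]
            approved_after = any(
                e["result"] == "approved" and e["ts"] > cutoff for e in burst
            )
            findings[user] = {
                "window_start": start["ts"].isoformat(),
                "pushes": len(burst),
                "rejected": len(rejected),
                "approved_after_burst": approved_after,
                "severity": "high" if approved_after else "medium",
            }
            break   # one finding per user is enough for an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(SAMPLE_LOG).items():
        print(user, finding)
```

A medium-severity hit is a reason to contact the user and rotate the password that let the attacker reach the push prompt in the first place; a high-severity hit should be treated as a probable session compromise. Neither fires for carol's single stray denial, which keeps the rule quiet for ordinary mistakes.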
Attacks leveraging generative AI and machine learning
Generative AI and Large Language Models (LLMs) are not, in and of themselves, an immediate threat that makes all security controls irrelevant; however, attackers will continue to use products such as ChatGPT and other LLMs to devise more convincing social engineering and phishing attempts. Attackers will also use AI models to better guess what a user's password may have been changed to, starting from a password exposed in a previous breach. This is another strong hint that passwords are a weak validation factor and should be phased out or supplemented with additional strong factors.
Companies and individual users must be aware of the signs of phishing, and should also use a password manager so that each site gets a random, secure password rather than a reused or slightly modified version of a previous one. Beyond ensuring that passwords are individual, unique, and secure, companies and users should demand that all vendors and companies provide MFA options, including phishing-resistant ones (FIDO keys, Symbol to Accept) or invisible MFA.
## ABOUT THE AUTHOR
As Director of Product Management, Steve Goldberg develops and executes the product management strategy for Arculix, SecureAuth's next-gen authentication solution. He is responsible for the strategy, delivery timeline, technical training, and technical integration of Arculix for enterprises and large organizations. Previously, he was Director of Product Management and Marketing at Axio, Senior Product Manager for endpoint security at Thycotic, and a Product Manager at MetaLogix Software. Prior to MetaLogix, he served as a Sales Engineer at Axceler (acquired by Metalogix), where he was the primary sales engineer for their global sales team. He received his BS degree from the Questrom School of Business, Boston University.