Key takeaways from Identiverse: Identity Security Threats & Trends

Martin Gallo
Senior Director of Research at SecureAuth Innovation Labs
August 19, 2021

Identiverse is an annual Identity and Access Management conference with identity professionals attending from around the world. SecureAuth’s Innovation Labs attended and presented at the 2021 hybrid edition, featuring both in-person as well as virtual sessions. After looking at the full virtual content during July, we wanted to share a couple of reflections from an identity security perspective. 

Note: This blog was co-authored by SecureAuth Innovation Labs researchers.

Threats and trends 

Events in the last couple of years continue to demonstrate that almost every major security incident involves an identity-based attack or a compromise of identities, regardless of the technical means used to achieve it. This was the main point of our talk in the Identity and Access Management for Security track, “Recent Identity Threats and Trends: Lessons to improve Identity Security”. In this session, we reviewed the latest threat vectors through recent example campaigns, identified and shared some of the trends we are seeing, and concluded with lessons learned.

The same track also featured a couple of interesting sessions that backed up our findings and reinforced the trends we were observing. The Security Panel hosted a discussion and shared the lessons learned since the recent SolarWinds attacks, while Alex Weinert further expanded on this topic with a deep dive into the incident in “Sunburned: What Happened, How We Recovered, and How the Industry Needs to Respond”.

Improved user journeys with Continuous Identity Access enablers

As participants in and advocates of the work being done at the OpenID Foundation’s Shared Signals and Events working group, we were eager to hear what our colleagues had to share about these efforts. On the first day of the conference, representatives from the working group highlighted the latest developments in our standardization efforts in the “A Zero Trust Security CAEPer” session. On the same topic, Microsoft shared their adoption efforts in “How to Enforce Security Policies in Real-Time with Continuous Access Evaluation”. Overall, these sessions gave a good overview of what’s next and what can be achieved as we and the industry move towards continuous models that enable lean and progressive access journeys.

However, if you want to go deeper into these subjects, talks like “Simplify Your Least-Privilege Journey with Access Analysis” and “Managing and governing workload identities” definitely provide greater insight. As a complement to the intuitive use of events in this topic, UberEther showed in “User Behavior Analytics: Marrying Identity and the SOC Like Peanut Butter and Jelly” how UBA (User Behavior Analytics) and UEBA (User Events Behavior Analysis) deliver additional value, helping to avoid threats in real time and providing visibility to analysts.

FIDO2 and Passwordless Adoption

This year we saw a large number of sessions in the area of passwordless, ranging from shared implementation experiences to the introduction of new developments aimed at increasing adoption and improving user journeys.

The second-day keynote included a session in which the FIDO Alliance officially announced the release of the new FIDO UX Guidelines. This was followed up with a dedicated session, “Optimizing User Experience for FIDO Authentication”, highlighting a much-applauded effort to provide best practices that facilitate more consistent experiences for users. Some adoption insights were also shared in the “MFA for Real: Reports from the Field… Two Years Later” panel.

Key Takeaways

The hybrid experience of the 2021 edition allowed attendees to consume valuable content. All in all, as in previous years, Identiverse has proven to be a great place to have conversations about the present and future identity security challenges.