The Great Disappearance of Identity

At least one thing is certain in the cybersecurity space as we enter a new year and a new decade: Malicious actors will continue to figure out ways to subvert security solutions, and CISOs will continue to try to catch them. We asked our top in-house experts for their predictions of the top stories for the coming year, presented below.

In summary, 2020 promises an increase in SMS attacks, the realization that more than biometrics will be needed for secure access, and passwordless solutions coming within close reach.

1. Get ready for SMS attacks to go mainstream

We adopted two-factor authentication with little hesitation: get a text on your phone with the one-time authentication code, enter it in after entering your password and gain access to your account. Most consumers haven't had an issue with an extra step for a little peace of mind. The problem is that second-factor methods can now be easily defeated by your average hacker.

SMS overrides have become a common and intensifying threat over the past year, and they'll only become more prominent in 2020. This type of attack will come in three main forms: SIM swaps, IMSI catchers and SS7 hacks.

From intercepting SMS messages and voice calls to eavesdropping and location tracking, these types of attacks highlight the weakness of relying on two-factor authentication to protect our identities. Businesses and organizations - especially those handling and storing customer data - have an obligation to look towards more advanced, adaptive approaches to securely verify their users by utilizing verification factors like location, time of day, behavior and IP addresses. It's no longer safe to assume a six-digit code sent to your phone will protect your identity.

2. Blockchain will play a greater role in verification

Blockchain technology is great for things like worldwide currency and decentralized storage. There's been talk for some time now of using blockchain technology to store identity, and that was a troubling thought. There may be no worse idea than storing an ID in a blockchain. But the newest iteration of this idea is much more feasible and offers great benefits to both customers and organizations: using blockchain to store a history of validation engagements, such as in-person verification and ID proofing. Companies can then rely on that information with greater trust. The concept is similar to using references to validate you for a job: with blockchain, the record of validation is visible.

The question now is who is going to own this movement. Will it be adopted by banks, or will Google try to own it? The answer will likely be revealed by next year.

3. The great disappearance of identity

Consumers will continue experiencing "the great disappearance of identity." Previously, consumers have had the task of managing their identity through traditional means: a password and username login. Now, no one has the time or energy (or patience) to deal with the deluge of logins. 

That means users will begin to transfer the responsibility of identification to businesses. We'll start seeing developing technologies such as biometrics and behavioral identification running invisibly in the background to verify a customer without being overt. As this trend continues, identity management will become more secure, but less visible to the consumer. There will be some friction around this in the beginning, especially with older users, as some customers will initially think the lack of gates means their information is open to just anyone. Businesses will be tasked with providing assurances of safety to the customer while also improving background security.

4. Biometrics are not a silver bullet 

There's something very James Bond about biometrics, and most of us feel a secret thrill whenever we use our fingerprint to log in at the gym or use our face to unlock our phone. Next year, the pendulum is going to swing towards more pervasive use of this authentication, but it will bring its own risks.

The large adoption of Apple's FaceID on iPhone was proof of the consumer market being ready and willing to utilize biometrics, and major smartphone vendors are making it easier for the enterprise market to move towards the dream of passwordless authentication. The issue arises, however, when hackers and other bad actors are able to gain access to biometrics. Suddenly, it's no longer a password that's been compromised: it's a fingerprint. And it's a lot easier to change a password than it is to swap out a finger. 

The security community needs to start looking at the larger picture and thinking in terms of combinations of validations instead of relying on a single authentication as a silver bullet. If a login looks at voice, typing pattern and other factors, hackers will be less likely to devote resources to acquiring a single biometric. And we can all keep our fingers.

5. Major strides on the journey to passwordless

While we're definitely going somewhere, there's a long road ahead. Yes, almost all of the major data breaches we've seen this year stem from reused or compromised passwords and could have been prevented by having passwordless authentication in place. But the desire for passwordless is primarily driven by preference and societal change. In short: we're sick of passwords.

Businesses will realize that they need to dramatically strengthen their environment by taking the human element out of it, so we'll see more demand for passwordless solutions from SMB and enterprise. However, the other challenge with passwordless is legacy systems. For these older systems (including Microsoft), implementing a passwordless experience on the front end still requires a password on the back end. Many business environments are a mix of different generations of technology and that means it's going to take years to transition from the password experience to true passwordless. Any expectations of near-universal adoption of passwordless within the next year are premature.

6. The Death of THE Cloud

Referring to cloud as "the cloud" is about as hip as capitalizing "internet." Nevertheless, the industry has been referring to "the" cloud for years. As cloud continues to be the preferred approach for most organizations, 2020 will be the year when organizations truly understand the need to develop a cloud strategy, plan and architecture. The "cloud strategy" of many organizations has been "cloud first," meaning it runs on someone else's hardware in someone else's facility. In 2020, we will see a maturation of enterprise cloud strategies that complement and support an organization's model and approach. Organizations will no longer automatically default to cloud hosting, but will take an intelligent architectural approach to cloud-based architecture. Hybrid cloud will become the norm, and architecture decisions will be based on what's best for an organization, whether it's public cloud, private cloud or a combination of both. Sorry, Google and Amazon: everyone wins in a hybrid world!

This article originally appeared on vmblog.com

January 8, 2020