PART 2: 5 Predictions Shaping Digital Security in 2024 - From the Technology Side
In an ever-evolving digital landscape, the need for robust authentication methods has become increasingly paramount. Just this week, we continued to hear the drumbeat of data breaches and the associated dangers. JP Morgan Chase executives reported at Davos last week that despite spending $15B on technologies and employing 62,000 technologists who mostly focus on cybercrime prevention, the bank suffers from 45 billion hacking attempts every day. What is important to remember when it comes to cybercrime is that it is not about the number of hacking attempts that fail; it is about the big ones that succeed.
So as we step into the future and look ahead into the coming year, there are several trends on the technology side that are poised to shape the way we secure our digital identities. This article follows on from Al Pascual's analysis from the market point of view, posted on the Anonybit website, and delves into five predictions that are set to redefine the realm of authentication from a technology point of view.
1. Passkeys: The New Norm, but Challenges Persist
Whichever market research report you read, the statistics are clear. The adoption of passkeys is on the rise, with many institutions recognizing their efficiency in securing digital access. However, while passkeys offer a level of security, they are not immune to evolving cyber threats. There are numerous concerns, including where they are stored: if they are in the cloud of the main providers, then the only thing standing between a hacker and a victim's passkeys is a password, and where does that leave us? Furthermore, there are numerous use cases and applications where a passkey is not necessarily relevant or cannot be relied on (such as in the case of a lost device or a shared device implementation), making it complicated for enterprises to implement. In fact, the account recovery scenario is the most vexing of all, requiring systems that can handle lost or compromised passkeys without compromising the security of the user accounts to begin with.
2. Maturation of Privacy Enhancing Technologies
Privacy-enhancing technologies (PETs) are set to mature and expand in use, providing answers to lingering questions about their viability and scalability. As enterprises increasingly deploy these technologies, we can expect a clearer understanding of their effectiveness. From a biometrics perspective, the limitations of some of the approaches, like tokenization and homomorphic encryption, are becoming better understood. The two biggest challenges are algorithmic dependency for accuracy and the significant computational overhead that is required to perform at scale, leaving only multi-party computation as an effective means of storing and processing biometrics at an enterprise level. Multi-party computation allows for multiple biometric and non-biometric functionalities, including one-to-one matching (for user authentication), one-to-many matching (for deduplication, blocklist checks and preventing synthetic identities), as well as storage and retrieval of any structured or unstructured data sets. This makes this type of PET the most compatible with identity management, where all these functionalities are typically called upon in an end-to-end framework. More on this in the next point.
3. IDVs Evolving: Extending Capabilities and Raising Questions
Identity Verification (IDV) companies are starting to add capabilities that extend the value of their offering and help their customers leverage the data they are collecting for other purposes. It is a natural extension of their businesses and a trend identified by Liminal last year in their report on the Rise of Integrated Identity Platforms. However, the promise of these systems to enhance security and deliver massive ROI (15.4x according to Liminal) is always tempered by questions around data storage, security, ethical considerations and regulatory compliance. Striking a balance between enhanced security measures and respecting user privacy will be a critical consideration for institutions deploying advanced IDV solutions.
4. Verifiable Credentials still require an overall system security framework to be totally viable
Verifiable credentials are set to become an integral part of the digital identity landscape, but likely more as an extension of government ID systems, and less around standalone private sector implementations. Part of the reason for this has to do with business model concerns and who pays when a credential is issued and when a credential is used; another is the need for unified standards for issuance, verification and management, which are difficult to achieve among many private sector players. Other aspects to consider include the security of the backend, where verifiable credentials come into play for enterprise applications, and how account recovery is handled. As stated in our blog on this topic earlier, addressing verifiable credentials without an overall system security framework is a recipe for disaster. Having a strategic roadmap and a visualization of the final end state is critical. Without these intentional steps, cybercriminals will find ways to exploit these credentials, steal sensitive information, and create new victims. If this point is ever reached, it will be virtually impossible to distinguish between legitimate people and attackers.
5. Biometric Data Protection in the Age of Passwordless Authentication
With the increasing reliance on biometrics for authentication, cybercriminals are likely to target biometric data as a valuable asset. This includes biometrics that are stored on mobile devices as well as ways to bypass biometric authentication requirements altogether. This is not a theoretical risk. To protect biometrics effectively, robust solutions will be crucial. These include capabilities for detecting presentation attacks, injection attacks and deepfake attacks, and solutions for managing the storage and processing of biometric data in a way that is safe from hackers but can still handle many of the intricate requirements of a biometric deployment: dynamic thresholds, support for various algorithms and modalities, data residency configurations, and more.
As always, the identity space is exciting, ever-changing and broadening in so many ways. Institutions and individuals must stay abreast of the issues and understand the technical nuances in order to navigate the evolving landscape and design systems that are future-proof and consider all the privacy, usability, cost and security aspects that are important in any implementation.