Authenticated content, improved technology and secretless access -- identity predictions for 2024
Despite moves towards other means of authentication passwords are still widely used, making protecting digital identities a problem.
But identity affects other areas too, such as being able to verify content and devices, things which are likely to come more more into focus as we approach significant elections in the US and UK. Here are some expert views on the identity landscape for 2024.
Verified identities will help authenticate content, says Amit Sinha, CEO of DigiCert. "The United States election season will put this issue front and center. Verified identity will become the foundation of how we can trust the source and authenticity of content. Companies will begin to explore ways in which digital identity can be established once, without requiring additional proof checks each time it is applied."
Andrew Bud, founder and CEO of iProov goes further and thinks authenticated authorship of images and written content become a legally required tool. "There will be a plethora of AI-generated deepfake videos being used to persuade voters as we move towards elections. To counteract this there will be broad moves by technology companies to provide ways for people to verify the authenticity of the images they upload. For example, solutions that enable people to watermark the images and sign them when they are created or modified. 2024 is likely to see many attempts in this area because the use of deepfakes is so widespread. It will be a prerequisite that any content using images must offer some way to assure their genuineness and failure to do so will see those images devalued."
John Baird, co-Founder and CEO of Vouched, believes we'll see improvements in technology. "In 2024, the trajectory of Identity Verification (IDV) and cybersecurity is set to leverage advanced technological capabilities -- innovations akin to sophisticated identity authentication methods and AI-powered anomaly detection will reshape the landscape, minimizing fraud risks significantly. These advancements will integrate cutting-edge authentication, ensuring robust verification processes that proactively identify and prevent fraudulent activities. The seamless incorporation of these technological advancements into IDV strategies will fortify digital identities against emerging threats, setting new standards for security and trust across industries."
Mark Brady, VP emerging product at AU10TIX believes different identity systems needs to work better together. "As a community, we expect more focus on the interoperability of different forms of digital identities. There are many different regional or professional standards out there, and we need to figure out how they can coexist together and be accepted universally."
Andre Durand, co-founder and CEO of Ping Identity says:
Identity has always been a gatekeeper of authenticity and security, but over the past few years, it's become even more central and more critical to securing everything and everyone in an increasingly distributed world.
As identity has assumed the mantle of 'the new perimeter', and as companies have sought to centralize its management, fraud has shifted its focus to penetrating our identity systems and controls at every step in the identity lifecycle, from new account registration to authentication.
2024 is a year when companies need to get very serious about protecting their identity infrastructure, and AI will fuel this imperative. Welcome to the year of verify more, trust less, when 'authenticated' becomes the new ‘authentic.’ Moving forward, all unauthenticated channels will become untrustworthy by default as organizations bolster security on the identity infrastructure.
There’ll be a surge in identity related cyberattacks, says Murali Palanisamy, chief solutions officer at AppViewX. "In 2024, identity related cyberattacks will be on the rise as mismanaged and misconfigured machine identities are targeted. As the enterprise perimeter blurs, traditional perimeter defenses will no longer be sufficient to keep organizations safe and secure. With identities as the new perimeter, it will be critical to properly and meticulously manage trusted identities for machines, workloads, applications and cloud services. Weak cryptography, expired certificates and misconfigured identities will open exploitable vulnerabilities that cyberattackers will target to steal proprietary information, disrupt business-critical systems and carry out ransomware attacks."
Silverfort co-founder and CTO, Yaron Kassner expects to see a shift in the way identity management is handled:
As we approach 2024, the ever-changing cybersecurity landscape demands a radical shift in how organizations tackle identity management. Historically, identity and access management handled access to systems and devices, Multi-Factor Authentication (MFA), and governance, pushing security concerns into the background. However, recent high-profile breaches, such as Okta, MGM, and Caesars, underscore the need to secure identities beyond MFA. In 2024, securing identity blind spots (e.g., service accounts, legacy on-prem systems, command-line interfaces, IT/OT infrastructure) and the identity infrastructure will finally take center stage.
Compromised identities will remain a favored weapon for cybercriminals. Countless organizations struggle to modernize their access systems amidst legacy constraints and a tangled web of identity providers. Adding to the complexity, the lines between IT, operations, and security teams are blurring, creating ripe opportunities for malicious actors. Identity infrastructure is the most unprotected part of the technology stack and needs protection just like any other cloud, endpoint, or network, and organizations are realizing this.
In the new year, I hope to see a shift in priorities, with organizations actively seeking to secure identities beyond human identities and identity infrastructure.
Gil Geron, Orca Security CEO, says identity management will be reprioritized to harden cloud security. "Identity management has been a checkbox for any comprehensive security strategy. But it's become even more important as infrastructure moves to the cloud. Organizations are realizing that identity management is one of their key risk factors and we're going to see a new focus on it – from revamped policies and procedures to the tools and technologies that will become available to more effectively manage identities and access."
Patrick Joyce, global resident CISO at Proofpoint, thinks social engineering attacks will remain an issue:
In 2024, I anticipate aggressive social engineering tactics, including phishing campaigns to become even more prevalent. These tactics have already extended to supply chain attacks, compromising identity provider (IDP) vendors to access valuable customer information. In the coming year, we will see the replication and widespread adoption of such aggressive social engineering tactics, broadening the scope of initial compromise attempts beyond the traditional edge device and file transfer appliances.
Next year, identity-based attacks will also dominate breaches, exploiting vulnerabilities rooted in human behaviour and obscured by limited visibility. Identity already became the new vulnerability, thus in 2024, organisations must shift their focus from primarily fortifying infrastructure to securing stored credentials, session cookies, access keys, and addressing misconfigurations, especially when it comes to privileged accounts.
Ev Kontsevoy, CEO and co-founder at Teleport says increasing frequency and cost of breaches as a result of human error will force organizations to adopt secretless access. "2023 was a year defined by human error in costly security breaches -- according to Verizon's 2023 Data Breach Investigations Report, the human element features in 74 percent of all breaches. Mistakes such as privilege misuse, accidental data exposure, and falling victim to social engineering attacks stem from various human factors, and the critical consequences of the compromise of secrets. This has resulted in organizations embracing biometric hardware and identity verification, but attackers are no longer solely fixated on stealing passwords. They are actively seeking a range of secrets embedded within an organization's infrastructure, including browser cookies, private keys, API keys and session tokens. To keep up with the pace of threats, organizations will recognize they must move to fully secretless authentication in 2024 to secure the wider spectrum of sensitive access points still vulnerable to threats. As organizations look to eliminate their reliance on static secrets altogether, widespread adoption of secretless access in the coming year will create immunity to human error and significantly hamper how threat actors operate."
Image credit: vchalup2/depositphotos.com