By Ben Goodman, SVP at ForgeRock and CISSP
- 2020 Will Be the Beginning of the End of Passwords.
Consumers already log in to dozens of protected resources every day: email, banking and financial accounts, social media, healthcare, government accounts, and beyond. Even when tools like Touch ID are used, each of these resources still has a username and password behind it that can be attacked. To save time and remember their credentials for all these sites, consumers reuse the same username and password across several of them. As a result, a breach at any one of those sites dramatically increases the odds that the user's other accounts can be compromised as well (the basis of credential-stuffing attacks), giving attackers access to far more sensitive information.
Users can also put their employer at risk of a breach if they use the same login credentials for personal and professional accounts. Organizations have reacted to this risk by tightening their password policies: requiring longer passwords with more character classes and more frequent password changes. None of this, however, prevents users from reusing the same username and password across different accounts.
To address this issue, passwordless authentication methods, such as out-of-band approval on a smartphone via push notification, will become widely adopted. In fact, Gartner estimates that 60% of large and global enterprises, as well as 90% of midsize organizations, will use passwordless methods in over 50% of use cases by 2022. Companies that properly implement passwordless authentication will not only be more secure but will also improve the overall user experience by reducing friction in the login process.
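The out-of-band push flow mentioned above, shown as an added illustration in Go (example code, not ForgeRock's or any vendor's implementation): the user enters only a username, the server creates a one-time challenge for the phone enrolled to that user, the phone signs it with a key that never leaves the device, and the server checks the signature, the expiry and single use before accepting the login. The type names, the 60-second approval window and the signing format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challengeTTL is how long the user has to tap "Approve" (assumed value).
const challengeTTL = 60 * time.Second

// Device models the enrolled smartphone. In production the key pair is generated
// on the phone (ideally in its secure element) and only the public half is sent
// to the server; both halves live in one process here so the example runs alone.
type Device struct {
	UserID string
	priv   ed25519.PrivateKey
}

// Challenge is the one-time login request the server pushes to the phone.
type Challenge struct {
	ID      string
	UserID  string
	Nonce   []byte
	Expires time.Time
	used    bool
}

// Server holds each user's enrolled public key and the outstanding challenges.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]*Challenge
	now        func() time.Time // injectable clock so expiry can be tested
}

func NewServer(now func() time.Time) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]*Challenge{}, now: now}
}

// Enroll generates the device key pair and registers the public half for the user.
func (s *Server) Enroll(userID string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[userID] = pub
	return &Device{UserID: userID, priv: priv}, nil
}

// StartLogin runs once the user has typed a username. It mints a fresh challenge;
// a real system would deliver it as a push notification, here it is just returned.
func (s *Server) StartLogin(userID string) (*Challenge, error) {
	if _, ok := s.keys[userID]; !ok {
		return nil, errors.New("no device enrolled for user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c := &Challenge{ID: hex.EncodeToString(nonce[:8]), UserID: userID, Nonce: nonce, Expires: s.now().Add(challengeTTL)}
	s.challenges[c.ID] = c
	return c, nil
}

// signingInput binds the signature to this exact challenge (context label, ID,
// user, nonce); signing less would let a response be replayed elsewhere.
func signingInput(c *Challenge) []byte {
	return []byte("login-approval|" + c.ID + "|" + c.UserID + "|" + hex.EncodeToString(c.Nonce))
}

// Approve is what the phone does after the user taps "Approve".
func (d *Device) Approve(c *Challenge) []byte {
	return ed25519.Sign(d.priv, signingInput(c))
}

// Complete verifies the phone's response and consumes the challenge.
func (s *Server) Complete(challengeID string, sig []byte) error {
	c, ok := s.challenges[challengeID]
	if !ok {
		return errors.New("unknown challenge")
	}
	if c.used {
		return errors.New("challenge already used")
	}
	if s.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.keys[c.UserID], signingInput(c), sig) {
		return errors.New("signature does not match the enrolled device")
	}
	c.used = true
	return nil
}

func main() {
	srv := NewServer(time.Now)
	phone, _ := srv.Enroll("alice")
	ch, _ := srv.StartLogin("alice")
	fmt.Println("first approval:", srv.Complete(ch.ID, phone.Approve(ch)))    // <nil>
	fmt.Println("replayed approval:", srv.Complete(ch.ID, phone.Approve(ch))) // challenge already used
}
```

The server never stores anything an attacker could reuse to log in: only public keys and short-lived, single-use challenges. A phishing page that captures the username gains nothing, because approval requires a signature from the enrolled device over a challenge the server itself issued.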
- Unified, third-party identity providers become the gold standard to streamline and secure the user experience.
Consumers already sign in and register using single sign-on (SSO) with Facebook, Google, Apple and others. However, offering too many third-party identity providers creates a “NASCAR” condition, a login page covered in logos like a NASCAR car, which hinders the user experience. With even more market entrants expected in 2020, none of these providers is likely to gain enough critical mass to be recognized as the de facto provider for all US consumers.
To address this, the U.S. will have to balance the need for security with the importance of a seamless user experience. The U.K. Postal Service currently uses Digidentity as a way for consumers to quickly and securely obtain access to postal services, and it would not be surprising to see similar concepts take off in the US.
The benefits of digital identity speak for themselves; a recent Deloitte Insights article noted that:
- Nigeria saved $1 billion on civil service staff by using digital identity and removing 62,000 ghost workers.
- 24 of the 28 European Union member countries that have implemented the Once-Only initiative are expected to save nearly 855,000 hours for their citizens and 11 billion euros for businesses annually.
- Estonia’s use of digital signatures saved the country 2% of annual gross domestic product (GDP).
- Connected things will become first-class citizens in 2020, with identities assigned to them so they can be secured and managed.
To reduce IoT security incidents, device makers will stop prioritizing connectivity over security in their projects. Security will be integrated at an earlier phase of the development cycle, and devices will be assigned identities from square one so that they can be secured and managed effectively and efficiently.
Recently, it was reported that hackers have created dedicated software for breaking into Amazon Ring’s security cameras, and there have already been successful attacks in Florida and Tennessee. To get IoT security right, companies must secure multiple layers: data in transit, access to that data, and access to the connected devices themselves. Organizations will therefore define unique, secure identities for the devices they need to secure and manage. This can be done by working with vendors that understand the identity and access management (IAM) issues companies will be dealing with.
- There will be an AI arms race to defeat deepfakes and other counterfeit media.
The heinous use of AI to create convincing deepfake videos is becoming more widely known, and deepfakes represent a massive threat with the potential to spread misinformation and slander individuals on a grand scale. The industry will respond by fighting fire with fire, using AI ethically to discern whether a video is a deepfake or legitimate.
For the most part, public figures such as politicians and celebrities will be the targets of deepfake campaigns, since there is usually a plethora of content available to model their movements, speech and appearance.
However, the AI of the “Good Guys” can gain an advantage against these convincing videos through the intersection of three techniques: behavioral biometrics that observe users’ unconscious actions to transparently authenticate them and their content; digital identity, used to build a subset of real, validated and tamper-evident content; and checking whether the content is digitally signed by the individual shown in it. Together these capabilities let good AI assign a certainty score to a piece of content, indicating how likely it is to be legitimate.
In this AI arms race, ethical uses of AI will have the advantage, with digital identity as their secret weapon.
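The third technique, checking whether content is digitally signed by the individual shown in it, as an added example in Go (not code from the article or from ForgeRock): the subject signs a hash of the media bound to their identity, a verifier checks it against the key that identity enrolled, and any edit to the media or a signature made with someone else's key fails the check. The registry structure, the field names and the placeholder score values are assumptions; the sample media bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry maps a validated digital identity (e.g. a verified handle) to the
// public key that person enrolled. Assumed structure, not a real product API.
type Registry map[string]ed25519.PublicKey

// Attestation travels with a media file: who claims to appear in it, and that
// person's signature over the media.
type Attestation struct {
	Subject   string
	Signature []byte
}

// Verdict is the provenance signal that feeds a certainty score. The numeric
// weights are illustrative placeholders, not a published scale.
type Verdict struct {
	Signed bool
	Reason string
	Score  float64
}

// attestedDigest hashes the subject's identity together with the media, so the
// signature is bound to both "this person" and "these exact bytes".
func attestedDigest(subject string, media []byte) []byte {
	h := sha256.New()
	h.Write([]byte("media-attestation|" + subject + "|"))
	h.Write(media)
	return h.Sum(nil)
}

// Attest is run by the individual shown in the content, on their own device.
func Attest(subject string, priv ed25519.PrivateKey, media []byte) Attestation {
	return Attestation{Subject: subject, Signature: ed25519.Sign(priv, attestedDigest(subject, media))}
}

// Assess checks the attestation against the registry. Any change to the media
// after signing, or a signature made with someone else's key, fails here.
func Assess(reg Registry, media []byte, a Attestation) Verdict {
	pub, ok := reg[a.Subject]
	if !ok {
		return Verdict{false, "subject has no enrolled key; provenance unknown", 0.3}
	}
	if !ed25519.Verify(pub, attestedDigest(a.Subject, media), a.Signature) {
		return Verdict{false, "signature invalid: content altered or not signed by subject", 0.0}
	}
	return Verdict{true, "content signed by the subject's enrolled key", 0.95}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"senator@example": pub}
	video := []byte("constructed sample: original video bytes") // stands in for a real file
	att := Attest("senator@example", priv, video)
	fmt.Printf("%+v\n", Assess(reg, video, att))
	tampered := append([]byte{}, video...)
	tampered[0] ^= 1 // flip one bit: the signature no longer verifies
	fmt.Printf("%+v\n", Assess(reg, tampered, att))
}
```

Note what this signal does and does not tell you: a valid signature says the enrolled key holder vouched for these exact bytes, while a missing signature only means provenance is unknown, which is why the unsigned case scores as uncertain rather than as a confirmed fake.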
About the Author
Ben Goodman is a CISSP and the senior vice president of global business and corporate development at ForgeRock. He has over 20 years of experience in the sale, design, and implementation of IT. Prior to joining ForgeRock, Goodman was the lead evangelist for VMware end-user computing.