By Tom Thimot, CEO and Director, authID.
While enterprises should be focused on cybersecurity year-round, October is Cybersecurity Awareness month and a good opportunity for organizations to assess their practices and take stock of security trends. Here are four cybersecurity themes that have emerged this year that should be top of mind for organizations when evaluating their Identity, Access Management and Authentication strategies.
1. Human Vulnerabilities
As recently reported by The Wall Street Journal, even Big Tech companies are vulnerable to major hacks and data breaches. The main reason is human error, with employees or vendors often falling victim to social engineering attacks.
Uber, for example, was recently compromised by a smishing scheme and a multi-factor authentication (MFA) social engineering attack. The hacker persuaded an employee to disclose their password, which gave the bad actor access to Uber’s systems, including Uber’s Duo, AWS, and Google Workspace.
Another recent attack on customer engagement platform Twilio was achieved by a massive phishing campaign that compromised 9,931 accounts at more than 130 organizations. The fraudsters obtained Okta identity credentials and MFA codes from users, who received text messages containing links to phishing sites that mimicked the Okta authentication page of their organization.
Researchers suggest implementing strong FIDO2 passwordless authentication is the best action to prevent these attacks. Human-driven security vulnerabilities also call for Human Factor Authentication – i.e., biometrics, like those we deploy at authID.
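The reason FIDO2 defeats the look-alike login pages described above is that the browser, not the page, records the origin and the authenticator scopes the key to a relying party ID, so a relayed credential cannot pass the relying party's checks. The following is an added example, not code from authID or from the original post: a simplified verifier for the clientDataJSON and authenticatorData of a WebAuthn assertion (RP ID, origin and challenge values are constructed; signature verification is left out).

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party values for this example (not from the original post).
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """WebAuthn assertion checks that make relayed credentials useless.
    Returns (ok, reason). A real RP would then verify the signature over
    authenticatorData || SHA-256(clientDataJSON); that step is omitted here."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser writes the origin; page script on a phishing site cannot change it.
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    # authenticatorData begins with SHA-256 of the RP ID the key was scoped to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # What a browser serialises for navigator.credentials.get() on the given origin.
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    # rpIdHash (32 bytes) + flags byte (user present) + 4-byte signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def demo() -> tuple:
    challenge = secrets.token_bytes(32)
    legit = verify_assertion_context(make_client_data(RP_ORIGIN, challenge),
                                     make_auth_data(RP_ID), challenge)[0]
    # A look-alike site relaying the real challenge: the browser still records its
    # own origin, and the authenticator scopes the key to the look-alike's RP ID.
    phish = verify_assertion_context(make_client_data("https://login-example.com", challenge),
                                     make_auth_data("login-example.com"), challenge)[0]
    return legit, phish
```

Contrast this with the OTP flow in the Twilio campaign: a six-digit code carries no origin or RP binding, so whoever captures it can replay it at the real login page.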
2. Passkeys Make Headway
This year, the cybersecurity world has made progress away from passwords and knowledge-based authentication methods and towards passkeys and biometrics.
Apple announced at its Worldwide Developer Conference this summer that it will launch passwordless logins across its products, dubbed by WIRED as “the first major real-world shift to password elimination.” Three of the world’s largest tech companies – Apple, Microsoft, and Google (Alphabet) – have each pledged passwordless initiatives and lauded FIDO2 standards that enable passkey technology.
While this is a huge step in the right direction, the passkeys approach falls short in a few ways, as our SVP of Product, Jeremiah Mason, wrote here. Among the issues are tech ecosystem lock-in, UX issues with users interacting with websites that have not implemented FIDO2, and password recovery challenges. In addition, passkeys as they are being developed by the major tech companies are not an enterprise-grade solution. Enterprises need a much stronger level of both identity assurance and authentication management than passkeys can deliver.
3. Ethics in Biometrics
As biometrics have begun to take hold in some sectors, debates around privacy and ethical biometrics came to the fore this year. ID.me, Clearview AI, and Onfido ran into legal and political trouble for their approaches to using biometric data.
As these companies’ actions draw the attention of policymakers and the courts, it will hopefully lead to better policies for the ethical use of biometrics, deployed to protect rather than exploit consumers. Pillars of ethical biometrics include explicit informed consent to use biometrics, biometrics that are free of bias based on skin tone, gender, or other characteristics, and an opt-in rather than an opt-out model for use of biometrics.
4. Zero Trust Expands
Although Zero Trust has been a topic in cybersecurity for at least a decade, increased circumvention of MFA, escalating supply chain and ransomware attacks, and the ubiquity of remote workforces have brought Zero Trust back in focus. This year, the White House issued an Executive Order declaring that the federal government would pursue a Zero Trust strategy. Subsequently, many industries have also begun to adopt Zero Trust architecture including financial services, healthcare, education, and more.
Finally, keep an eye on our blog for more content and trends this Cybersecurity Awareness Month, as well as our upcoming white paper on Zero Trust, covering implementation challenges, Zero Trust Architecture and Zero Trust Access.