In today’s sprawling IT landscape, a patchwork of cloud and SaaS apps spread across disparate devices and networks, typing in a username and password no longer cuts it from a cybersecurity standpoint.
First, usernames are often simple and predictable, typically a person’s email address, name or initials. Second, passwords can be easy to guess. Startlingly, the most common passwords (yes, even in 2023) are “Admin,” “12345,” “12345678,” “1234” and “password,” according to research from Outpost24.
Not surprisingly, then, using stolen credentials is one of the top ways attackers access an organization, and more than half (54%) of all attacks in the last year began with compromised logins.
All of this, experts say, means we need to move towards a passwordless — or at least password-enhanced — future marked by heightened authentication methods.
Here are a few evolving identity management techniques to keep an eye on in 2024.
If you don’t have MFA in place, you’re already way behind
Multi-factor authentication (MFA) is one of the most basic step-ups in identity management: If your enterprise has not incorporated it already, you’re far behind, experts warn.
The method requires users to present something beyond a username and password: typically a code sent by SMS to their phone, a one-time password (OTP) sent to their email address, a hardware security key, an authenticator app, or a biometric check (more on that below). Not all factors are equal, however: SMS and email codes can be intercepted or phished in real time, which is why CISA recommends phishing-resistant factors such as FIDO2 security keys wherever possible.
According to the Cybersecurity and Infrastructure Security Agency (CISA): “MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network or database.”
Zero trust on its way to becoming real
Zero trust, built on the principle of least privilege access, is another emerging approach that treats every user, device and connection as untrusted by default. Throughout their time in a network or system, users must continually verify themselves, and they are granted access only to what they need, when they need it.
“Everything is authenticated and authorized,” Dell global CTO John Roese told VentureBeat. “Everything is tightly coupled in real-time.”
Zero trust systems log and inspect all network traffic and grant access at each stage based on the user’s privilege level and the enterprise’s security policies. The method also authenticates every device, network and connection based on policies and context drawn from numerous data points.
While the concept has been discussed for some time, it has yet to be fully realized because it is complex to implement, particularly in legacy systems that already carry numerous overlapping security controls. But with the growth of new, built-from-scratch “greenfield” AI systems, experts say that 2024 will be the year zero trust becomes real.
“We’ve spent 2023 talking about zero trust and its importance to cybersecurity,” said Roese. “In 2024, zero trust will evolve from a buzzword to a real technology with real standards, and even certifications emerging to clarify what is and is not zero trust.”
Just-in-time extends limited, temporary access
An extension of zero trust is just-in-time (JIT) access, which grants temporary and time-limited access only when required for specific tasks.
“This access is provided on-demand, right at the moment when the user requests it, and it is automatically revoked after the allotted time or task completion,” explains the SaaS management platform Zluri.
Critical to privileged access management (PAM), JIT is governed by access policies and rules and typically relies on short-lived credentials such as temporary tokens.
Users request access to a specific instance, device or virtual machine; the request is evaluated against policy, by an admin or automatically, and either granted or denied. After a short-term session they log off, and access is automatically revoked until it is needed again.
“Instead of always granting access, JIT access limits it to a specific timeframe,” Zluri writes. “This way, it reduces the risk of cyber attackers or insiders misusing privileged accounts and gaining unauthorized access to sensitive data.”
Passkeys eliminate the need for passwords altogether
Moving toward the passwordless future, passkeys are digital credentials that let users create and sign in to online accounts without a password.
“Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor,” according to Google.
Passkeys are built on the Web Authentication (WebAuthn) API, developed jointly by the industry association FIDO Alliance and the World Wide Web Consortium (W3C). Each passkey is a mathematically linked pair of keys: the private key signs a challenge, and the public key lets the site verify that signature, proving the user is who they claim to be.
“You can think of them like interlocking puzzle pieces; they’re designed to go together, and you need both pieces to authenticate successfully,” according to password management company 1Password.
Public keys are shared with websites or apps, while private keys remain secret: they are never sent to the sites users visit or stored on those sites’ servers.
When users visit a website that supports passkeys, they create an account and choose to secure it with a passkey held on a phone, computer, tablet or other device rather than with a password. They confirm on their authenticator, and a key pair is generated for that specific site locally on the user’s device; only the public key goes to the site.
The next time the user signs in, the website sends the authenticator a fresh random challenge. The authenticator signs it with the private key, along with the origin the browser observed, and the site verifies the signature against the stored public key. Because the signed data is bound to the site’s origin, a look-alike phishing site cannot relay the challenge and reuse the result.
“If 2022 was the year of being passkey-curious and 2023 was the year of hedging bets by making passkeys optional, 2024 will be the year that we see two or three major services providers go all in on passkeys,” predicts 1Password chief product officer Steve Won.
Even so, “It will still take another five years for passkey-only authentication to be adopted more broadly,” he added.
At the same time, challenges such as integration with legacy systems and user education must be addressed, cautioned Michael Crandell, CEO of password management platform Bitwarden.
“A balanced approach prioritizing both security and user experience will be key in advancing these security measures,” he said.
Biometrics: The ultimate credential that can’t be lost or stolen
But the real identity authenticator of the future, many say, is biometrics: physical characteristics unique to a specific person.
This can include voice, facial, iris and retina recognition and fingerprint and palm scanning.
Researchers also claim that the shape of a person’s ear, the way they sit and walk, their veins, facial expressions and even body odors are unique identifiers.
“Each person’s unique biometric identity can be used to replace or at least augment password systems for computers, phones, and restricted access rooms and buildings,” according to cybersecurity company Kaspersky.
Advanced systems use computer vision, sensors and scanners to capture a person’s unique characteristics, then apply AI and machine learning (ML) to match the captured sample against stored templates and approve or deny access.
While there are still many security, privacy and surveillance concerns around biometrics, experts say their obvious advantages are that users don’t have to remember usernames or passwords and that personal characteristics are always with that one person. The practitioner’s caveat is that a stored biometric template can be breached or spoofed and, unlike a password, can never be reset, which is why biometrics are best used to unlock a secret held on the device (as with passkeys) rather than sent to a server as the secret itself.
“In other words,” writes Kaspersky, “biometric security means your body becomes the ‘key’ to unlock your access.”