By Blair Crawford, co-founder and CEO of Daltrey.
Impersonation resistant technology will become imperative in 2023, in growing recognition that hackers don’t hack, they actually log in. With billions of username and password combinations stolen over recent years, we can no longer rely on entering a password as proof of identity. And many recent attacks, such as the September 2022 breach at Uber, make it clear that cybercriminals are becoming more skilled at finding creative ways to circumvent Multifactor Authentication (MFA), which was seen as a way to strengthen password-based security.
Entering the correct username and password, even backed with MFA, doesn’t prove that an authorised person has accessed your systems. Organisations need to be assured that the person entering the login credentials are who they say they are.
The importance of verifiable credentials is gaining momentum. There is no point authenticating a user when they enter login credentials unless you are certain that their identity is verified. Strong authentication starts with identity proofing. This is why the FIDO Alliance is working on defining standards for identity proofing as they acknowledge this is a significant gap in their value proposition.
In 2023, we predict that at least 50% of large Australian enterprises will remove or begin the process to remove passwords and adopt impersonation resistant authentication controls to strengthen their cyber defences. This is not about becoming passwordless – it’s about proving, with a very high level of certainty, that the person being authenticated is really who they say they are.
Digital identity is fast becoming the top priority for organisations of any size with the Federal Government passing laws that can result in fines of up to $50M for companies and $2.5M for individuals that are breached resulting in the theft of personal data.
Verizon’s recent Data Breach Investigations Report found that 80 percent of cyber risk stems from weak or stolen credentials. The broad implementation of MFA has stemmed the flow of unauthorised access, but modern attack vectors are now using MFA spoofing to get access to critical data assets. Verified digital identities that are impersonation resistant are needed to ensure system access is not compromised as traditional authentication tools are increasingly vulnerable.
Standards-based biometrics that include features such as liveness detection of the user enhances security controls and thwarts attempts to spoof authentication processes. Adding biometric authentication significantly bolsters cyber defences and stops cybercriminals who try to trick users into disclosing MFA codes or leveraging other methods such as technical interception.
When organisations analyse their risk of cyberattack, the misuse of credentials sits near the top of the list of ways attackers can gain unauthorised access to systems. We can no longer rely on usernames and passwords as billions of them are freely available to threat actors. And MFA, while useful, is now being routinely overcome by criminals. Impersonation resistant authentication using a verified identity that is bound to a login credential can protect organisations from attacks stemming from weak or stolen credentials.
