Ryan Rowcliffe, Field CTO at HYPR, and Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, two prominent cybersecurity experts, examine the evolving landscape of identity security and the challenges posed by changing work environments and AI-powered attacks, focusing on the need for a balanced approach to security that combines traditional methods with AI-powered tools. They address the importance of certification in the adoption of passkey technology, the advantages of passkeys in various authentication scenarios, and the increasing interest in identity verification technologies.
According to the recent “2024 State of Passwordless Assurance Identity” report, 78% of organizations were targeted by identity-related cyberattacks in the past 12 months. These attacks pose an unprecedented threat to organizations worldwide, while the alarming statistics underscore the urgent need for effective identity security measures. In an effort to thwart this growth in IT security attacks that have caused many organizations to scramble to revamp their identity security systems, companies are turning to AI to prevent cybercriminals from capitalizing on impaired defenses.
However, in identity security, AI-powered phishing attacks are increasingly targeted and sophisticated, resulting in significant challenges to traditional security measures. While AI offers substantial benefits, it also presents the potential for new threats.
- 60% of organizations worldwide consider AI a major threat
- 75% of companies consider it a strategic defense against cybercriminals
This conversation – based on “Webinar: What Are the Top Identity Threats in 2024? Insights From the Annual State of Passwordless IA Report (hypr.com)” – explores the dual nature of AI and its creation of a cat-and-mouse game between vendors and attackers that necessitates continuous adaptation and innovation in security strategies.
Q: HYPR recently released its annual State of Passwordless Identity Assurance Report. What were the key takeaways in regard to identity security?
RR: Our research underscores that the rapid evolution of threats and enterprise IT environments has outpaced identity defenses, creating significant security, modernization, productivity, and growth challenges. Despite proactive adoption of new identity security tools, traditional models remain fragmented and vulnerable.
A strategic shift towards a holistic identity framework, incorporating phishing-resistant authentication, ongoing verification, and continuous risk assessment, is essential.
This integrated approach not only addresses current and emerging security risks but also reduces user friction, productivity barriers, and regulatory pressures. Collaborating with experienced partners and adopting deterministic security controls can effectively mitigate identity risks and integrate seamlessly into existing infrastructures.
Q: What do you think are the biggest hurdles in keeping our identities secure today?
AS: The primary challenges in identity security today are the increasing sophistication of AI-powered attacks, credential misuse, and authentication weaknesses. AI-powered phishing attacks are becoming more targeted and sophisticated, resulting in significant challenges to traditional security measures. Additionally, many organizations still face issues with help desk spending and password-related issues.
Q: How have challenges in onboarding and offboarding, such as the rise of fake identities, impacted identity security? What measures can be taken to address these issues?
AS: Onboarding and offboarding, whether for new employees or customers, present significant challenges due to dynamic components and user experience pain points. Strategically addressing these processes is crucial for maintaining security and preventing identity-related threats, such as fake identities that can arise from poorly managed procedures. Implementing a reliable passkey system and a face verification certification program can streamline both onboarding and offboarding by ensuring that identity verification is secure and user-friendly. Additionally, securing endpoint access and password reset procedures with passkeys and multi-factor authentication can significantly enhance the overall security posture. This approach not only mitigates risks associated with unauthorized access but also reduces the likelihood of phishing attacks, fake identities, and other identity-related threats. By adopting these measures, organizations can create a more seamless and secure experience, ultimately improving productivity and user satisfaction.
Q: Let’s pivot to AI. In what ways are AI-powered attacks affecting how we keep our identities secure?
RR: AI-powered attacks are fundamentally transforming identity security by enhancing the sophistication and accessibility of phishing and other cyber threats. These attacks are now more cost-effective and widespread, posing a significant challenge to traditional security measures. The dual nature of AI in cybersecurity—offering both advanced defenses and new vulnerabilities—demands a strategic approach to security. Organizations must continuously innovate and adapt their security strategies to stay ahead of AI-driven threats. This includes implementing robust protective mechanisms, leveraging AI to enhance security measures, and proactively managing new vulnerabilities. By staying vigilant and forward-thinking, vendors can effectively counter the evolving landscape of AI-powered attacks and safeguard identity security.
Q: How are cybercriminals using AI to get around security measures, and what can we do to stop them?
RR: Cybercriminals are leveraging AI to bypass security measures by enhancing the sophistication, affordability, and accessibility of credential attacks. To counter these threats, enterprises must adopt a strategic approach that balances robust security with a seamless user experience. This involves implementing advanced security controls, such as AI-driven threat detection and response systems, that can adapt to evolving attack patterns. Additionally, focusing on scalable, proactive defenses that address high-return attack vectors is crucial. By continuously innovating and integrating AI into their security strategies, organizations can stay ahead of cybercriminals and effectively mitigate AI-powered threats.
Q: Let’s discuss passwordless authentication: what are some of the perks of using passkeys for different login situations?
AS: Passkeys provide several advantages in authentication scenarios, including simplifying authentication processes, improving user experience, and providing a higher level of security. They provide a higher level of security than traditional passwords and can be used in various authentication scenarios, such as payment authorization and as a replacement for SMS-based authentication, which is often vulnerable to interception and fraud. Passkeys can significantly reduce the risk of credential-based attacks by reducing the use of passwords. Scenarios include business email compromise and call centers. By simplifying authentication processes and enhancing user experience, passkeys can help organizations improve their security posture and protect against evolving threats.
Q: How important is certification when it comes to adopting passkey technology?
AS: Certification is essential in the adoption of passkey technology as it ensures that the technology meets specific security standards and provides a higher level of security than traditional passwords. Using a certified solution ensures interoperability, security, and usability testing has been conducted, which means faster deployments and minimized risk. A certified passkey solution can be leveraged to build trust with users.
Q: What does the near term look like for passwordless authentication?
RR: Passkey technology is gaining recognition, with 50% of survey respondents familiar with the technology. Passwordless authentication offers numerous advantages, including improved security and a better user experience. Implementation challenges remain, but increased availability of resources can help organizations overcome these challenges and successfully adopt passwordless authentication.
Q: What steps can organizations take to start using passkey authentication?
RR: Organizations can get started with passkey authentication by evaluating their current authentication methods, promoting education and awareness about passkey benefits, and considering proof of concept or pilot programs. Providing resources and support for those seeking to adopt passkey authentication is also essential.
Q: What steps would you suggest for boosting identity security?
AS: There are several recommended action items to enhance identity security:
- Evaluate Current Authentication Methods: Determine the weakest links in authentication processes that require immediate improvement.
- Promote Education and Awareness: Raise awareness about the benefits of passkey authentication and educate employees and stakeholders on its advantages.
- Consider Proof of Concept or Pilot Programs: Assess providers for a proof of concept or pilot program to start implementing passkeys.
Q: What does the long-term outlook hold for identity security?
RR: As the cybersecurity landscape continues to evolve, organizations must remain vigilant of emerging threats by continuously adapting their security strategies. AI will be a significant factor in the future of identity security, but it must be complemented by robust deterministic controls and a focus on identity assurance. By combining traditional methods with AI-powered tools, organizations can enhance their security postures and safeguard against evolving threats.
Wrapping Up and Main Points to Remember
The need for a balanced approach to identity security has never been more critical. With the rapid rise in identity-theft cyberattacks, organizations must prioritize certification and passkey technology while addressing the growing demand for robust identity verification technologies. Consider this:
- In the past year alone, nearly 78% of organizations faced identity-related cyberattacks. Phishing (39%), identity impersonation (28%), and push notification attacks (26%) are now common tactics, with the latter becoming a hacker favorite.
- Alarmingly, 84% of organizations hit by a cyberattack experienced a breach, and 62% suffered multiple breaches. Credential misuse or authentication weaknesses were the root cause for over 91% of these breaches, highlighting a significant rise from the previous year.
- The financial impact is staggering, with authentication-related breaches costing an average of $5.48 million and identity fraud costing $2.78 million over the last 12 months.
Organizations must remain informed about the latest developments and technologies in identity security and adopt innovative solutions to address evolving threats.
By promoting education and awareness, evaluating current authentication methods, and considering proof of concept programs, organizations can navigate the complexities of identity security and safeguard their digital assets. Embracing these strategies not only enhances security but also streamlines operations and boosts user satisfaction.