As we commence 2023 and look forward to the year ahead, I find myself being asked to make predictions about the major trends to look out for. In previous years I have made the bold proclamation that finally this year will be the last for passwords. Lo and behold, 12 months go by and we are still talking about major data breaches caused by poor password management and the same ‘weak’ passwords being reused. We also talk about the need to shift to multi-factor authentication (MFA), but sadly many who do venture down this path continue their reliance on passwords and do not enjoy the protections that true passwordless MFA affords.
I have repeated the phrase on many occasions regarding those who fail to relinquish their dependence on passwords: insanity is doing the same thing over and over and expecting different results. However, each year I have said the same thing and eagerly anticipated a different outcome!
What I can say with absolute confidence is that the need for the right MFA is only going to grow stronger as attacks (specifically phishing) intensify. By the right MFA, I mean two or more factors (a combination of something you know such as a PIN, phrase or one-time code; something you have, such as a mobile device or hard token; and something you are, be it a fingerprint or other form of biometric), but not a password. The number and type of factors will very much depend on what needs to be secured.
There are some strong early indicators that organisations are recognising that the shift to MFA must come soon. It was reported at the start of January 2023 that one out of every two senior security and IT executives consider becoming more phishing resistant to be the top cybersecurity priority this year.
This concern is well founded, with phishing prevalent in every form: simple mass email attacks, targeted ‘spear’ phishing and voice phishing. The number of phishing attacks increased by 61% from 2021 to 2022, with a massive 255 million recorded last year, and every indication points to the upward trend continuing, given the ease with which such attacks can be carried out and their effectiveness.
A challenge to becoming more phishing resistant has been the lack of a recognised standard. However, this is changing, and I would encourage everyone to take a look at Federal Information Processing Standards Publication 201-3, published this time last year, which announced the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors in the U.S. This document provides pragmatic guidance for any organisation, regardless of geographic location, on how to select the right authentication assurance level for the information being protected, from passwords through to PKI.
There is no such thing as being 100% secure, but you can be more resistant. The first step is to consider what you are protecting and what would work in your environment, and then to select the level of authentication that fits your needs, whether that means beginning with a Password Security Management System, implementing passwordless MFA, or adopting the highest levels of PKI protection.
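The property that separates the PKI end of that scale from a password plus a one-time code is worth seeing concretely. The following is an added illustration, not code from the original article, FIPS 201-3 or any PIV implementation: it models a hardware token that answers a login challenge by authenticating a message covering both a fresh nonce and the identity of the service the user's client is actually connected to. The service names, the user "alice", the `Challenge`, `Verifier` and `Authenticator` classes and the `demo()` function are all constructed for the example, and an HMAC over a shared enrolled key stands in for the private-key signature a PIV card would produce (the binding argument is the same; only the primitive differs). The contrast function shows why a bare one-time code, although a genuine second factor, carries no such binding.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _bound_assertion(key: bytes, verifier_id: str, nonce: bytes) -> bytes:
    # Stand-in for a private-key signature (assumption for this example).
    # The authenticated message covers BOTH the verifier's identity and the
    # fresh nonce, so the result is only valid at that verifier. A PIV card
    # would sign this with its private key and the verifier would check it
    # against the public key in the card's certificate.
    return hmac.new(key, verifier_id.encode() + b"\x00" + nonce, hashlib.sha256).digest()


@dataclass(frozen=True)
class Challenge:
    verifier_id: str   # constructed: the issuing service's DNS-style name
    nonce: bytes       # fresh random value, single use


class Verifier:
    """The service being logged into. Keeps one pending challenge per user."""

    def __init__(self, verifier_id: str, enrolled_keys: dict):
        self.verifier_id = verifier_id
        self._keys = enrolled_keys          # user -> enrolled key (stand-in for a certificate)
        self._pending = {}

    def issue_challenge(self, user: str) -> Challenge:
        ch = Challenge(self.verifier_id, secrets.token_bytes(32))
        self._pending[user] = ch
        return ch

    def verify(self, user: str, assertion: bytes) -> bool:
        ch = self._pending.pop(user, None)   # single use: a replay finds nothing pending
        key = self._keys.get(user)
        if ch is None or key is None:
            return False
        expected = _bound_assertion(key, ch.verifier_id, ch.nonce)
        return hmac.compare_digest(expected, assertion)


class Authenticator:
    """The user's hardware token. It authenticates over the identity of the
    party the client is actually connected to (supplied by the client), never
    over whatever name the challenge itself claims."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, connected_to: str, challenge: Challenge) -> bytes:
        return _bound_assertion(self._key, connected_to, challenge.nonce)


def login(verifier: Verifier, authenticator: Authenticator, user: str, connected_to: str) -> bool:
    """One complete exchange. `connected_to` is the host the client believes it
    is talking to; in a genuine login it equals verifier.verifier_id."""
    ch = verifier.issue_challenge(user)
    return verifier.verify(user, authenticator.respond(connected_to, ch))


def otp_style_check(expected_code: str, presented_code: str) -> bool:
    """Contrast: a one-time code is checked on its value alone. Nothing in the
    check depends on where the user typed it, which is why it adds a factor
    without adding phishing resistance."""
    return hmac.compare_digest(expected_code, presented_code)


def demo() -> dict:
    key = secrets.token_bytes(32)                          # constructed: alice's enrolled key
    svc = Verifier("login.example.test", {"alice": key})   # constructed service name
    token = Authenticator(key)

    # Replay check: a genuine assertion presented a second time must fail.
    ch = svc.issue_challenge("alice")
    assertion = token.respond("login.example.test", ch)
    first, second = svc.verify("alice", assertion), svc.verify("alice", assertion)

    return {
        # Genuine login: the client is connected to the real service.
        "genuine": login(svc, token, "alice", "login.example.test"),
        # Same user, same token, but the client is connected to a lookalike host;
        # the assertion is bound to that name and the real service rejects it.
        "lookalike_host": login(svc, token, "alice", "login-example.test"),
        "replay_rejected": first and not second,
        # A one-time code checks out wherever it was entered: no binding at all.
        "otp_unbound": otp_style_check("492817", "492817"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The design point is that the authenticator never trusts the challenge's own claim about who issued it; the binding comes from the client's knowledge of the connected peer, and the verifier checks the assertion against its own identity. That is the property to look for, under whatever name a product gives it, when deciding whether an MFA option is actually phishing resistant.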
Make 2023 the year you take a fresh approach to authentication, for a different and better result.