As the co-founder of Transmit Security, I’ve been immersed in customer identity and access management (CIAM) since before it was recognized as a set of use cases. We began by developing identity orchestration that is used by dozens of the world’s largest banks to both improve their customers’ digital experiences and reduce fraud risk. This is where we first encountered FIDO-based passwordless authentication, and why we joined the FIDO Alliance as a board member. Along the way, we’ve seen our customers’ needs evolve considerably.
The demand for CIAM solutions is skyrocketing. This is driven by the pandemic-fuelled growth in digital services and the corresponding growth in cybercrime targeting consumers, citizens, and patients.
In this article, I’ll share four trends that I’m seeing based on my conversations with our customers both in the banking sector and in others such as insurance, retail, commerce, and hospitality.
1. CIAM is going passwordless
More than 80% of all cyber attacks are due to compromised accounts and passwords (Verizon). Everything we read about that involves cyber attacks has to do with passwords. By addressing the problem of passwords, organizations are able to address 80% of the cyber security problems they face.
Given how weak and cumbersome password-based authentication is, the rise of passwordless authentication has been a growing trend for the last few years. However, the passwordless trend is now moving from the hype stage into the implementation stage. Gartner projects that 50% of all companies will kick off a passwordless initiative within the next 2 to 3 years. Big players such as Microsoft announced in March 2021 that users would be able to sign in to their accounts with just a look or a tap. Apple also joined the shift to passwordless authentication by previewing a new feature called “Passkeys in iCloud Keychain.” The feature enables users to log in using Face ID, Touch ID or a security key instead of a password. The passkeys are then synced across all the user’s Apple devices using iCloud.
The adoption of passwordless authentication by the tech giants is another sign of the growing momentum behind ditching passwords. That is why I expect passwordless authentication to become the new standard in customer authentication across all industries in 2022.
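To make concrete why passwordless, FIDO-style login removes the password problem described above, here is an added example that is not code from the original article, from Transmit Security or from the FIDO Alliance. It is a deliberately simplified model of the challenge/response pattern (not the WebAuthn wire format): the relying party stores only public keys, each login signs a fresh random challenge, and the signed message is bound to the origin, so a leaked user store, a captured response, or a look-alike site yields nothing usable. The names (`bank.example`, `RelyingParty`, `Authenticator`, `LoginFlow`) are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Illustrative, constructed model of FIDO-style passwordless login.
// Not a real library and not the WebAuthn message format.

// Authenticator holds the private key; it is scoped to one relying party ID.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// RelyingParty is the server: its ID (origin) and user -> public key only.
type RelyingParty struct {
	id    string
	creds map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, creds: map[string]*ecdsa.PublicKey{}}
}

// Register creates a key pair on the authenticator; the RP receives only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[user] = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: rp.id}, nil
}

// NewChallenge returns 32 fresh random bytes; one per login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // a crypto/rand failure is unrecoverable
	}
	return c
}

// signedMessage binds the challenge to the origin so a response for one site
// is not valid for another.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is what the authenticator does with the origin the browser reports.
// Like a real authenticator it refuses origins the credential is not scoped to.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("credential is scoped to " + a.rpID + ", not " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
}

// Verify checks the response against the stored public key and the challenge
// this RP issued for the current attempt.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.id, challenge), sig)
}

// LoginFlow runs one login, then replays the same response against a fresh
// challenge. It returns (loginOK, replayOK).
func LoginFlow(rp *RelyingParty, auth *Authenticator, user string) (bool, bool, error) {
	c1 := rp.NewChallenge()
	sig, err := auth.Sign(rp.id, c1)
	if err != nil {
		return false, false, err
	}
	first := rp.Verify(user, c1, sig)
	replay := rp.Verify(user, rp.NewChallenge(), sig) // same response, new challenge
	return first, replay, nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	auth, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	ok, replay, _ := LoginFlow(rp, auth, "alice")
	fmt.Println("login:", ok, "replay:", replay)
	_, err = auth.Sign("bank-login.example", rp.NewChallenge())
	fmt.Println("look-alike origin:", err)
}
```

The two properties worth noticing are that `rp.creds` contains nothing an attacker could log in with, which is the difference from a password hash store, and that `Verify` is tied to the specific challenge issued for that attempt, so a captured response is worthless a second time.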
2. An increase in stronger account recovery options
Account recovery is often referred to as the weakest link in authentication. Today, most recovery falls back on either email recovery or call center recovery — both highly susceptible to attack and usually the first port of entry for an attacker. Having an airtight authentication process means nothing if you can’t securely recover an account.
As more experiences turn digital, organizations need to rely on identity verification to establish trust in account opening and authentication. In 2022 there will be an increase in fallback recovery options that are more secure in order to establish a deeper sense of trust with customers. Verifying customers and establishing trust with an official government ID, for example, is much harder to fake and therefore deters cybercriminals from attacking.
3. Upgraded ATO prevention solutions
Account takeover (ATO) attacks are on the rise. 2021 saw a surge in large-scale supply chain and critical infrastructure attacks that all began with cracked or stolen credentials being used to take over a valid account. With the correct username and password, attackers slip past “security” (a traditional login), appearing to be a legitimate user. From the inside, they’re able to escalate privileges, probe for vulnerabilities, plant backdoors and encrypt data.
Much has changed over the last few years in terms of ATO detection technologies. Modern browsers block some of the techniques vendors use to detect attacks, and attackers have found ways around many of the detection techniques organizations rely on. A new generation of ATO detection solutions is needed to address this growing problem.
2022 will see a new generation of modern and effective ATO prevention solutions that work side by side with passwordless authentication, feeding risk signals into dynamic authentication journeys so that organizations can mitigate risk as it appears.
4. A new generation of Identity Store and Administrative services
Lightweight Directory Access Protocol (LDAP) was invented almost 30 years ago, in 1993, and Active Directory was first introduced 22 years ago, in 1999. This was long before we had rich applications with tens of millions of users, privacy regulations and massive attacks aimed at stealing personal information. These technologies have not changed much over the past 20 to 30 years and are barely relevant anymore. They’re centralized, unprotected by design and have no sense of privacy or end-user control.
In 2022 we’ll start to see new user store architectures that take into consideration concepts such as decentralization, user control and consent, strong protection of personally identifiable information (PII) and dynamic access control.