SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
The future of authentication: four trends to watch in 2023
Mon, 19th Dec 2022

In a year of economic uncertainty and geopolitical tensions, it should be no surprise that the digital landscape is fraught with cyberthreats. From widespread impersonation scams to increased SMS phishing in Australia, the frequency and severity of cyberattacks increased in 2022, which highlighted organisations’ authentication vulnerabilities across all industries.

Thus, as we turn the page to a new year, now is an opportune time to take stock of the cybersecurity lessons learned and prepare for the top authentication trends emerging in 2023 and beyond.

1. Not all MFA is created equal – and SMS OTPs just don’t cut it

In the last twelve months, there has been a massive uptick in hacker toolkits on the dark web, making bypassing SMS-based multi-factor authentication (MFA) cheap and trivial. Unsurprisingly, this correlates with both the rise in consumer usage we have seen and growing attack numbers. 2023 will be the year SMS one-time passwords (OTPs) are finally broadly recognized as unfit for purpose as a strong authentication method.

Ultimately, it boils down to one critical distinction – phishable and non-phishable credentials. A one-time password is a human-readable and shareable credential, meaning it can be phished and leveraged to take over accounts, just like passwords. SMS-based MFA has been an easy checkbox for security compliance, but that needs to change. While regulatory updates take longer than industry recognition, we will likely see attitudes shifting in the next year.

Furthermore, with Bank Negara Malaysia’s recent announcement to migrate from SMS OTPs, we can expect more organisations to follow in their footsteps and move toward more secure authentication methods. This includes implementing biometrics, facial recognition, or cryptographically secure possession-based, multi-factor authentication devices to enhance fraud prevention.
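
The phishable versus non-phishable distinction above, as an added example that is not part of the original article: the genuine site's verifier accepts a typed one-time code no matter which page the user entered it on, while a response signed over the origin is rejected when it was produced on a look-alike page. The origins, keys and function names are constructed for illustration; a TOTP code stands in for any code a user reads and types (SMS included), and HMAC with a per-device key stands in for the public-key signature a FIDO authenticator would produce.

```python
import hashlib, hmac, json, struct

GENUINE = "https://bank.example"          # constructed origins
LOOKALIKE = "https://bank-login.example"

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code (HMAC-SHA1); stands in for any code a user reads and types."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    # The verifier receives digits only; nothing records where they were typed.
    return hmac.compare_digest(totp(secret, t), submitted)

def sign_assertion(device_key: bytes, challenge: bytes, origin: str):
    """Authenticator side: sign the challenge together with the origin the browser reports."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    # Assumption: HMAC models the public-key signature of a FIDO authenticator.
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()

def verify_assertion(device_key, challenge, client_data, sig, expected_origin=GENUINE):
    """Server side: check the signature, then the challenge and origin it covers."""
    good = hmac.new(device_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(good, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge.hex() and data["origin"] == expected_origin

def compare_factors(user_is_on: str) -> dict:
    """What the genuine site's verifier decides when the user authenticated on `user_is_on`."""
    seed, key = b"constructed-otp-seed", b"constructed-device-key"
    now = 1_700_000_000
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    code = totp(seed, now)  # the same digits, whichever page they are typed into
    client_data, sig = sign_assertion(key, challenge, user_is_on)
    return {"otp": verify_otp(seed, code, now),
            "origin_bound": verify_assertion(key, challenge, client_data, sig)}

if __name__ == "__main__":
    print(GENUINE, compare_factors(GENUINE))
    print(LOOKALIKE, compare_factors(LOOKALIKE))
```
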

2. Ramping up adoption of passwordless authentication in the banking sector

According to a recent report by KPMG, Australia is now ranked sixth in global fintech rankings. In recent years, multiple digital banks have sprouted, and tap-and-go payments have skyrocketed to 82% across the region. However, this growth has caught the attention of cybercriminals, who are increasingly targeting the lucrative financial services industry with sophisticated cyberattacks. With the region's burgeoning demand and preference for digital payments, industry players must strengthen and secure their cybersecurity in the digital payment landscape.

While financial institutions and regulators are doing what they can to keep up, cyberthreats are ever-evolving. To protect consumers from fraudsters, I anticipate more organisations will rethink their cybersecurity strategies and secure their digital channels through multi-factor passwordless authentication. Not only would this ensure a robust cybersecurity system, but it would also provide a seamless consumer experience.

3. The metaverse is growing in importance – and needs to be secured

Dubbed the ‘next generation of the Internet,’ the metaverse is one of the hottest buzzwords of 2022. With the market estimated to be worth US$800 billion by 2024, Australian businesses are vying for a piece of the virtual pie. This, however, would also mean that we will start seeing this lucrative and sensitive space become a growing target for hackers, with questions about how accounts are created and verified. As a result, MFA will also become a stronger imperative as attacks increase in volume and sophistication.

To better safeguard the security of this immersive, hyper-realistic virtual world, there is a pressing need for a universal standard for authentication in the metaverse. In 2023, organisations and authorities should begin working together to establish these standards for users and businesses to adhere to.

4. ID verification goes mainstream

The conversation around Twitter Blue rapidly brought identity verification into the mainstream vernacular. After all, how many of us have thought much about our identity on social media before? However, as high-value services increasingly move online in 2023 – from banking applications to government services – demand is also rising for more robust verification solutions to validate user identities remotely.

These identity services coming to fruition will bring questions of usability, security and interoperability to the fore. Users need to get a consistent experience and feel reassured that identity services are handling their data diligently. Many government entities are already looking to existing standards, like FIDO, and business models like delegated authentication will grow. This means trusted providers can verify necessary information about users, such as date of birth and country of residence, without users needing to hand over mounds of sensitive data to third parties.

Our current global environment is testing resiliency. As industries and businesses continue to transform digitally, new cyber risks will continue to emerge in 2023. With user authentication as cybersecurity’s first line of defence, it is critical for organisations to reassess their authentication technologies, keeping these four trends in mind.