The key role authentication plays in securing digital identities

Digital identities grant us access to various services and resources in the online world. They define what we can do, where we can go and what we can access. Our identities are no longer confined to physical documents that our parents or grandparents were accustomed to. Whilst this has provided many conveniences, it has also provided cyber criminals with more valuable information to compromise.

Just as technology and cybersecurity measures have evolved over time, so have the tactics cyber criminals use. We have all seen the cliché with teams of hackers in Hollywood movies breaking into sensitive networks. In reality, it’s a lot less sophisticated than that, but the fact of the matter is that cyber criminals don’t break in, they log in; which means protecting our digital identities becomes increasingly critical.

The degree of trustworthiness and security associated with digital identities varies, reflecting their value. Consider, for instance, the potential ramifications of a compromised identity. From financial fraud and data breaches to identity theft and extortion, the stakes are high and the implications are far-reaching. To stay secure from sophisticated threats like phishing and ransomware, it’s essential to understand the various authentication methods and their vulnerabilities; including the urgent need for a paradigm shift towards modern, phishing-resistant multi-factor authentication (MFA) tools for organisations and individuals alike.

Authentication, the process of confirming one's identity, has emerged as the linchpin of digital security and a significant factor in safeguarding digital identities. However, legacy authentication options such as traditional usernames and passwords and even SMS-based one-time passcodes (OTPs) are no longer an option to stay secure.

The increasing sophistication of cyber criminals has birthed a plethora of threats to digital identities: phishing, vishing, pharming and other deceptive tactics targeting users' credentials and personal data.

Regardless of their size or sector, enterprises remain alarmingly susceptible to cyber attacks due to outdated authentication practices. Our Global State of Authentication Survey 2022 found that over half of ANZ employees rely on insecure authentication methods. Meanwhile, the market intelligence report, conducted by S&P Global Market Intelligence, identified that 59 per cent of enterprises reported experiencing a data breach last year, and 91 per cent still rely on usernames and passwords as their main form of authentication.

Traditional authentication methods like OTPs or mobile authenticator apps, while providing an extra layer of security, are not infallible. These methods can still be susceptible to phishing attacks. To combat this, a more robust solution is needed. The Fast Identity Online (FIDO) Alliance's standards provide a compelling approach to modern authentication.

The FIDO Alliance’s flagship standard, FIDO2, represents a revolutionary shift in authentication. The modern, phishing-resistant multi-factor authentication (MFA) protocols it leverages prioritise high security without sacrificing usability. A great example of a phishing-resistant MFA solution that leverages FIDO2 and WebAuthn protocols are passkeys and in particular hardware security keys, which store passkeys within a physical device.

The corporate world is poised to benefit immensely from adopting FIDO2 authentication. The concept of establishing trusted identities gains renewed importance in this context. Authentication hygiene becomes the cornerstone of the Zero Trust model, ensuring that access is granted only to those who can unequivocally prove their identity.

Enterprises must urgently reevaluate their authentication strategies. The prevalence of cyber threats demands the implementation of modern, phishing-resistant MFA. The pivotal role of MFA in safeguarding digital identities is underscored by its inclusion in Australia's Critical Infrastructure Act, encompassing a wider range of industries and imposing stringent reporting requirements. Additionally, the Australian Cyber Security Strategy 2023-2030 aims to address these challenges through proactive measures and industry consultation.

The Essential Eight, a set of cybersecurity guidelines, advises organisations to upgrade their authentication practices. Multi-factor authentication, when classified as phishing-resistant, is central to this advice. It aligns with the recommendations of the Five Eyes Alliance, which Australia is part of, reinforcing its significance across international cybersecurity discourse.

Transitioning to modern MFA should not come at the cost of user convenience. Identity management hygiene is essential to strike the right balance. While the path of least resistance may be tempting, it often compromises security. Users must recognise the intrinsic value of their digital identities and actively participate in protecting them. Phishing-resistant authentication methods are not futuristic concepts but accessible tools available today.

Embracing security keys, like the YubiKey, as a modern authentication solution is essential. Security keys provide robust phishing-resistant authentication that fortifies organisations against data breaches and compromised credentials.

Even in the event of future phishing attempts, security keys ensure that cybercriminals cannot steal valuable data. The key to securing digital identities lies in the hands of organisations willing to transition to modern, phishing-resistant multi-factor authentication. By doing so, they protect their assets and empower users to navigate the digital world securely with confidence.