With the new year underway, I thought it would be interesting to make some predictions about what will happen with web and mobile authentication in 2012. Here are five predictions for authentication trends in 2012 and even some specific security attacks that could occur this year.
1. BYOMD (bring your own mobile device) will spell big trouble for businesses in terms of data loss in 2012.
Employees and contractors are increasingly bringing their personal smartphones and tablets to work and using the devices for a blend of personal and business-related activities. 2012 will bring even more of this, and we'll see a few high-profile incidents of enterprise data loss resulting from allowing employees to connect their personal mobile devices to the company network without proper security protocols in place. The end result will be more businesses enforcing stricter authentication and security policies, particularly with regard to what information can be accessed, used and stored on mobile devices.
2. There will be a large data breach (reminiscent of the Sony online gaming breach of 2011) which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
In 2011 we saw several large data breaches, including the Sony breach that leaked more than 100 million credentials online and the Gawker breach that leaked more than one million. In both instances, the breaches caused a domino effect to spread across the web. Knowing that many people use the same username and password on multiple websites, fraudsters used the leaked credentials to access accounts on many other, unrelated websites. Sites like Amazon and LinkedIn had to force wide-scale password resets for their users to prevent further fraud.
In 2012 we anticipate there will be another large-scale security breach as a result of weak credentials and poor authentication standards on websites. We anticipate that a dramatic increase in the number and severity of such data breaches will finally bring an end to the use of a single text password as the de facto standard for authentication on the web. Many popular sites such as LinkedIn, Amazon and Mint.com store large amounts of personal details and financial information, yet rely only on a static password for authentication. 2012 will be the year we finally see a large number of organizations in gaming, healthcare, education, retail and social networking start to adopt multiple layers of authentication and multifactor authentication to protect user accounts.
3. Targeted Variations of Zeus-in-the-Mobile style attacks will grow
In 2011 we saw new versions of the infamous Zeus malware being modified to specifically target smartphones for the purpose of intercepting the authentication text messages that banks send their customers (called a Zeus-in-the-mobile attack, or Zitmo). An increasing number of institutions are using SMS-based two-factor authentication, from financial institutions to Facebook. Because so few people install security software on their smartphones or tablets, cybercriminals know they can get their hands on lots of valuable information by infecting people's mobile devices with keyloggers and malware. We anticipate that in 2012 Zeus-in-the-mobile attacks will increase both in the quantity of attacks and in the number of variations made to target different smartphones. Hackers will continue to aggressively pursue the interception of authentication text messages from banks, as well as other high-value mobile transactions. The increasing number of successful attacks in 2012 will cause financial institutions and other organizations to realize that SMS-based two-factor authentication is a "band-aid" and not a strong authentication solution. Organizations seeking strong authentication will need to look for solutions that secure the second-factor device itself and ensure that it is the legitimate user who is in possession of the second-factor device, not someone who is using malware to intercept SMS text messages sent to the phone.
4. Smart devices enable smart authentication - image-based authentication, biometrics and more
The growing use of smartphones and tablets with touchscreens, cameras and sensors will enable significant growth of emerging new authentication techniques and technologies. Examples include graphical authentication techniques, image-based authentication, and pattern-based authentication, where users draw a particular pattern on a touchscreen. Biometric authentication such as face and voice recognition will also become more prevalent. Expect triple-digit market growth for emerging authentication technologies in 2012. Such authentication techniques and technologies are more secure than the traditional methods of passwords and PINs, and are often much easier for users. Many of these approaches were not practical, or simply not possible, on traditional PCs, but they lend themselves well to the touchscreens, cameras and sensors that are common in smartphones and tablets.