With the new year underway, I thought it would be interesting to make some predictions about what will happen with web and mobile authentication in 2012. Here are five predictions for authentication trends in 2012 and even some specific security attacks that could occur this year.
1. BYOMD (bring your own mobile device) will spell big trouble for businesses in terms of data loss in 2012.
Employees and contractors are increasingly bringing their personal smartphones and tablets to work and using the devices for a blend of personal and business-related activities. 2012 will bring even more of this, and we'll see a few high-profile incidents of enterprise data loss resulting from allowing employees to connect their personal mobile devices to the company network without proper security controls in place.
The end result will be more businesses enforcing stricter authentication and security policies, particularly with regard to what information can be accessed, used and stored on mobile devices.
2. There will be a large data breach (reminiscent of the Sony online gaming breach of 2011) which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
In 2011 we saw several large data breaches including the Sony breach that leaked more than 100 million credentials online and the Gawker breach that leaked more than one million.
In both instances, the breaches caused a domino effect to spread across the web. Knowing that many people use the same username and password on multiple websites, fraudsters used the leaked credentials to access accounts on many other, unrelated websites. Sites like Amazon and LinkedIn had to force wide-scale password resets for their users, to prevent further fraud.
In 2012 we anticipate there will be another large scale security breach as a result of weak credentials and poor authentication standards on websites.
We anticipate that a dramatic increase in the number and severity of such data breaches will finally bring an end to the use of a single text password as the de facto standard for authentication on the web. Many popular sites such as LinkedIn, Amazon and Mint.com store large amounts of personal details and financial information, yet rely only on a static password for authentication.
2012 will be the year we finally see a large number of organizations in gaming, healthcare, education, retail and social networking start to adopt multiple layers of authentication and multifactor authentication to protect user accounts.
3. Targeted variations of Zeus-in-the-Mobile-style attacks will grow
In 2011 we saw new versions of the infamous Zeus malware being modified to specifically target smartphones for the purpose of intercepting the authentication text messages that banks send their customers (called a Zeus-in-the-mobile attack or Zitmo).
An increasing number of institutions are using SMS-based two-factor authentication, from financial institutions to Facebook. Because so few people install security software on their smartphones or tablets, cybercriminals know they can get their hands on lots of valuable information by infecting people's mobile devices with keyloggers and malware.
We anticipate that in 2012 Zeus-in-the-mobile attacks will increase both in the quantity of attacks and in the number of variations made to target different smartphones. Hackers will continue to aggressively pursue intercepting authentication text messages from banks, as well as other high-value mobile transactions. The increasing number of successful attacks in 2012 will cause financial institutions and other organizations to realize that SMS-based two-factor authentication is a "band-aid" and not a strong authentication solution.
Organizations seeking strong authentication will need to look for solutions that secure the second factor device itself and ensure that it is the legitimate user in possession of the second factor device, not someone who is using malware to intercept SMS text messages sent to the phone.
4. Smart devices enable smart authentication - image-based authentication, biometrics and more
The growing use of smartphones and tablets with touchscreens, cameras and sensors will enable significant growth of emerging new authentication techniques and technologies. Examples include graphical authentication techniques, image-based authentication, and pattern-based authentication, where users draw a particular pattern on a touchscreen. Biometric authentication such as face and voice recognition will also become more prevalent.
Expect triple-digit market growth for emerging authentication technologies in 2012. Such authentication techniques and technologies are more secure than the traditional methods of passwords and PINs, and are often much easier for users.
Many of these approaches were not practical or simply not possible for use on traditional PCs but lend themselves well to the touchscreens, cameras and sensors that are common in smartphones and tablets.
5. Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012
Mobile commerce and mobile payments have not taken off to the degree that many predicted, even though Internet-enabled mobile devices are now so widely proliferated that global sales of smartphones outpaced sales of PCs in 2011.
A major reason for slow growth in mobile retail and mobile payments is that the current authentication scheme, using text passwords to log in or approve transactions, is too cumbersome. Mobile users struggle to enter complex passwords on the tiny, soft keypads of smartphones and tablets (often having to toggle between multiple keypads to enter upper and lower case letters, numbers and symbols).
In fact, in a recent survey of smartphone users the majority (60 percent) said they wish there were an easier form of authentication for mobile apps. Retailers and payment providers understand that they are losing money due to user frustration with mobile authentication.
One poll showed that 84 percent of respondents said they have struggled with mobile transactions and nearly 25 percent specifically reported trouble with logins. 43 percent said a negative experience would cause them to abandon the mobile commerce transaction altogether.
Therefore, we expect retailers and providers of person-to-person mobile payment applications to lead the charge in 2012 by adopting new, more user-friendly and mobile-friendly authentication techniques (such as those mentioned in prediction number two) to help streamline purchases and increase security.