The security landscape is always evolving. This can make predicting what’s going to happen next complicated, but no less necessary.
Part of our security team’s job is to keep an eye on the security landscape so that we can be flexible as changes need to be made. As part of that, we’ve asked them to share some of their security-related predictions for 2023.
1. Passkeys are going to achieve critical mass in 2023
People have been talking about the end of passwords for more than a decade at this point, but for once, they might actually be right. With the introduction of passkeys there is now an accessible password replacement option that is strong and secure.
Passkeys are digital credentials that let you sign in to apps and websites without using a password. And in 2022, passkeys finally worked their way into mainstream awareness – which is the first step towards reaching mass adoption. Not only do people now know about passkeys – and the passwordless future they promise – but there’s even a passkey directory letting people know which websites already support passkeys for authentication.
Passkey support is actively being integrated in iOS, Android, and Windows – making it more accessible for everyone. Now it’s up to enterprises to lead the charge in enabling the shift to passwordless to finally take place – something we think will happen in 2023. Enterprise businesses need to start supporting passkey authentication on their websites and apps if they don’t want to get left behind.
“In the year ahead, hackers will continue to take advantage of people’s psychological weaknesses, preying on vulnerabilities like false urgency, greed, curiosity, and authoritative figures. But we expect passkeys to reach a critical mass in 2023, which will reduce everyone’s attack surface level and combat other forms of human error.” – Steve Won, CPO of 1Password
As a business built around making passwords easy to use, you might think we’d be worried about this prediction – but we couldn’t be more excited! In 2022, we shared a glimpse of what passkeys will look like in 1Password, and announced that this functionality will be available to every 1Password customer in early 2023.
2. Cyber crime is going to mature in remote working organizations
The COVID-19 pandemic forced many workplaces to rush into remote working in 2020. Since then, there’s been a steady increase in cyber security attacks on both office workers and remote workers. Now that remote work has become the norm for many, those attacks have had time to mature into ones tailored to people who work remotely.
Specifically, we’re expecting to see a bigger focus on impersonation attacks which take advantage of social engineering and the fact that many remote workers have never seen or spoken to many of their co-workers. But never having met or spoken to a co-worker isn’t even necessary for social engineering scams to be successful.
A common version of this scam is CEO fraud. In this type of scam an attacker will pose as the company CEO in an email and ask an employee to transfer money to an account they control, or request sensitive personal or business information. To learn more about CEO fraud and how to protect your business from these types of attacks, read our blog post on the topic.
Businesses should start preparing their workforces for these threats, if they’re not already. The first step is to adopt and roll out a password manager like 1Password. With 82% of vulnerabilities linked to a human element it’s important for businesses to secure their business by securing their workforce.
3. It’s time to create a post-quantum cryptography strategy
Time to pull out the virtual planner because we predict that the National Institute of Standards and Technology (NIST) standardization will get to the point where if you need a quantum crypto strategy, you can start making one.
Post-quantum cryptography is about creating security systems that protect against both classical and quantum computers while working within existing communications networks and protocols.
With developments in the NIST standardization of cryptography, forward-looking organizations can start to develop plans for adopting post-quantum cryptography. It’s important to remember that post-quantum cryptography algorithms are not going to be drop-in replacements for classical cryptography, as each has different trade-offs in terms of efficiency for a particular usage scenario and what it protects against.
In preparation for this shift, start looking at areas where you can use cryptography to achieve long-term security, and start working out which trade-offs of the proposed algorithms can work for you.
This is about preparing for the finalization of the standard and the wider adoption of post-quantum cryptography in the coming years, and about being on the cutting edge.
While there are no algorithms to select right now, we are expecting the first ones to be proposed in 2023. So you can start developing your organization’s strategy in 2023, while considering an appropriate degree of “cryptographic agility” – the ability to introduce new versions of cryptography in your systems. This will make it easier to update your cryptography to post-quantum in the future.
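One way to build in the cryptographic agility described above is to tag every protected record with an algorithm identifier, so a new algorithm can be introduced and the old one retired without a flag day. The sketch below is an added example, not 1Password's code; the class name, the algorithm ids and the two HMAC variants (stand-ins for a classical algorithm and its eventual replacement) are assumptions for illustration.

```python
import hashlib
import hmac

# Algorithm ids are constructed for this example. The two HMAC variants stand
# in for "classical" and "replacement" algorithms; a standardized post-quantum
# scheme would be registered the same way.
ALGORITHMS = {1: "sha256", 2: "sha3_256"}


class AgileMac:
    """Authenticates messages as: 1-byte algorithm id || tag || message."""

    def __init__(self, keys, current, accepted):
        self.keys = keys                # algorithm id -> key (one key per algorithm)
        self.current = current          # algorithm used for newly protected data
        self.accepted = set(accepted)   # algorithms still honoured on verify

    def _tag(self, alg, msg):
        # The id is part of the MAC input, so it cannot be swapped afterwards.
        return hmac.digest(self.keys[alg], bytes([alg]) + msg, ALGORITHMS[alg])

    def protect(self, msg):
        return bytes([self.current]) + self._tag(self.current, msg) + msg

    def verify(self, blob):
        alg = blob[0] if blob else None
        if alg not in self.accepted or alg not in ALGORITHMS:
            raise ValueError(f"algorithm {alg!r} is not accepted")
        size = hashlib.new(ALGORITHMS[alg]).digest_size
        tag, msg = blob[1:1 + size], blob[1 + size:]
        if not hmac.compare_digest(tag, self._tag(alg, msg)):
            raise ValueError("authentication failed")
        return msg


def migration_demo():
    keys = {1: b"A" * 32, 2: b"B" * 32}             # constructed sample keys
    legacy = AgileMac(keys, 1, {1}).protect(b"record-1")
    transition = AgileMac(keys, 2, {1, 2})           # issue new, accept both
    fresh = transition.protect(b"record-2")
    final = AgileMac(keys, 2, {2})                   # old algorithm retired
    try:
        final.verify(legacy)
        legacy_still_valid = True
    except ValueError:
        legacy_still_valid = False
    return transition.verify(legacy), fresh[0], final.verify(fresh), legacy_still_valid
```

The accepted set is the policy lever: records written under the old algorithm keep verifying during the transition and are refused once it is retired, which is the point at which anything not yet re-protected surfaces.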
“To cover potential risks stemming from the continued growth of quantum computing, organizations should think about what cryptography they employ and what it’ll take to make those uses post-quantum secure. As standardization occurs, organizations will be able to begin taking these important steps in 2023.” – Rick Van Galen, senior security engineer at 1Password and former ethical hacker
4. People will expect and demand data privacy by default
The purpose of strong security is to keep your information – whether that’s business secrets, customer data, or your personal information – private.
Customer awareness about data privacy – or in many cases, their lack of data privacy – has increased over the past few years. A growing group of people are calling on the companies that make their devices, apps, and online services to better protect and respect their personal information. As we go through this year, we’ll start to see data privacy as a bare minimum requirement, rather than as a differentiating feature.
“In 2023, it’s going to be a requirement for companies versus an active choice. From Apple’s recent announcement on their new encrypted iCloud backup option, to Twitter’s plan for encryption of direct messages, we’re already seeing encryption and privacy by default becoming the norm. While some companies think that focusing on customer privacy means leaving money on the table – long-term trust with users will outweigh any short-term monetization.” – Jeff Shiner, CEO of 1Password
No-one can predict the future
These predictions are based on our security team’s current perspective and understanding of the security landscape. But keep in mind, they’re just predictions – none of us have a crystal ball! We’re excited to see what the future holds, and what exciting developments will actually rise up and make an impact on our daily lives.