Here we are again: the beginning of a brand new year. Brimming with possibility, it’s the perfect time to reflect, evaluate, and plan.
Everyone here at 1Password is looking ahead — including our Security team. As you can imagine, they have a few thoughts and predictions for the coming year. Maybe you want to know what to watch for as you and your family live and work on the internet. Perhaps your company is budgeting for security and you wonder where funds are best spent. Whatever you’re planning for, information is key.
From (more) passkeys to increasingly sophisticated hacking techniques, there’s a lot in store for 2024. Let’s dive in.
Don’t believe what you see
As AI continues to permeate our lives, the use of deepfakes will grow rapidly in both targeted social engineering attacks and broader attempts to influence public opinion. While AI-generated audio, photos, and video are still far from perfect, they’re good enough to trick most people — and improving rapidly.
Your employees are the targets
While the human element of security is always critical, attacks on businesses are focused on people rather than systems, now more than ever. Social engineering is becoming more sophisticated, effective, coercive, and sometimes even threatening.
Passkeys, passkeys, passkeys
The effort to kill passwords has been in motion for decades. This year we’ll see passwords relegated to a second-class experience (though far from dead) as passkeys continue to gain traction quickly, providing a better user experience and increased security versus traditional passwords.
As we’ve covered in the past, passkeys are highly phishing-resistant. As adoption increases, we’ll see a decrease in phishing sites that have been set up to harvest credentials. Instead, we expect more investment in sophisticated targeted attacks — specifically, getting on users’ computers to steal local and session data from web browsers. The balance will slowly shift from large-scale, wide-net attacks to more targeted social engineering.
It’s about the money
Attacks focused on profit will continue to multiply as threats become even more sophisticated and flexible, and attackers take full advantage of the latest technologies to improve their efficiency. The line between criminal organizations and state-sponsored groups will continue to blur, and attribution will become ever more difficult.
We can look at 2023 as just a preview of what the future will hold. These groups will only improve, becoming more professional and dedicated. The days of a loose collective looking for quick profit are gone as attacks are dominated by more professional organizations.
Quantum computers aren’t a threat — yet
It’s important to develop and refine plans to adjust your systems to threats posed by quantum computers, like plans to implement post-quantum cryptography. But we’re still years away from a quantum computer that may be useful, much less pose a threat to systems that are in use today. That said, now is the time to plan, prepare, update threat models, and reevaluate security controls.
With that in mind, NIST announced the winners of their post-quantum cryptography contest, and defined draft standards for two post-quantum secure digital signatures and one post-quantum key exchange mechanism — an important milestone.
The wider cryptographic community seems to agree the algorithms are worth standardizing, which means early movers will likely adopt post-quantum algorithms in their stack. In fact, Signal messenger is trialing the CRYSTALS-Kyber key encapsulation mechanism that NIST selected.
The bottom line: Preparation is key
If there’s an overarching trend for 2024, it just might be: Prepare now. Whether that means adopting passkeys, educating your team, or experimenting with post-quantum algorithms, progress in 2024 means less cause for worry down the road.
A special thank you to the 1Password Security team members who contributed to this article:
- Adam Caudill – Security Architect
- Rick van Galen – Team Lead, Product Security