2018 Predictions from Our CTO Office
At the end of each year, the CTO office here at Ping brims with excitement. Sure, the holidays and treats are wonderful, and we love guessing what's behind the gift wrap. But what excites us most is predicting what's to come next year with technology and identity trends. We've summed up 2017 and compiled a list of our top predictions, and we think 2018 is going to be big. Here's what you should expect...
Multi-factor authentication (MFA) has already been drastically enhanced with the addition of biometrics like fingerprint sensors in devices. But when Apple released their iPhone X with the included FaceID feature, facial biometrics got a lot of attention. Android is already planning to adopt it widely into their ecosystem next year.
The question is whether authentication with facial recognition will take off as wildly as fingerprint scanning did. This is up for debate in our CTO office, as questions of convenience and prevalence of the feature in the market are discussed. Either way, facial biometrics can't be ignored. Maybe our team needs to visit the Canadian tundra this winter to put Apple's new FaceID to the test after 30 minutes in below-zero temps. Responsiveness after frozen eyebrows and scarf-covered chins...that should help the debate come to some conclusions.
The gap between identity proofing and account recovery techniques looks like it's about to widen, even in the customer identity space. The reason is that there's a big difference between proofing a lack of relationship and verifying a persistent relationship. Tying a new digital relationship to a meatspace person is substantially different than simply knowing that the person who forgot their password is likely the same person who consistently uses your service.
But identity proofing techniques like "out of wallet" knowledge-based authentication (KBA) are dying. Why? Well, look at Equifax's breached "secret" database. Or think about the "mother's maiden name" KBA that everybody shares on Facebook. Better verification options like assertions from authorities (banks, the DMV, employers) and other strong relationships will take infrastructure efforts to become mainstream, but they have better fraud reduction potential than identity proofing methods that are quickly being squeezed out. To replace "out of wallet" experiences, we predict that services like "photograph your physical ID" will thrive.
Authentication, authorization and account recovery are becoming more interchangeable. These factors are shifting to one big set of contextual and continuous hoops that users have to jump through, with varying degrees of transparency. As an analogy, it's a bit like adding a Jacob's ladder to a tightrope walk, whereas today it's just a Jacob's ladder. In other words, users don't just need to climb up to the right height--they also need to not fall off. Analogy aside, interchangeable factors are making it more and more difficult for bad actors to get in, and we're getting closer to a zero-login reality.
Thanks to the Open Banking initiative, OpenID Connect (OIDC) and SAML are achieving a much stronger state of co-existence. The widespread adoption of OIDC isn't likely to be a scale-tipping move, but the two technologies will and should both operate for at least a decade to come. For now, this won't change the fact that SAML remains the right answer for enterprises. But as service providers and customer-focused platforms look at how to more efficiently serve customers down the road, the dual mobile/web nature of OIDC will win over SAML, changing the balance over time.
The rise of Initial Coin Offerings (ICOs) has popularized token systems, which are making their way into popular apps to manage resources between users. Also, the adoption of "wallets" is going up and we're witnessing digital services like Kin (coming to Kik Messenger) being integrated into apps and adopted by millions of cryptocurrency users. What's not making it into the headlines is that cryptocurrencies are based on blockchain technologies, and everyone with a "crypto wallet" has a blockchain identity. Identities are all based on public keys, and the wallets manage the private keys for them. Expect widespread adoption of blockchain (for other, identity-related uses, we predict), even though you may not hear the word.
As effective as MFA is at curbing opportunistic attacks, you unfortunately can't always stump a determined and persistent hacker. At some point, the writers of malicious scripts will catch up with the efforts we all make to keep them out. So, now that MFA has been a more normalized part of identity protection for some time, we should proactively watch for bad actors to start finding ways of harvesting MFA methods in addition to their favorite password-snatching scripts. The game of cat and mouse continues.
For our final prediction, we're really letting our inner geek show. You may not know what quantum computing is today, but we predict that you'll be much more familiar with the concept by the end of 2018. Quantum computing represents an event horizon where the cryptographic algorithms that underpin e-commerce and digital trust become easily breakable. We really don't want the era of quantum computing to arrive until we're very well prepared.
Expect to see post-quantum cryptography entering conversations in the geekiest circles as part of long-range business continuity plans. Approaches like "supersingular elliptic curve isogeny cryptography" or "symmetric key quantum resistance" will need to move from being just buzzwords to becoming approved algorithms, and then becoming implemented options. The question is just how long it will take.
We know this is a lot to think about, but as they say, that's the way the identity cookie crumbles. Fast pace, new technology, old threats becoming new--it's why we love this industry. If you're a security leader looking to keep pace or get ahead of these predictions, our Security Leader's Guide to MFA is a great start.
Here's to a safe, secure and exciting 2018.