It’s 2023—do you know what your identity is doing? As the adoption of digital channels continues to be matched by corresponding levels of fraud, the ability to achieve digital identity verification will take on new urgency in the coming year. At least, let’s hope so.
According to Javelin Strategy & Research, fraud costs consumers and businesses $52 billion per year in just the US. Worldwide, the figure could be as high as $5 trillion. Account takeovers (ATOs) and account origination fraud increasingly play a role in these losses.
Thanks to never-ending credentials harvesting attacks and data breaches, fraudsters pilfered more than $11.4 billion through ATOs last year, a 90% increase over 2020. When account hijackings lead to yet another breach, the average additional cost to US-based organizations now tops $9.44 million per incident, though it can go much higher.
Meanwhile, account origination fraud has emerged as a top attack vector. In these scams, fraudsters use stolen or synthetic identities to open new banking, credit card, or retail accounts. According to Forbes, that could spell $5 billion in losses by 2024. With all of this in mind, here are six things to watch for in the year ahead.
1. US Regulators Require Tech Giants to Adopt Non-Proprietary Identities
With the Improving Digital Identity Act nearing passage and federal government agencies accelerating the transition to Kantara-certified NIST-800-63-3, FIDO2, and certified biometrics-certified digital identity verification systems, look for regulators to begin formalizing similar requirements for US businesses.
In 2023, measures will likely require US tech giants to adopt non-proprietary verified digital identities that protect against fraud and allow individual consumers to control what personal information they share with organizations they do business with online.
Modern digital identity technologies enable identity to be verified without storing that information centrally on servers belonging to companies like Google, Apple, Meta, or Amazon. This form of verified identity protects companies and consumers from fraud while safeguarding privacy and preventing personal information from getting hacked, sold, or shared.
While the GAMA companies may be first, such measures are likely to be extended to all consumer-facing businesses. It’s already the law for all companies doing business in California—effective January 1. Given that 90% of US businesses are unprepared for even that change, organizations are advised to begin evaluating technologies that accept distributed identifiers now.
2. VPNs Give Way to an Identity-based Perimeter for the Virtual Workforce
When the corporate “network” now extends to every employee’s bedroom, breakfast nook, or go-to coffee bar, relying on VPNs for perimeter security is like locking the back window while leaving the front door wide open. As recent cyberattacks on Uber and others have demonstrated, VPNs are simply no match for compromised credentials.
Whether they’re to corporate systems, email accounts, or the VPN itself, the 2 billion login credentials stolen in recent years mean threat actors have easy access to corporate secrets, data, and more. It doesn’t help that 64% of us use variations of the same passwords across multiple accounts—and often share them with colleagues.
Traditional forms of multifactor authentication (MFA) aren’t proving to be much of an obstacle either. As a result, look for next-gen MFA solutions to gain traction in the year ahead. Today’s most robust offerings use biometric markers tied to a registered smartphone to provide phishing-poof authentication impervious to account takeover.
3. 80% of Fortune 500 Greenlight Passwordless Projects
The same drivers behind the shift from relying solely on VPNs and traditional MFA will accelerate the push toward passwordless authentication projects in 2023. By year’s end, we predict 80% of Fortune 500 companies will have formalized and budgeted these projects, and 50% will implement it in at least two of the most commonly targeted systems—remote access and operating systems.
With passwordless authentication, corporate users can log in and access systems, resources, and applications without using passwords. Instead, they leverage another form of identity verification. But not all paths to passwordless security are created equal.
Passwordless authentication can involve a one-time passcode (OTP), SMS confirmation, and a PIN. But while helpful, these can be easily bypassed by hackers. To be successful, organizations will need to deploy modern MFA technologies that bridge biometrics, offline government-issued IDs, and device-based authentication to make it virtually impossible for systems or accounts to get hacked.
4. Transaction Signing Moves From NFTs, Crypto Exchanges to Banking
In the year ahead, transaction signing will expand from digital assets such as non-fungible tokens (NFTs) and crypto exchanges to traditional financial markets with major banks implementing the technology.
To those in the know, transaction signing introduces an additional layer of security over common two-factor authentication methods by requiring users to key in details embedded in their transactions to generate a random one-time QR code that is then authenticated with an authenticator app. This helps prevent interception or modification to transaction details from malware or viruses employing “man-in-the-middle” schemes. While the friction this creates has slowed adoption, customer demand is building.
Organizations using tamper-resistant forms of transaction signing will have a competitive advantage. Investments in use cases like transaction signing of digital assets will eliminate fraudulent activities that have cost the cryptocurrency market $2.5 billion during just the first three quarters of 2022, expanding its appeal to a wider array of high-value, high-risk transactions.
5. From Trust to Bust: Recession Brings New Boom in Fraud
The chances of an economic downturn in the next year now range between 60% and fait accompli. If the economy does go south, there’s one thing you can bank on—a massive surge in fraud. The COVID pandemic was just the latest lure du jour for fraudsters looking for a hook. But the most relevant historical precedent for online fraud dynamics would be the Great Recession that began in 2008.
At the time, Reuters reported the number of online fraud complaints reported to the FBI jumped 33%–the first increase in three years. Phishing emails doubled from 400,000 to 800,000 a day between August and November. Meanwhile, financial services firms saw a surge in bust-out scams perpetrated by fraudsters armed with synthetic identity information. By 2014, 10% to 15% of all banks unsecured bad debt was believed to stem from this fraud.
If similar dynamics play out now, the financial services industry’s shift from traditional forms of MFA to biometrics- and device-based authentication and distributed identity couldn’t come at a more pivotal moment.
6. The ‘Identity Score’ Gains Traction Over Conventional Credit Scores
As ownership and control of personal data starts to fall away from tech companies and credit bureaus, digital reputation—or our “identity score”—will be managed and nurtured by individual consumers. A likely scenario could be the ability to store personal information in a privacy-focused wallet or another decentralized verification mechanism.
Government identity documents, bank account relationships, and verifiable credentials or receipts that establish transaction and credit history will be held by the individual instead of a credit bureau or tech platform. When the individual opts to share this data, it can be scored without contributing any private user information or metadata to third-party providers. Or it can be time-based and deleted after a predetermined period.
Beyond the aspect of personal control, reputation and risk established with this kind of digital identity score are verified to be accurate and up to date (as in real-time), unlike current credit bureau-based reputation systems. Exactly the kind of verification that will rank among digital identity’s primary benefits in 2023—and beyond.
Go beyond our predictions for digital identity in 2023 with a collection of resources for achieving passwordless MFA and verified identity at 1Kosmos Insights!