Three Authentication Predictions for 2024
The Cybersecurity Threat Landscape in 2023
As the end of the year approaches, it’s a natural time for us to reflect on what happened in the world of authentication over the last 12 months, as well as think about what the next year will bring.
In 2023, we saw cybercrime continue to increase in both volume and sophistication across many attack vectors, including ransomware, man-in-the-middle, business email compromise (BEC), and push bombing attacks. Arguably one of the most notable developments in cybersecurity this year, however, was the introduction of generative AI, which has taken phishing attacks to new heights.
This changing threat landscape presents a major problem for authentication when combined with the findings of Verizon’s 2023 Data Breach Investigations Report: 74% of breaches involve the human element, and the two primary ways in which attackers access an organization are stolen passwords (50%) and phishing (15%). The problem is compounded by the fact that, even though passwords are the root cause of so many data breaches (80%, in fact, according to the FIDO Alliance), organizations continue to rely on them.
What 2024 Will Bring
All of these factors come into play when we think about authentication in 2024. We can’t change the behaviors of threat actors, but we can control how we react to them – and we hope to see more organizations turn to passwordless technology and phishing-resistant multi-factor authentication (MFA) to strengthen their security posture.
In addition to this overarching trend, we asked two Axiad thought leaders what they think will unfold in the industry in 2024. Here’s what they had to say:
Bassam Al-Khalidi, co-founder and co-CEO:
- We’ll see the consolidation of passwordless and credential management companies – Next year, we’ll start to see mergers between passwordless and credential management companies, which will create a new category in the authentication space: think “passwordless plus.” This movement will be similar to the consolidation we saw a few years back between identity management and access management companies, which resulted in the identity and access management (IAM) industry.
True passwordless technology removes passwords and other shared secrets completely. When you do that, the next step becomes modernizing account recovery. Traditionally, this is where password managers came in. In a passwordless world, however, vendors need to be able to offer passwordless recovery. Given this, the next natural step in the authentication industry will be passwordless technology vendors and credential management companies joining forces.
- Generative AI will make phishing-based cyber-attacks exponentially more successful – In 2023, we saw the rise of generative AI tools such as ChatGPT. While these tools can be very helpful for improving business processes, they can also add massive overhead from a security perspective. The biggest reason for this is generative AI has made phishing attacks readily available to hackers, helping them craft believable emails with context. Whereas individuals used to be able to look for tell-tale signs of fraudulence – such as spelling mistakes, grammatical errors, or tones of misplaced urgency – phishing attacks crafted with generative AI are nearly perfect. If that’s not bad enough, they also pull in relevant context found on individuals (e.g., using information posted on social media accounts). This combination makes it more difficult than ever for recipients to distinguish between a real and a fake email.
Cybercriminals want maximum results for the least amount of effort and money. Generative AI-based phishing attacks can be executed easily, quickly, and at no cost. So, while we’ve been able to keep phishing at bay over the past few years, in 2024, we’ll see both the rate of phishing attacks and their percentage of success increase dramatically.
Jerome Becquart, COO:
- Cybercriminals will increasingly target account recovery methods – With the uptick in phishing attacks and resulting guidance from the U.S. White House Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), in 2024, more organizations will strengthen their authentication method by going passwordless. In fact, we’re already seeing this move in the market, with large enterprises including Google and Amazon now offering consumers the ability to log in more securely with passkeys.
While this is a step in the right direction, it’s only half the journey. As the “front door” of the house gets stronger, cybercriminals will shift from stealing credentials (e.g., passwords) to attacking the “back door,” or account recovery methods. For example, let’s say a cybercriminal enters incorrect information on an account five times. The account recovery process then kicks in. If that process involves calling a help desk to answer security questions or answering them online, there’s a good chance hackers will be able to ascertain the information they need to hack their way in by perusing social media. We’re already seeing this happen, but, in 2024, we’ll see an escalation of cybercriminals targeting account recovery methods to compromise credentials.
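The "back door" weakness described above, as an added example that is not part of the original post or of any Axiad product: a knowledge-based recovery flow (security questions) modelled beside a possession-based one (single-use recovery codes issued at enrollment, stored hashed, with an attempt limit). The security questions, the victim's answers and the "public profile" an attacker scrapes are all constructed for illustration; the code-based design is one reasonable hardening, not a description of any specific vendor's recovery process.

```python
"""Two account-recovery flows side by side: knowledge-based answers that an
attacker can reconstruct from a public profile, versus single-use recovery codes
bound to enrollment. All data below is constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison, as most KBA systems do."""
    return " ".join(answer.lower().split())


@dataclass
class KbaRecovery:
    """Knowledge-based recovery: the 'back door' built on security questions."""
    answers: dict  # question -> expected answer

    def recover(self, given: dict) -> bool:
        return all(
            _normalize(given.get(question, "")) == _normalize(expected)
            for question, expected in self.answers.items()
        )


@dataclass
class CodeRecovery:
    """Possession-based recovery: single-use codes shown once at enrollment,
    stored only as hashes, with an attempt limit that ends in a locked state."""
    code_hashes: set
    max_attempts: int = 5
    failures: int = 0

    @staticmethod
    def digest(code: str) -> str:
        # Codes carry 64 bits of entropy, so plain SHA-256 is adequate here;
        # low-entropy secrets would need a slow, salted hash instead.
        return hashlib.sha256(code.encode()).hexdigest()

    def recover(self, code: str) -> bool:
        if self.failures >= self.max_attempts:
            return False  # locked: only a help-desk process with real identity proofing may reset
        wanted = self.digest(code)
        for stored in list(self.code_hashes):
            if hmac.compare_digest(stored, wanted):
                self.code_hashes.discard(stored)  # single use: a captured code cannot be replayed
                self.failures = 0
                return True
        self.failures += 1
        return False


def issue_recovery_codes(count: int = 8):
    """Enrollment step: plaintext codes for the user (shown once), hashes for the server."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    return codes, CodeRecovery({CodeRecovery.digest(c) for c in codes})


# Constructed data: what the victim's public social-media page reveals,
# and the security-question answers they enrolled years ago.
PUBLIC_PROFILE = {"hometown": "Springfield", "pet": "Rex", "school": "Springfield High"}
VICTIM_KBA = KbaRecovery({
    "What city were you born in?": "Springfield",
    "What was the name of your first pet?": "rex",
    "What high school did you attend?": "Springfield High",
})


def attacker_beats_kba(profile: dict = PUBLIC_PROFILE) -> bool:
    """Attacker maps each question to a fact scraped from the public profile."""
    guesses = {
        "What city were you born in?": profile["hometown"],
        "What was the name of your first pet?": profile["pet"],
        "What high school did you attend?": profile["school"],
    }
    return VICTIM_KBA.recover(guesses)


def attacker_beats_codes(attempts: int = 1000) -> bool:
    """Same attacker against code-based recovery: nothing on the profile helps,
    and guessing is cut off by the attempt limit after five failures."""
    _, store = issue_recovery_codes()
    return any(store.recover(secrets.token_hex(8)) for _ in range(attempts))


def legitimate_code_recovery() -> tuple:
    """The real user recovers once with a code; the same code cannot be reused."""
    codes, store = issue_recovery_codes()
    return store.recover(codes[0]), store.recover(codes[0])


if __name__ == "__main__":
    print("KBA recovery bypassed via OSINT:", attacker_beats_kba())
    print("Code recovery bypassed via guessing:", attacker_beats_codes())
    print("Legitimate code use, then replay:", legitimate_code_recovery())
```

The point of the model is that the recovery path must be at least as strong as the primary login it can replace: once the front door is a passkey, recovery that falls back to facts discoverable online quietly lowers the whole account to the strength of a social-media profile.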
The cybersecurity threat landscape will continue to evolve as cybercriminals find new ways to attack the weakest parts of an organization’s technology security strategy. Being aware of potential weaknesses, whether in an authentication method or an account recovery method, and acting to fix them will be more important than ever in the coming year. We hope these three predictions will be useful to your business as you continue to strengthen your cybersecurity posture in 2024.
If you have thoughts, questions, or if we can be of assistance in your authentication journey, feel free to contact us.