At the transition to a new year, we highlight 10 trends within Identity and Access Management that we believe are interesting to have on the radar for this year. Of the various IAM themes and technologies that we have considered, some are quite tangible, others are perhaps more diffuse, and of course it will vary whether there are aspects that will be relevant to your organisation.
1. Relying only on passwords is "out"
If in 2023 you only protect your IT resources with passwords, without further securing with multi-factor authentication and other measures, you have been asleep. But fear not; if there is a problem here that you are struggling to get through, it is entirely possible to ask for help to solve it.
Remember! It is always better to have a problem that is solved over time than to have a problem that you ignore until you can't ignore it anymore.
2. Passwordless authentication is fully feasible
Passwords as a security mechanism are, as we have already discussed, potentially challenging. What we have seen in the last year, and what will mature further in 2023, is that it is practically possible to authenticate ordinary end users in a secure and user-friendly way without using passwords at all.
There is still a need to plan both rollout and operation well, and users must receive sufficient training, information and follow-up, but technologies and interfaces on the systems involved have now become so good that the threshold for passwordless authentication is fully manageable.
3. Passkeys are on their way
Passkeys have been discussed for quite some time already, but now big players such as Google, Microsoft and Apple have really started to put weight and effort behind getting them adopted.
Going into depth on what passkeys are and why they will make a big difference to how user authentication works is more than enough material to fill a separate article, but the key benefits are:
- Users will no longer need to remember or take care of passwords. Goodbye yellow post-it notes!
- Services will no longer store passwords; if there is a break-in at the service where thieves get hold of user data, they will not be able to use it to log in as the user later, nor take it with them to other services since the user does not have a password that is used across services.
4. Zero Trust is the main rule
There are plenty of examples where thieves have gotten their little toe inside the computer systems, and then painstakingly taken step by step inwards to build up privileges, gradually gaining more and more access to privileged systems and data.
New systems must be designed to remove these possibilities as best we can, and existing systems must be updated to remove the possibilities that may exist as of today.
5. On-boarding and off-boarding can be carried out without physical presence
A central part of onboarding processes has often been that new users must show up physically, preferably with a passport or other physical ID, so that you can be completely sure that the person is who they say they are. They would then be handed a sheet with the username and password for the user account, along with anything else they might need during start-up.
In the wake of the pandemic, remote working has seen a tremendous upswing and more and more organizations are opening up to the fact that you do not need to be physically present to be able to do a satisfactory job.
Linking identity verification services into the onboarding process, for example BankID in Norway or MitID and NemID in Denmark, means that parts of the processes that previously had to be done face-to-face can be carried out virtually.
6. CIAM is a serious focus area
Many organizations are well on their way to tackling IAM aimed at employees and others who are defined as internal, i.e. "enterprise IAM". They have started to see safety and efficiency gains.
We cannot say for sure whether it is these experiences that have made organizations seriously begin to see how similar gains can be achieved with customer users, but there is no doubt that there is much more pressure around Customer Identity and Access Management (CIAM) now than a year or two ago, and that pressure will increase beyond 2023.
7. More use and effect of AI and machine learning
Just as machine learning and AI are trending in other areas, IAM will also use this technology to support systems and processes. In the first instance, this is linked to detecting and handling security incidents, as we are already seeing with, for example, Okta's ThreatInsight. In the long term, there are many different parts of IAM that will be able to reap benefits from this.
8. Cloud-native PAM
For many, Privileged Access Management (PAM) has been about server access and Windows domain admin. As the infrastructure and service portfolio evolves for most organizations, so does the need for PAM. It will have to deal in a holistic way with everything from Windows/Linux to Azure/Amazon/Google, Kubernetes, containers and the like.
In addition, we expect that organizations will want to increase the size of the "PAM umbrella" to cover larger user groups and more kinds of access, including access to datasets, so that PAM is useful in more places than its traditional target groups.
9. Laws, requirements and regulations
As a result of many years of history with security incidents, loss of data and "creative" solutions around personal data, there are more and more laws, requirements and regulations that affect organisations' needs and requirements for IAM systems and the processes they must support.
Many organizations are currently establishing cyber insurance, and in that work and its follow-up there is a lot to be documented and many measures to be implemented.
The same can be said about certifications that will cover service areas where IAM is included. IAM systems will thus not only be able to deliver security and efficiency in various contexts, but also be able to document it on a good and regular basis.
In addition, the problems surrounding Schrems II are far from resolved, which will affect almost all discussions about Norwegian/European use of American and American-owned cloud services.
10. Consolidation of the IAM market
In recent years, we have seen an increasing tendency for the major players in the IAM market to acquire or merge with other players, in order to increase their market share or acquire capabilities that they have previously been weak in. This applies both to the suppliers on the market (cf. Okta's acquisition of Auth0) and those who work to deliver and implement these systems. There is no reason to believe that this is something that will fade away in 2023 and beyond.