Industry Talk

Regular Industry Development Updates, Opinions and Talking Points relating to Manufacturing, the Supply Chain and Logistics.

Identity Theft Awareness Week: WSO2 comment

Identity theft is initially thought of in relation to the threat it poses to the individual, such as gaining access to personal credentials to access their bank accounts and steal money. However, with the rise in ransomware attacks and cyber breaches, identity theft is a major issue for organisations and cybersecurity teams.

For most systems within an organisation, the level of access to company files and data is tied to the identity of the user. Therefore, if a user account becomes compromised, a hacker can gain access to many restricted parts of a system without alerting the system’s security measures because, as far as the system is concerned, they have the correct credentials. This is known as an account takeover (ATO) attack. This type of insider threat is increasing, with misuse of company accounts rising by 51% in 2024 compared to 2023, according to CIFAS, and cases of abuse of company privilege doubling. The reason for this increase has been ascribed to security challenges arising from the normalisation of remote work, as well as employees taking on multiple roles at the same time.

One way to strengthen the overall security posture is to simplify user experiences.

For instance, multi-factor authentication (MFA) methods such as authenticator apps, push notifications, and security keys provide an additional layer of protection for account access. While passwordless authentication options—such as email-based login links and mobile OTPs—may not always offer the most seamless experience, they still enhance security. Incorporating modern authentication methods, including FIDO-powered passkeys and social logins via platforms like Google and Facebook, strikes a balance between strong security and a frictionless user experience.

To this end, leveraging a modern IAM platform simplifies the implementation of these advanced authentication mechanisms, ultimately accelerating time to market and improving both security and usability.

Adaptive authentication, which steps up security based on situational risk factors such as attempting access from a new device, logging in from an unusual geographical location, or after a prolonged period of inactivity, can be crucial when detecting access that may come from a compromised account. For high-value services like financial applications or government services, additional layers like biometric verification and liveness checks (Identity Verification or IDV options) provide higher levels of assurance and meet regulatory compliance demands for more stringent security measures.
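The step-up decision described above can be sketched as follows. This is an added example, not code from WSO2 or any IAM product; the function names, the 500 km and 90-day thresholds, the policy mapping and the sample data are all assumptions made for illustration.

```javascript
// Added illustration: all names, thresholds and sample data are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Great-circle (haversine) distance in km between two {lat, lon} points.
function distanceKm(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Collect the situational risk signals present in one login attempt.
function riskSignals(profile, attempt, { maxKm = 500, maxIdleDays = 90 } = {}) {
  const signals = [];
  if (!profile.knownDevices.includes(attempt.deviceId)) signals.push("new_device");
  // Fail closed: an attempt with no usable location counts as unusual.
  const nearKnown = Boolean(attempt.geo) &&
    profile.knownLocations.some((p) => distanceKm(p, attempt.geo) <= maxKm);
  if (!nearKnown) signals.push("unusual_location");
  if (attempt.time - profile.lastLogin > maxIdleDays * DAY_MS) signals.push("long_inactivity");
  return signals;
}

// Assumed policy: any signal adds MFA; on a high-value service it also adds IDV.
function requiredAuth(profile, attempt, highValueService = false) {
  const signals = riskSignals(profile, attempt);
  const steps = ["primary"];
  if (signals.length > 0) steps.push("mfa");
  if (signals.length > 0 && highValueService) steps.push("idv");
  return { signals, steps };
}

// Constructed sample: a user who normally signs in from London on one laptop.
const NOW = Date.UTC(2025, 0, 15);
const SAMPLE_PROFILE = {
  knownDevices: ["laptop-1"],
  knownLocations: [{ lat: 51.5074, lon: -0.1278 }],
  lastLogin: NOW - 2 * DAY_MS,
};
const NEW_YORK = { lat: 40.7128, lon: -74.006 };

console.log(requiredAuth(SAMPLE_PROFILE, { deviceId: "laptop-1", geo: SAMPLE_PROFILE.knownLocations[0], time: NOW }));
console.log(requiredAuth(SAMPLE_PROFILE, { deviceId: "phone-9", geo: NEW_YORK, time: NOW }, true));
```

In practice the thresholds would be tuned per service, and the signals logged alongside the decision so that repeated step-ups on one account can be reviewed as a possible takeover.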

By incorporating these various authentication methods, organisations can significantly enhance security, protect against unauthorised access, and improve the overall user experience.