Identity security will see several ongoing long-term trends continue over the next few years. These include greater adoption of phishing-resistant authentication; greater acceptance of passkeys and other passwordless protocols; further migration to cloud-native identity-management platforms; and accelerating consolidation of formerly siloed identity-management tools such as IAM, PAM and IGA.
The continuing adoption of zero-trust frameworks will cement identity's place as foremost among information-security protections. Correspondingly, even more attackers will target identity as their initial means of entry.
Newer concepts in identity may be further developed, such as identity threat detection and response and universal standards for identity security. Of course, we'll also see much more in the interface between identity security and artificial intelligence, although those developments are harder to predict.
There are a few dark clouds. The development of decentralized identity seems to have stalled as the identity industry trends toward greater centralization of tools and management platforms. Passkeys are being rapidly adopted, but their regular users are still a tiny fraction of all identity users, and the implementation still has several kinks that need to be worked out.
And passwords aren't about to die any time soon. By 2030, we'll see much less day-to-day password usage, but we won't be able to completely abandon passwords as many legacy systems will still require them, either as primary authentication factors or as fallbacks.
What follows is some of what we anticipate in the identity-security field for 2025 and beyond.
More phishing-resistant authentication
After more than a decade of efforts, multi-factor authentication (MFA) is finally commonplace and familiar to most users. Unfortunately, we're still overly reliant upon the weakest forms of MFA, chief among them temporary one-time passwords transmitted by SMS text message, voice calls or email messages. Even passcode-generating authenticator apps are not immune from phishing.
That's why it's imperative that organizations and online retailers move toward phishing-resistant factors of authentication such as FIDO hardware keys, platform-centric protocols like Okta's FastPass or even number-matching push notifications of the sort used by Microsoft.
"I'm a very big fan of physical access tokens," Mark Dorsi, CISO at Netlify, told SC Media recently. "The Touch IDs of the world, Yubikeys of the world, Windows Hello, Face ID, all those sorts of things. It's the thing that you have versus that thing that you know, and that's an important distinction when it comes to MFA."
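The article says FIDO keys resist phishing where one-time codes do not, but not why. As an added illustration (not code from the article or from any vendor it names), the Go program below sketches both sides of a WebAuthn login, the protocol behind FIDO2 keys and passkeys alike: the browser-plus-authenticator side writes the page's actual origin into the data that gets signed, and the relying party refuses any assertion whose origin or RP ID hash is not its own. The relying-party name bank.example, the look-alike bank-example.com, the challenge string and the reduced authenticator-data layout are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Constructed relying party for this example (not a real site).
const rpID = "bank.example"

var allowedOrigins = map[string]bool{"https://bank.example": true}

// clientData holds the WebAuthn clientDataJSON fields the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back from navigator.credentials.get().
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// authData builds minimal authenticator data: SHA-256(rpId) || flags || signCount.
func authData(rpid string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpid))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(append(append([]byte{}, h[:]...), 0x01), c[:]...) // 0x01 = UP (user present)
}

// signedMessage is the hash the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return m[:]
}

// Sign plays browser plus authenticator. The browser, not the web page, writes the origin
// into clientDataJSON and scopes the credential to that origin's host, so a page on a
// look-alike domain cannot obtain an assertion bound to rpID.
func Sign(priv *ecdsa.PrivateKey, origin, challenge string, counter uint32) (Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return Assertion{}, err
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad := authData(u.Hostname(), counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return Assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// Verify runs the relying-party checks that make the ceremony phishing-resistant: origin and
// RP ID are covered by the signature, so neither can be swapped after the fact.
func Verify(pub *ecdsa.PublicKey, a Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature: origin or authenticator data tampered")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	chal := "constructed-challenge" // real relying parties send fresh random bytes per login
	good, _ := Sign(priv, "https://bank.example", chal, 1)
	fmt.Println("login on the real site:", Verify(&priv.PublicKey, good, chal))
	// The user was lured to a look-alike domain; the assertion produced there is relayed unchanged.
	phish, _ := Sign(priv, "https://bank-example.com", chal, 2)
	fmt.Println("relayed from look-alike:", Verify(&priv.PublicKey, phish, chal))
	// Even with origin and rpIdHash rewritten to look legitimate, the signature no longer matches.
	phish.ClientDataJSON = bytes.Replace(phish.ClientDataJSON, []byte("bank-example.com"), []byte("bank.example"), 1)
	h := sha256.Sum256([]byte(rpID))
	copy(phish.AuthenticatorData, h[:])
	fmt.Println("forged origin:", Verify(&priv.PublicKey, phish, chal))
}
```

Run with go run and the three Verify calls print nil, an origin error and a signature error in turn. A one-time code carries no such binding: whatever page the user types it into, the real site will accept it, which is the gap the article's phishing-resistant factors close. Passkeys, discussed in the next section, are FIDO2 credentials and pass through exactly these checks.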
Wider use of passkeys
The most important development in access management since MFA has been passkeys, which leverage the secure-element chips and biometric interfaces present on modern laptops and smartphones to create FIDO2-compliant hardware keys that most people already carry everywhere.
But there are snags. The passkey experience isn't uniform because Microsoft, Apple and Google each have different ways of handling passkeys. So do many online services, leading to user confusion and frustration.
Efforts to make passkeys more user-friendly by syncing them across an individual user's devices may create potential weaknesses for attackers to exploit. Linux passkey support is paltry.
"The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android," wrote Ars Technica's Dan Goodin in a recent overview. "There are too many cooks in the kitchen, and each one thinks they know the proper way to make pie."
The entire passkey experience needs to be standardized, and the big providers need to agree on a common, secure protocol for sharing passkeys among devices instead of just jerry-rigging Edge, Chrome and Apple Keychain to do the job. I hope we'll see all that soon.
More attacks on identity
It's already a cliché to say that "today's hackers don't break in — they log in." But it's increasingly true. As more organizations adopt zero-trust frameworks, and as internet-facing software becomes tougher to penetrate, identity becomes the primary target for attackers.
Nearly 40% of all intrusions cited in the 2024 Verizon Data Breach Investigations Report involved credential compromise. Roughly 15% involved phishing.
Legacy identity-management systems often aren't up to the task of defending organizations in this tougher environment, especially as sensitive data moves off-prem and into the cloud, to home offices and onto employees' personal devices.
"Historically, attackers gained initial access to networks through the endpoint," Obsidian Security Co-Founder and Chief Product Officer Glenn Chisholm told SC Media earlier this month. "But that's not where the data is anymore. I expect identities to represent an increasingly frequent point of attack as these threat actors evolve their efforts and attention to where the biggest payout is: the data within cloud-based SaaS and PaaS applications."
Greater adoption of cloud-native identity-management platforms
To effectively manage cloud assets, the management platform itself needs to be in the cloud, which is why even more organizations will be updating their identity security to modern cloud-based identity platforms that handle on-prem, remote, cloud and mobile assets equally well.
Greater consolidation of identity-management tools
Until recently, identity and access management (IAM), privileged access management (PAM) and identity governance and administration (IGA) were three different things.
IAM handled regular users' day-to-day access to organization assets and systems. PAM handled system administrators and other highly privileged users, imposing higher authentication barriers and continuously monitoring access to sensitive areas and assets. IGA provisioned new users with access and removed it from departing users.
This is still the norm at many organizations. But others are modernizing their identity-management systems to platforms that handle the functions of all three tools.
This is necessary because cloud, remote and mobile assets have complicated the identity environment so that ordinary users sometimes gain elevated system privileges. On the provisioning and onboarding side, contractors, gig workers and consultants quickly come and go.
"Any identity can be privileged at any given time," said Matt Cohen, CEO of CyberArk, at a recent conference. "Most organizations today have hundreds of thousands of identities to secure, both human and non-human. More and more of those identities look like privileged accounts."
A consolidated, cloud-based, modern identity-security platform that combines the roles of IAM, PAM and IGA may be the optimal solution to manage this increasingly complex, fast-paced identity environment.
Greater governance over machine identities and embedded/IoT devices
Another newly minted adage is to say that "machine identities outnumber human ones by 40 to one" or even "100 to one."
That may depend on how you enumerate APIs, service accounts and session tokens, but it's unquestionable that attackers are leveraging overlooked machine-to-machine communications to worm their way into privileged accounts and systems. Likewise, IoT devices in the workplace such as smart TVs or smart speakers can provide a way in for network trespassers.
"This ability to exploit machine identities for unauthorized access will drive adversaries to focus more intently on cloud native environments," Sitaram Iyer, Venafi VP of emerging technologies, told SC Media. "Successfully targeting machine identities gives attackers a clear pathway to admin-level control, that can enable everything from data theft to taking over — or shutting down — critical business services."
In response, many modern identity-management systems are extending their nets to enact more control over machine identities and embedded devices, guarding them as they would human accounts.
Further down the road
Then there are a couple of newer ideas that haven't yet completely caught on but may gain traction in the next couple of years.
Identity threat detection and response (ITDR)
This concept was coined by Gartner in 2022. It's the identity equivalent of endpoint detection and response (EDR) or extended detection and response (XDR). As you'd imagine, an ITDR platform automatically responds to identity-based attacks such as credential stuffing or MFA bombing.
Its proponents are often enterprise cybersecurity-software and services vendors that also provide XDR or incident response. Makers of identity-management platforms might argue that their own services already provide the features of ITDR.
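The article describes ITDR only as something that "responds to identity-based attacks such as credential stuffing or MFA bombing." As an added example (not from the article or from any ITDR vendor), the Go program below shows the detection half of that job: it parses a constructed authentication log, then applies two sliding-window rules, one that flags a user hit by repeated push prompts in a short span (MFA bombing) and one that flags a source address whose failed password attempts spread across many distinct usernames (credential stuffing). The log format, the field names, the addresses and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	At                     time.Time
	Kind, User, IP, Result string // Kind: password|push; Result: ok|fail|approved|denied|timeout
}

// Constructed sample log (not real data): failed logins against four usernames from one address,
// then a burst of push prompts at bob, who finally approves one.
const sampleLog = `2025-01-10T09:00:01Z password user=alice ip=198.51.100.7 result=ok
2025-01-10T09:00:05Z password user=bob ip=203.0.113.5 result=fail
2025-01-10T09:00:06Z password user=carol ip=203.0.113.5 result=fail
2025-01-10T09:00:07Z password user=dave ip=203.0.113.5 result=fail
2025-01-10T09:00:08Z password user=erin ip=203.0.113.5 result=fail
2025-01-10T09:01:00Z push user=alice ip=198.51.100.7 result=approved
2025-01-10T09:30:00Z push user=bob ip=203.0.113.5 result=denied
2025-01-10T09:30:20Z push user=bob ip=203.0.113.5 result=timeout
2025-01-10T09:30:40Z push user=bob ip=203.0.113.5 result=denied
2025-01-10T09:31:00Z push user=bob ip=203.0.113.5 result=approved`

// ParseLog parses "<RFC3339> <kind> user=<u> ip=<ip> result=<r>" lines and sorts them by time.
func ParseLog(s string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Event{t, f[1], strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "ip="), strings.TrimPrefix(f[4], "result=")})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out, nil
}

// windowPeak slides a window of length w over time-sorted evs and returns the largest
// number of events (or of distinct users, when byUser is set) found in any one window.
func windowPeak(evs []Event, w time.Duration, byUser bool) int {
	best := 0
	for i := range evs {
		n, seen := 0, map[string]bool{}
		for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= w; j++ {
			n, seen[evs[j].User] = n+1, true
		}
		if byUser {
			n = len(seen)
		}
		if n > best {
			best = n
		}
	}
	return best
}

// detect groups events by the key returned for them (events for which key reports false are
// ignored) and returns each subject whose windowPeak reaches threshold, with that peak count.
func detect(events []Event, key func(Event) (string, bool), window time.Duration, threshold int, byUser bool) map[string]int {
	groups := map[string][]Event{}
	for _, e := range events {
		if k, ok := key(e); ok {
			groups[k] = append(groups[k], e)
		}
	}
	hits := map[string]int{}
	for subject, evs := range groups {
		if n := windowPeak(evs, window, byUser); n >= threshold {
			hits[subject] = n
		}
	}
	return hits
}

// DetectMFABombing returns users who received at least threshold push prompts within window.
// A playbook would suspend push for them and treat any approval inside the burst as a compromise.
func DetectMFABombing(events []Event, window time.Duration, threshold int) map[string]int {
	return detect(events, func(e Event) (string, bool) { return e.User, e.Kind == "push" }, window, threshold, false)
}

// DetectCredentialStuffing returns source addresses whose failed password attempts hit at least threshold distinct usernames within window.
func DetectCredentialStuffing(events []Event, window time.Duration, threshold int) map[string]int {
	return detect(events, func(e Event) (string, bool) { return e.IP, e.Kind == "password" && e.Result == "fail" }, window, threshold, true)
}

func main() {
	events, _ := ParseLog(sampleLog) // constructed input above, cannot fail to parse
	fmt.Println("mfa-bombing:", DetectMFABombing(events, 2*time.Minute, 4))
	fmt.Println("credential-stuffing:", DetectCredentialStuffing(events, time.Minute, 4))
}
```

The output names bob and 203.0.113.5. The response half of ITDR starts where these maps end: an approval that arrives in the middle of a push burst, as bob's does, is the event to treat as a compromise, so a playbook would revoke that session and re-enrol the factor rather than only raise an alert. The thresholds are deliberately low for the ten-line sample and need tuning against a real baseline before they are trusted in production.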
Additional universal, product-agnostic standards for identity security
The widespread adoption of interoperability protocols like FIDO2, OAuth, WebAuthn, OpenID and SAML shows that open standards can work well in the identity industry. Yet most commercial platforms often go their own way in how they operate internally and handle long-term processes.
Okta, BeyondTrust, Microsoft, Ping Identity and the OpenID Foundation recently announced an effort to create a greater framework for shared identity standards called Interoperability Profile for Secure Identity in the Enterprise, or IPSIE.
IPSIE "will standardize the way Identity security is done across the industry and help foster an open ecosystem where building and using enterprise applications that are secure by default is easy for everyone," wrote Okta CEO Todd McKinnon in an October 2024 blog post.
So far, IPSIE is just a talking shop, but the founders are seeking additional participants.
AI looms, but how large?
Finally, there's the big, quiet elephant in the room. AI has the potential to profoundly change how we practice identity security, just as it stands to profoundly change almost every other aspect of information security.
We just don't know how and to what degree it will do so. It seems certain that AI will automate many tedious manual processes, such as provisioning/onboarding and deprovisioning/offboarding users, and be able to conduct on-the-spot access reviews. It can also do some things humans are bad at, like rapidly analyzing huge amounts of data to spot anomalies and potential intrusions or risks.
It's also clear that attackers will make extensive use of AI, from crafting perfect-sounding phishing emails to harvesting personal information for use in spear-phishing attacks to automating entire campaigns. Defenders will have to use AI in some capacity to keep up with the pace of the attacks.
The real question is how much control we want to cede to AI. Will we let it take a primary role in managing identity platforms, or should it be just an advisor to human decision-makers? Can we trust AI not to make mistakes or not to hallucinate false information? Can we trust it to make decisions that will affect people's lives?
"[IAM] is the only technical control we have to manage who has access to this new [AI] technology," said a CISO/CSO in a recent survey. "We are slowly opening the gates for specific justified needs — not being afraid of AI but by embracing it slowly and methodically."