Boldly Meeting the Promise of Web 3.0
It seems not so long ago that the word “future” was short-hand for a technology “promised land” of sorts – a land of virtual and augmented realities, digital currencies, and cures for terminal illnesses from the cloud. The good news is we’ve made steady progress on a couple of those fronts. The not-so-good news: this land contains deeper, more complex threats than many enterprise leaders anticipated.
That’s because we’re amidst a shift to the next era of the WWW. As organizations ready themselves for Web 3.0, it’s becoming clear that most are ill-equipped for the underbelly of the next phase of the internet, a new cyber frontier that a lot of companies, including cybersecurity companies, are unprepared for.
This unpreparedness stems from two things: first, we live in a digitized world. You’d be hard-pressed to find a process today that doesn’t have an online component. You can pay bills, renew insurance, sign a mortgage, transfer money, keep in touch with friends, and sign a permission slip. In-person, face-to-face interactions are quickly becoming a minority and being overtaken by fully digital interactions and transactions. In some ways, this isn’t a bad thing, as processes that took up an entire Saturday afternoon now take minutes. We’ve got precious time back, and many of us are taking full advantage of that.
The problem with everything becoming digitized is that a sense of realness and legitimacy of the physical world has slipped away. It may have started with Snapchat filters that made us look like dogs, but now, filters make people completely unrecognizable. Bots are listening to music, engaging with tweets, and can be bought to make a person seem more influential than they are. We live in a world of deepfakes and fake news – and because of that, it’s really hard to tell what is real anymore – and criminal organizations and nation-states are taking full advantage. As each process becomes just a bit more digital and a bit more complex, the seminal question of realness on the internet has emerged in a way that companies aren’t prepared to verify or protect against. Protecting employees is hard enough, but what about customers you don’t know but want to acquire desperately to fuel your business?
This is the second part of the unpreparedness that defines the challenge organizations are facing as we approach Web 3.0 – the security solutions, processes and customer experiences available today weren’t designed to keep organizations, customers, data and identities safe. It’s not a matter of inadequacy; it’s that what we are trying to protect, and how we protect it, has changed.
It would be a mistake to believe that customers are happy to disregard what’s behind the security curtain of this end-to-end process. How many business relationships are abandoned because something feels “off” to the customer, whether that’s because they’re receiving a welcome email from an unknown sender domain, or because they don’t recognize a third-party logo in the digital workflow? This is what they have been trained to do thus far. But Web 3.0 changes all of that. The digitization of processes, procedures, documents, contracts, and overall customer experience across physical, digital and virtual realms changes all of that.
With Web 3.0, we are boldly embracing and accepting a digitized world. We thrive on the convenience these digitized processes offer us, and because it’s so quick and easy, and increasingly cool, no one is thinking about the legitimacy of the document they are signing. Or even if the person who joined their Zoom meeting is actually who they said they were. Or is the GoFundMe supporting a real family, or just the latest example of social engineering and poor taste?
For most of us, it’s our nature to be trusting, and because of that, we aren’t checking before we transfer, sign, buy, or accept. Security has been focused on securing end-to-end processes typically with employees. What security hasn’t been focused on is securing and authenticating the actual interaction that is happening digitally between two people, two companies, or their customers across multiple realms. When organizations take a step back and really ask themselves how they are exposed as a result of this transition to Web 3.0, the answer lies deep in the interaction model and shines directly on authenticating and identifying all involved parties and maintaining a “chain of custody” just in case they got it wrong.
Solutions like MFA, biometrics, and token-based authentication have emerged to do some of this, but the problem is that they are not continuous or woven throughout the entire customer transaction lifecycle. We aren’t securing endpoints anymore; we are securing digital processes and customer interactions that require continuous authentication and identity verification no matter where that interaction takes place.
Despite the industry’s best efforts, do-no-gooders continue to remain one step ahead. To match their pace in Web 3.0, authentication and identity verification need to be continuous, yes, but also more than MFA. More than answering what your high school mascot was. More than acknowledging you aren’t a robot.
As organizations embrace Web 3.0, authentication and verification techniques will need to evolve to become more sophisticated and stringent. This means confirming your identity before you join a Zoom meeting. This means organizations must develop accurate and reliably reproduced audit trail capabilities for all interactions. Capabilities that prevent one person from signing or giving consent for their co-worker. These processes may seem excessive, but it’s what must happen to protect ourselves. And we don’t need to sacrifice the experience to do this. Verifying who we are doesn’t have to be disruptive, and it must be invisible.
This is the only way we protect against a world that operates on billions of insecure links sent around the world every day. It’s the only way we secure our identities and enterprise revenue growth while effectively managing risk and maintaining compliance. The only way we infuse trust in the brands of tomorrow is to bring integrity back to the internet, and make good on the promise of 3.0.
This blog, written by Matt Moynahan, President & CEO of OneSpan, was first published on Forbes.com on November 2, 2022.