Identity protection is key to metaverse innovation
If today’s metaverse was a shopping mall, there would be many department stores with their own rich selection of products. Roblox allows you to shop for a new avatar’s outfit or to check out the latest digital real estate valuations. However, you can’t take your Roblox avatar to Decentraland or view a VR movie on another platform. Still being constructed are the hallways, elevators and kiosks as well as reference maps, which make it possible to transport your shopping bags from one store to another.
Digital identity is complex even in today’s 2D internet. Phishing is so sophisticated that even an email from your bank, a phone call from your auto insurance, or a text message from mother might not be what they claim to be. However, the immersive nature of the metaverse may allow for more sophisticated forms of identity theft and mimicry.
” The threat of social engineering could be even more dangerous in a 3D-world, where deepfakes are more common and an imposter can trick victims more easily,” Jeff Schilling, global chief info security officer at Teleperformance, says. He stresses the importance of digital identity. “Regardless of whether you are using the telephone or the metaverse, the best way to resist the temptation of social engineering is to have a foolproof method to validate who is speaking .”
Identity protection is a crucial part of any successful business operations in metaverse. It’s especially important for those on the ground floor.
Metaverse innovators can lead on cybersecurity
Although the metaverse is currently a patchwork of individual companies’ siloed experiences, that won’t be the case for long. Major technology players are already busy constructing the infra-structure. Open Metaverse Interoperability Group (OMI Group) is another open-source community of industry veterans. They work to help companies achieve “metatraversal” capabilities, which allows them to seamlessly move from Saks to Starbucks. These innovators will soon want to integrate these environments to create seamless experiences for their customers.
David Truog, vice president and principal analyst at Forrester, points out that the metaverse will be the next iteration of the internet–and like the early web, it will go through some growing pains. He points out that the web was still in its infancy when it didn’t have encryption or ecommerce. “Nobody had site passwords or an online bank account.” He says. Truog says that these systems were essential to allow people to communicate privately, buy things, and trust that they could submit a creditcard number online
In the metaverse, cybersecurity will play a greater role in establishing similar interactions. The first to move into the space are therefore in a unique position in which to anticipate security gaps and implement safeguards right away.
In this early stage of the metaverse there is an opportunity for companies learn from past technological advancements and security snafus. For example, the advent of AI algorithms has highlighted the importance of protecting against bias. Encryption was essential for cloud migrations. Schilling says that when the business community first moved from the traditional data center environment to the cloud public environment, everyone was excited but forgot to bring their security equipment. “I see a similar scenario with the metaverse
It is important to ensure that everyone has a seat at this table. These startups can make a great investment in a chief information security officer (CISO), or chief technology officer, for example, who have a deep understanding of cloud technology that will underpin most of the metaverse.
Many startups with great ideas start with five people around the table. Schilling says that he believes one of the five people should be a security officer today. Identity protection against new threats
Other security threats could grow more dangerous in the metaverse, in addition to more sophisticated social engineering strategies. For example, new ransomware could allow for large-scale “cryptojacking” to take over systems that can be used for cryptocurrency mining. Trojan horses and malware that targets consumers could become more sophisticated, with malicious code transforming into free swag, such as avatars.
” Some people believe that the metaverse is a three-dimensional representation the IT environment we have today. Schilling explains that there are some operational differences and a lot of seams when it come to threat scenarios .”
Authentication and identity are a particularly difficult area. How can a celebrity or CEO protect his or her avatar against copycats and copyright infringement? How can companies ensure that their employees are true to themselves, in both internal and external contexts?
“Avatars that look like the people they’re claiming to represent may be able to slip more effectively past people’s guard, because they tap into our natural human inclination to base our decisions about someone’s identity on recognizing their face and mannerisms,” says Truog. Identity protection has become a billion-dollar market. It includes passwords, biometric logins, and end-toend encryption. The identity protection global market size was around $12.3 billion in 2020, and it’s projected to nearly double that by 2025, according to the Identity Management Institute.
Robust identity protection can help protect against unauthorized access to sensitive information, ransomware attacks and identity fraud. It can be difficult to keep up with hackers’ latest scams. A 2020 report by the Identity Defined Security Alliance (IDSA) found that 79% of respondent organizations had experienced an identity-related data breach in the preceding two years. Those metrics continue to worsen: in a 2022 follow-up, 84% of respondents reported an identity- related data breach in the last year.
That’s not to say identity protection is futile. Of the 2020 IDSA survey respondents who experienced an identity- related breach, a full 99% believe these types of attacks are preventable. Data from the report also suggests that proactivity makes a difference–34% of companies with a “forward-thinking” security culture reported an identity-related breach in the year preceding the survey, versus 54% of companies with a “reactive” culture.
We’ve seen glimpses of the potential for identity protection to fail in the metaverse. Over the past few years, social media companies have spent significant sums to remove fake users and bots. At the start of the covid-19 pandemic, as teams adopted videoconferencing for remote work, many companies saw firsthand the necessity for security parameters around virtual meetings.
This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial staff of MIT Technology Review.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.