With 2024 behind us, we saw another challenging year in the world of cybersecurity – highlighted by new and evolving threats like Artificial Intelligence (AI)-driven phishing and increasingly sophisticated cyber attacks overall. Yubico’s September Global State of Authentication Survey confirmed the challenges, even underscoring the potential risks of these new threats. The report emphasized the importance of wide-scale adoption of cybersecurity tools like multi-factor authentication (MFA) and phishing-resistant passkeys.
While the survey results were eye-opening, it allowed businesses an opportunity to reflect on the effectiveness of existing cybersecurity practices and what changes should be made in 2025. Whether the changes are spurred by increasing threats or the evolution in global government regulations, it’s clear that the year ahead will bring many cybersecurity changes across the enterprise. To get a better understanding of where the cybersecurity landscape sits heading into a new year, we sat down with Yubico’s experts to discuss what top trends they’re seeing unfold across the industry in 2025.
Check out insights from our experts below, as well as in our recent webinar detailing our top recommendations for staying cyber resilient in 2025 here. Visit part two of our 2025 predictions here focusing on government regulations, and cybersecurity across critical infrastructure and financial services.
The future of digital identity wallets: Stina Ehrensvard, Founder
The Internet, initially created by researchers for sharing information, has become a major threat to democracy, security and trust due to bad actors leveraging it to attack individuals, companies, and nations. The majority of these challenges are caused by stolen, misused or fake identities. To mitigate these risks, some claim that we have to choose between security, usability and privacy – but there is a clear solution focused on the broad adoption of digital identity wallets and open standards for digital identities.
Digital identity wallets aim to offer a new approach to the use of federated identities where users are in control of when and where their personal data is shared – and with whom. User credentials and data includes important things like driver’s licenses, insurance cards, work and student visas, travel documents, credit card data, educational credentials, and digital medical prescriptions. Modern FIDO-based authentication is a natural fit to secure digital wallets as users are becoming more familiar with its associated registration and sign in flows now that many websites have adopted passkeys as a means to access their services.
As we continue seeing more success stories about digital identity wallets and continued momentum of open standards for digital identities, in 2025, I expect many more countries around the world to adopt the technology and secure citizens and organizations with these digital wallets backed by FIDO-based security.
A look at a passkey future: Derek Hanson, VP of Standards and Alliances
Passkeys have taken the world by storm as the de facto authentication solution to replace passwords. As we continue navigating the ever-changing landscape of cybersecurity, embracing passkeys will be critical – but the role passkeys actually play in securing our online identities depends heavily on how they are used. Unless organizations do all the right things and have an effective strategy in place throughout the user lifecycle, passkeys won’t reach their potential. Over the next year, I expect to see a rapid rise in adoption of passkeys across the enterprise – but it will still take time for organizations and consumers to fully take advantage of the benefits passkeys provide as they continue understanding the new technology.
In the short term, consumers may continue to be hesitant to adopt MFA – primarily because their experience with MFA has traditionally been cumbersome and difficult. While better than no MFA at all, the reliance on SMS-based OTP as a primary MFA factor is dangerous. SMS-based OTP is widely available and offered as a standard by organizations around the world and because of this customers are now accustomed to it. When we’re talking about consumer behavior, there is hesitancy to change or adopt anything else unless they see it in more places where they’re familiar with and respect.
I believe the solution is clear: enable broad support for passkey authentication. Like any new technology, passkey adoption will be slow – unless organizations begin to remove unsafe methods of authentication for users, like SMS OTP. It’s also important to prioritize following recommended guidelines around creating a good user experience that encourages users to enroll passkeys and educates them on the value to them as users.
The rise of AI-driven cyber threats: Chad Thunberg, CISO
More than 80% of all cyber attacks start with phishing, primarily due to its relatively low cost and high success rate. That number will continue to grow even higher with the advent of AI-driven phishing attacks. By automating the most time, skill, and labor-intensive parts of running phishing campaigns, generative AI is making it possible to dramatically increase the number of attacks and lowers the bar for less capable attackers to get involved with phishing.
The risk doesn’t end there, though. We’ll continue to see generative AI make each social engineering attempt more potent and likely to succeed because modern AI leverages massive amounts of data to support generating realistic text and voice-based attacks, or generate a dossier on specific targets to be used in a sophisticated campaign. For example, AI can mimic someone’s writing style or reference relevant and accurate details extracted from previous breaches. It can even create “deep fakes,” where attackers use AI to synthesize someone’s voice and speech patterns.
These types of attacks usually focus on convincing the victim to take action but can be mitigated by validating the request using an alternative communication path – ideally one that is known to be good. For example, if you receive an email from a family member asking you to send them money to help them get out of a situation, call them using a phone number that you already possess for them to confirm the situation.
We’re likely to see broader adoption of standards like those from the Coalition for Content Provenance and Authenticity (C2PA), which help consumers verify content authenticity. As the volume of generated content surges, confidence in content will decline—unless countermeasures like these are widely adopted and well understood by consumers.
Legacy MFA solutions are already under attack, and generative AI will make them even less effective. This is why it’s more critical than ever to be vigilant of these threats, and stay one step ahead of attackers with phishing-resistant security keys by removing the human error that leads to the success of AI-driven phishing attacks.
