Looming quantum event gives rise to the need for cryptoagility, post-quantum prep

So-called Q2K scenario has no fixed time but the time to get ready is now: Teresa Wu

For a few years now, the cybersecurity community has had its own version of Y2K, the calendar change that threatened to take down global IT infrastructure. This time it’s not a date issue, but rather the massive implications of quantum computing, which theoretically could make traditional encryption schemes obsolete. Terms like “post-quantum cryptography” (PKC, curiously enough) and “cryptoagility” are entering the digital identity lexicon, as providers prepare for the emergence of computers that can process vast amounts of information at previously impossible speeds.

And it’s happening faster than many expected. Microsoft recently unveiled Majorana 1, which it calls the world’s first Quantum Processing Unit (QPU) powered by a “Topological Core,” designed to scale to a million qubits on a single chip. This kind of power gives computers the ability to calculate what was previously incalculable.

In a presentation at the Secure Technology Alliance’s Identity and Payments Summit, Idemia’s VP of smart credentials, Teresa Wu, is blunt: without active preparation, we are in a lot of trouble. Meeting the challenge will require increased collaboration between physical security and digital security teams that currently operate in silos, as well as a host of tools and technologies to ensure the best possible security posture.

In the new world of cybersecurity, “every single employee is an attack surface,” Wu says. As such, enterprises need to adapt, which means letting go of outdated models and facing the reality of the situation. Fraud-as-a-service models, deepfakes, generative AI and the quantum capability for vastly improved computing speeds have accelerated the need to make changes that Wu says are long overdue, anyway.

Curse the password, broken-down jalopy of security tools

For one thing, “passwords need to be gone,” she says, comparing the 60-year-old ID security technology to a car of similar vintage. Cryptoagility means embracing passkeys, which are unphishable and increasingly supported. Mobile driver’s licenses (mDL) are a piece of the puzzle – but not, says Wu, in isolation: mDL and identity verification are not an either-or thing. For ID verification, biometrics now absolutely need liveness detection; as to whether or not to use passive or active, says Wu, why not both?

Wu displays a graphic of nesting circles that has mDL at the center, followed in concentric layers by mID, identity wallets, digital verifiable credentials and – the outer layer – digital identity.

Prepare to be nimble as quantum capabilities improve, standards evolve

The overarching point is that security is more fluid than ever, and cryptographic algorithms that can withstand the quantum transformation are young. Wu says that for the next 10-15 years, with extensive real-world deployment, vulnerabilities may appear. While some algorithms could prove less secure than anticipated, standards will be evolving in tandem.

Wu refers to the development of increasingly advanced defenses against the quantum threat as a cat and mouse game. She says as soon as a vulnerability is discovered, algorithms must be updated, including physical credentials and devices. And there must be the ability to decouple encryption algorithms from workflows in cases when an algorithm needs to be changed.
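The decoupling described above can be sketched in code. This is an added example, not material from Wu's presentation: the `CryptoPolicy` class, the algorithm ids and the demo keys are hypothetical, and HMAC variants stand in for real classical or post-quantum signature schemes so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed algorithm ids and demo keys. The HMAC variants are stand-ins for
# real signature schemes (classical or post-quantum) so the example runs offline.
REGISTRY = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha512": lambda key, msg: hmac.new(key, msg, hashlib.sha512).digest(),
}
KEYS = {"hmac-sha256": b"demo-key-1", "hmac-sha512": b"demo-key-2"}

class CryptoPolicy:
    """Single place that names algorithms; workflows only call protect/verify."""
    def __init__(self, current, accepted):
        self.current = current         # algorithm used for newly issued data
        self.accepted = set(accepted)  # algorithms still trusted on verification

    def _tag(self, alg, body):
        # Bind the algorithm id into the protected bytes to resist relabelling
        return REGISTRY[alg](KEYS[alg], alg.encode() + b"." + body.encode()).hex()

    def protect(self, payload):
        body = json.dumps(payload, sort_keys=True)
        # The algorithm id travels with the data so older items stay verifiable
        return {"alg": self.current, "body": body, "tag": self._tag(self.current, body)}

    def verify(self, env):
        alg = env.get("alg")
        # Allow-list: unknown or retired algorithms are rejected, never negotiated
        if not isinstance(alg, str) or alg not in self.accepted or alg not in REGISTRY:
            return False
        expected = self._tag(alg, str(env.get("body")))
        return hmac.compare_digest(expected.encode(), str(env.get("tag")).encode())

def issue_credential(policy, holder):
    """Workflow code: identical before and after an algorithm change."""
    return policy.protect({"holder": holder, "type": "employee-badge"})

def migration_demo():
    policy = CryptoPolicy("hmac-sha256", {"hmac-sha256"})
    old = issue_credential(policy, "alice")
    # Weakness reported: new issuance moves over, old items verify during migration
    policy.current, policy.accepted = "hmac-sha512", {"hmac-sha256", "hmac-sha512"}
    new = issue_credential(policy, "bob")
    during = (policy.verify(old), policy.verify(new))
    policy.accepted = {"hmac-sha512"}  # migration finished: retire the old algorithm
    after = (policy.verify(old), policy.verify(new))
    return old["alg"], new["alg"], during, after
```

The issuing workflow never names an algorithm, so changing one is a policy update rather than a code change, and retiring it invalidates the old credentials in one step.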

Her recommendations for a strengthened security posture include developing gen-AI-resistant employee onboarding, adaptive authentication that continuously monitors for risks, and eliminating those moldy old passwords. Get ahead of the curve, she says – and if you have a tool at your disposal, use it!

While Wu’s presentation dangles the specter of a “Y2Q” scenario, others advocating for cryptoagility say the quantum leap is not likely to be a singular event. In a separate summit panel, Johannes Lintzen, director of business development for PQShield, says “it’s going to be more of a moving thing. But the transition is already in full swing.”

Only the nimble are likely to survive. In the meantime, says Lintzen, “be proactive, but take your time. Find people to talk to about it.” Understand what is ahead and plan accordingly – or, metaphorically, don’t wait to put new tires on your car until after they’ve caused you to crash.

 
