
Securing the Metaverse and Web3

Security must be built into the metaverse as it moves from science fiction to science reality

The terms ‘web3’ (Web 3.0) and ‘metaverse’ have been so heavily promoted by the cryptocurrency and gaming industries that it is easy to think it’s a niche terminology with little overall business value. That would be wrong. Each technology offers valuable business opportunities — but their synergy could change the nature of the future internet.

Web3 fundamentally comprises the blockchain technology that underpins cryptocurrency. Cryptocurrencies are still searching for legitimacy beyond a risky and highly speculative investment opportunity. They haven’t found it. They are loved by speculators and widely used by criminals but largely shunned by a business world that prefers the greater stability of fiat currencies (Bitcoin dropped in value from around $60,000 in November 2021 to less than $18,000 in June 2022).

Nevertheless, cryptocurrency paints itself as the future of global finance (not impossible, but a long and hard road). By promoting the underlying technology as web3, and describing it as the future of the internet, it gains some credibility for its own futuristic claims.

The metaverse is any technology that provides an immersive experience, so that users feel as if they are part of the experience rather than just spectators of a flat or moving web page. The gaming industry has been moving in this direction for years – but the reality of fully immersive virtual reality is still largely in the future.

Nevertheless, the metaverse potential goes way beyond gaming, driven by the human preference to talk ‘in person’. Immersive virtual reality on social platforms will allow people to meet and talk face-to-face, will bring remote workers together more effectively than Zoom, will allow genuine distributed learning from junior school to metaversities, will facilitate effective remote medical consultations – and much more.

The synergy between web3 and the metaverse will come from the greater need for fine-grained and secure access control into, and identity within, the metaverse – something that can be effectively delivered in a secure decentralized manner by web3’s blockchain technology. It is the focus on identity within the metaverse, and the ability for web3 to deliver that identity securely and across multiple metaverses, that leads some commentators to describe web3 as the enabler of the metaverse.


Web3 is a decentralized iteration of the internet built around the principle of the distributed ledger (blockchain); that is, the same technology used to one degree or another by most cryptocurrencies. “Decentralization,” says KPS Sandhu (known as KP), CTO for cybersecurity at Tata Consultancy Services, “will give greater control to users over their content while bringing together features such as user personalization, transparency, security, and immutability.”


The purpose is to improve on the current web2 by allowing the creation of decentralized applications (dApps, as in DeFi for decentralized finance apps) to support data sovereignty and combat the current web2 paradigm that allows large enterprises to control and manage access to copious volumes of user data.

“Data architecture from web2 to web3 is very different,” explains KP, “with web3 apps expected to be open, sovereign, non-custodial, and governed by community. These dApps store data across a decentralized network where individual users would be guaranteed ownership, privacy, and intellectual property rights. In such a distributed computing and decentralized storage architecture, it would be nearly impossible to censor or manipulate such data, as there would be minimal manual intervention and smart contracts would execute processes automatically based on defined triggers.”

A metaverse is not dependent upon web3 technology. However, the long-term hope is that different metaverses will be able to interconnect, with users moving freely from one to another. Identity verification will become essential. Reauthenticating before gaining access to each different metaverse is the web2 approach, retaining all the existing problems and insecurities of identity management. A web3 distributed ledger approach to identities would solve this. The metaverse provider will not require an identity database for its users (repeated by every different metaverse provider); each user will effectively carry his or her own authentication in some form of token issued by the web3 distributed identity application.

“The concept of web3 identity,” explains Jose Costa, CISO at Tugboat Logic, “is that personal data is not owned by one corporation nor stored in one place.” The data is split into many pieces and stored on many different servers. As such, it is more secure than storing everything in one database – criminals would need to simultaneously locate and compromise every different server.

The user could specify what bits of information may be used. Technically, the service provider may not need any of the PII – merely a token from the blockchain verifying the identity and veracity of the logon candidate. With so much security over the PII, the user may feel more confident in disclosing more personal detail knowing that it cannot (but let’s never say never) be stolen and abused by criminals, and law enforcement or intelligence agencies.

With users concerned about the misuse, abuse and commercialization of their personal data, they are likely to welcome the additional privacy offered by web3.

“I feel as we look to the future,” continued KP, “it’s going to be important to have a good structured web3 framework to enable the real implications or the real value of the metaverse to be unlocked. So, if enterprises want to go in and be able to bring out economic value or drive commerce, service customers, and especially anything that involves a virtual social metaverse, user subscriptions are important.”

Note that Facebook has already changed its name to Meta in preparation for the metaverse. The greater the number of users in a metaverse, the more useful the platform becomes – and the more critical is the trusted identity.

“But if you’re going to support a large number of users, and especially if you’re going to allow them to create their own content, it becomes increasingly important that all future metaverses are built on blockchain technology to ensure identity verification,” added KP. It will mean that individual platforms will no longer ‘own’ their users’ identities, and that source of revenue will be impacted. But capturing user behavior within the metaverse, shall we say within social network platforms, will easily provide an even greater potential for monetization.


A metaverse (there will be many) is fundamentally an immersive experience of the internet. With the addition of virtual reality, mixed reality or enhanced reality headsets, users will be able to experience 3D events as if they are part of the event rather than just an observer of a 2D projection of the event. 

Microsoft’s Mesh, for example, already uses mixed reality to present holographic images of remote workers together in the same room. “Connect with new depth and dimension. Engage with eye contact, facial expressions, and gestures. Your personality shines as technology fades away,” says Microsoft. Humans are social animals – we like to meet people in person and talk face to face. The current web does not allow that. The metaverse is not just a new application that will need to be sold to customers; the customers are there waiting.

“The metaverse,” says KP, “is a digital simulated virtual environment that converges a lot of the digital reality with physical reality. So, it could have multiple technologies which come in so they could be even virtual reality or augmented reality. There is also this concept of mixed reality where you bring physical objects and overlay a digital environment on top of them; or you could have an extended reality which is a mixed combination of all of this. So, we have a lot of different realities, but unfortunately, we picked up all these technologies as we went along. Primarily it is kind of a virtual reality with some overlay of our physical environment.”

But this multitude of different metaverses using different technologies isn’t the logical end game for the metaverse. “Eventually,” explains David Whelan, CEO at Engage (a metaverse builder), “all these different three-dimensional worlds and metaverse applications will be linked together. You will be able to walk through a doorway and move from one metaverse into another.” Imagine being able to walk into a three-dimensional representation of a hotel and look around at the facilities, and then walk through a doorway and, if wished, make and book your travel arrangements directly with a separate travel agency metaverse. Or down a street, and visit different shops…

This is where web3’s blockchained identities come in. To be able to move freely from one metaverse to another, users’ identity verification must be able to go with them. This could be achieved with tokens issued by the identity blockchain that guarantees the person is who he or she claims to be; and that token must be of sufficient strength and security to be trusted by every different metaverse. It could be continually verified through different metaverses by biometric snapshots taken by the VR headset.

Security in the metaverse

“I don’t think people yet understand one of the key dangers (as well as delights) of the metaverse: people in the metaverse will seem to be real people far, far more powerfully than they do online today,” comments Shmuli Goldberg, CMO at Identiq. “That’s hugely exciting, but it comes with a massive burden of trust. We’ll instinctively trust people far more in the metaverse than we currently do online. We’ll be hearing their voices, seeing their faces – maybe, in time, experiencing scent or touch alongside them. We won’t have the natural defenses that we have online today, where we wonder if someone is real, or if they’re who they say they are, or if they’re trying to trick us.”

This makes the protection and validation of digital identities vitally important for the metaverse, even more so than it underlies our ability to trust online today. “If we can’t get that right,” continued Goldberg, “we won’t get anything about the metaverse right. And that’s a frightening thought.”

It’s not that the threats will be vastly different than they already are; but the risks posed by those threats will be far more severe. Consider online bullying, which exists on today’s internet. Imagine the psychological damage that can be done if the identity and appearance of your best friend is hijacked by a sick-minded troller in a social metaverse. Or the ease of a BEC attack if the metaverse persona of the CEO is hijacked.

With greater risks to individuals, there will inevitably be greater regulations from governments. One tricky area will be the transfer of the currently mooted legislation to make platforms responsible for content generated by users. Will this need to become a responsibility for actions performed by users? Since the harm within a metaverse is likely to be very immediate, saying illegal content must be taken down within 24 hours won’t work. Harm in the metaverse will need to be stopped in realtime – that is, from within.

“We call it the MetaForce,” said Whelan. Each metaverse builder will be responsible for what happens within that metaverse. Repeated failure could potentially lead to that metaverse being taken down by governments, or disconnected from other metaverses within a particular jurisdiction.

Each metaverse is likely to have its own MetaForce. On occasion, this could include genuine law enforcement agents, but most frequently it will comprise a team of ‘moderators on steroids’. These moderators will be able to temporarily suspend or permanently banish transgressors in realtime to satisfy government regulators.

Whelan welcomes government scrutiny. “There are vast swathes of the current internet you just wouldn’t want to visit, because of the amount of online abuse and bullying. Governments have only just realized this over the last four or five years. I think there’s a real opportunity here for a reset, where we can make these places safe and conducive to work. And that’s important, because online remote work is here to stay. I do think there’s going to be a level of scrutiny from the government, which I think the technology should really welcome at this stage.”

This opportunity for a reset is also noted by Goldberg. “Security and privacy need to be a primary focus in everything that metaverse developers do,” he said. “With web2, it was an afterthought, and the result is a mess. Companies are faced with having to protect against threats like online fraud, data breaches, ransomware – and everyone must find solutions for themselves.”

This can and must change. “The implications of the metaverse for every kind of digital interaction are so enormous that it’s just not acceptable to build first and work out the security and privacy later. It must be baked in right from the start – and that begins with conversations and decisions, now, when there’s still time to be thoughtful and to make a cross-industry impact.”

The future

There are many aspects of the metaverse that run counter to current thoughts about privacy. Facial recognition is likely to be used for continuous identity verification that the person wearing the headset is still the identified and authenticated person. Artificial intelligence, linked to facial recognition, is likely to be used in continuous age verification for entry into age-restricted adult or gambling metaverses.

There will be many problems and difficulties to overcome. Unless controlled and patrolled, a metaverse could become an anarchic and lawless place – and regulations will need to be enforced in realtime because of the immediacy of threats.

But there’s no stopping it now. “This genie is already out of the bottle,” comments KP, “and there’s no putting it back.” That means time is short. The metaverse is on the cusp of moving from science fiction to science reality. Entrepreneurs, developers, law enforcement and governments need to collaborate now, so the opportunity to develop a safe and secure metaverse to replace the insecure web2 is not lost.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
