authentication Archives - IDPro https://idpro.org/tag/authentication/ The Professional Organization for Digital Identity Management Tue, 02 Jul 2024 23:22:56 +0000 en-US hourly 1 https://idpro.org/wp-content/uploads/2023/07/cropped-idpro_stickerA-circle-100-32x32.jpg authentication Archives - IDPro https://idpro.org/tag/authentication/ 32 32 Authentication and AI: A Race Against Time https://idpro.org/authentication-and-ai-a-race-against-time/ Mon, 22 Apr 2024 19:40:04 +0000 https://idpro.org/?p=2560 Disclaimer: The views expressed in the content below are solely those of the author and do not necessarily reflect the […]

The post Authentication and AI: A Race Against Time appeared first on IDPro.

]]>
Disclaimer: The views expressed in the content below are solely those of the author and do not necessarily reflect the views of the IDPro organization.

True confession: Many decades ago, my 17-year-old self created a synthetic identity with ready-made biometric authentication…otherwise known as a fake ID. Living in Hawaii, I needed a faraway place to call my fake home, and I picked Yonkers, New York. You could call me a real-life reverse McLovin.

Get yours today! Credit: Amazon

Fast forward to now. Identification is, of course, much more easily checked – but it’s also much more easily faked. In large part that’s thanks to generative AI, which dramatically increases the scale and automation of attacks.

Crowdstrike’s Global Threat Report documents how “identity threats exploded in 2023” with a boost from genAI, and that’s not even the half of it. Read on to understand where the threat is coming from and what to do about it.

Biometrics, We Hardly Knew Ye

Many organizations have been making upgrades to strengthen their authentication capabilities, often through the application of biometrics.

But is biometric authentication the factor you think it is?

Authentication Factors: Thou Shalt Count to Three

Classically, there are three factors used to verify the authenticity of a credential; using them in combination contributes to authentication strength. (Other contextual cues in their infinite variety form a phantom fourth factor. Five is right out!)

  • Something you know, like a password, is what NIST’s Digital Identity Guidelines call a “memorized secret”.
  • Something you have, like your association with a particular mobile device, is what NIST refers to as an “out-of-band authenticator”.
  • Something you are, like your particular face or fingerprint, is what NIST calls a “biometric characteristic”.

Two of my financial services providers just rolled out voice authentication as a new “strong” method lately, and tout not just its ease of use but also its security. We are assured, for example, that “Your voiceprint is stored securely as a mathematical equation, and only works for verification with our system.”

Now why would there be a Spinal Tap reference here? Credit: MakeAGIF

Is that really how things work?

Biometrics Are Different

The unfortunate fact is that biometrics make a better username than a password. That is, they’re pretty good at distinguishing “you” from “other people”, but limited in their ability to confirm that you are you. As NIST says:

For a variety of reasons, this document supports only limited use of biometrics for authentication.

Their reasons are important to understand:

  • The nature of biometric comparison is to be probabilistic – based on statistical likelihood – rather than deterministic, such as when a system compares a presented vs. pre-registered password or device. It gets a letter grade vs. a pass/fail.
  • The false match rate (FMR) and false non-match rate (FNMR) of a biometric method are critical stats — but you don’t interpret a low FMR alone as giving high authentication confidence. This rate doesn’t even account for spoofing attacks.
  • Unlike with a password or device, there are few circumstances where you can properly revoke a biometric. After all, you can’t just do a “fingerprint reset” on yourself.
  • The biggest distinction is that biometric characteristics aren’t secrets! Many biometrics make terrible secrets because they’re part of our exhaust data, both online and IRL. It’s a losing battle to protect something like a unique face from being seen.
  • As a result, we must rely on liveness detection to ensure a binding between the presented biometric and the person. And that means we must trust a complex chain of detection sensors and processors.

The Last Decade Saw a Legit Biometrics Revolution

This isn’t to say that biometrics can’t form a crucial part of secure ecosystems.

Touch ID’s launch in 2013 started something big. Its immediate impact was to make the iPhone 5s easier to unlock. Fingerprint readers had previously required cumbersome end-user processes and erred on the side of extra-low FMRs. For the price of a few more false positives, and with a painless enrollment process built into the experience, Touch ID – and in 2017, Face ID – led to a remarkable cascade of use cases.

  • Phone usage increased. In 2013, the year of Touch ID, people were checking their phones 110 times a day. By 2022, that number was up to 352 times a day, or once every three minutes on average. (You know you’ve done it!)
  • Phone security increased. In 2013, 53% of phones were kept locked. By 2021, locked phones were ubiquitous at nearly 99%.
  • Phones became de facto data wallets. The new mobile environment, involving a secure element, made on-device storage of personal data – including items beyond biometric templates for face and fingerprint matches – attractive.
  • Phones became wallets, period. The availability of this data, and the ability to bind it to the end-user with biometrics, unleashed a flood of payment scenarios and the digital wallet era.

Mobile OS-level biometric unlocking isn’t without complications, such as reliance on a memorized secret (PIN) for confirmation and recovery. But the sheer weight of improved security and value has been impressive.

AI Cut Short the Server-Side Biometrics Revolution

Unfortunately, we’re in a dramatic new threat landscape.

I’m focusing on the “server-side” revolution because wholly digital identity scenarios – foreign travel pre-authorization, remote employee onboarding, direct-to-consumer eCommerce, gaming – have become inescapable. And they rely more and more on server-side biometrics for identity verification and authentication. These scenarios are now at extra risk when they use these biometric checks without a trusted device as another factor.

The generative AI revolution took mere weeks to explode from a bubbling low-level concern into a bona fide threat. November 2022 saw the launch of ChatGPT’s API, DALLE-2, and Whisper. Just two months later, organizations experienced disturbingly widespread AI-boosted identity fraud: In a survey concluding in January 2023, Regula Forensics found that 29% of organizations were being targeted by video deepfakes and 37% by voice deepfakes.

By December 2023, iProov’s Threat Intelligence Report revealed that face swaps increased 704% from the first half of the year to the second. They warned that “Face swaps are now firmly established as the deepfake of choice among persistent threat actors,” and that nearly half of the threat groups they’re tracking were newly created.

The report shares an up-to-date example of face swap technology (see the second listed video) that provokes amazement among viewers but is becoming routine among threat actors.

Creepy. Credit: iProov

AI technology can be used cleverly for good even in the deepfake realm – check out HYPR’s Bojan Simic “speaking” in Japanese — but even the creators of the base technologies are spooking themselves about the consequences. OpenAI has stated its Voice Engine should be held back from general release because it’s so good that it’s certain to be misused.

A Brief Tour Through the Consequences

The monetary costs of this new landscape are shocking – but we should also recognize the societal costs of these very personal forms of attack.

Classic Cyber

The most obvious consequence is classic cyber risk and fraud. Most of the attacks are intended for financial gain. A dramatic example came in early February 2024 when a Hong Kong finance professional experienced a unique form of spear phishing: a faked-up request to transfer HK$200 million, supported by an entire cast of senior exec characters deepfaked in the context of video conference calls.

Political

Nonmonetary but serious motivations include disrupting the political landscape. A voice deepfake, not the real President Joe Biden, was behind a series of robocalls in January 2024 urging New Hampshirites not to vote in their state’s primary election. Granite Staters who remembered a similar controversy from mid-2022 may have been extra confused because the earlier instance was a false alarm.

Cultural

The constant uncertainty about what’s real affects not just famous people but all individuals.

Every 100% digital interaction without a definitive authentication method now has question marks around it. We could call this the Voight-Kampff challenge, after the test in the Blade Runner movie (and source novel) to root out non-humans that relied on micro-expressions, bodily functions, and expressions of empathy. To the question “How can people not tell this is AI?” posted in March 2024, one Redditor said:

“Seeing AI pictures, reading AI generated text, I’m starting to feel like Rick Deckard. I’m no longer able to trust anything I see or even ‘people’ I talk to through chat OR voice. I’m giving everyone and everything around me the Turing Test without even realizing it.”

Another fake ID you can go and buy. Credit: eBay

Check out the TRUE project, which is taking this societal risk very seriously indeed.

Doing Battle Against These Risks

What are our best options to mitigate and prevent these risks, when AI is powering high-scale attacks and elaborate spear-phishing episodes alike?

Some options count as obvious CISOcraft (or are perhaps emerging as CIDOcraft). A Zero-Trust mindset and a commitment to layering signals and decision-making actions still go a long way. A LastPass employee recently batted away a social engineering attack that had a deepfake element but smelled wrong for traditional reasons. And successful attacks like these stolen ChatGPT credentials are AI-adjacent but not necessarily a consequence of the AI era.

Here are additional recommendations for battling these dramatic new threats.

Respect the New Arms Race We’re In

Now is the time to develop a deep appreciation for the ways biometrics are different and the ways AI is rapidly creating unknowns. Stay attuned to NIST’s Digital Identity Guidelines in these areas, and stay alert for the forthcoming final fourth revision. As well, check out the work of the Kantara Deepfakes group.

The Liveness.com site reminds us that two-dimensional liveness checking isn’t all it’s cracked up to be, yet. So, increase your awareness of the state of the art in liveness detection and participate in the security community surrounding it. If you’ve got a great solution, consider taking part in Face 2024 and other competitions. The FTC’s recent voice cloning challenge produced heartening results.

Pair Biometrics With Other Authentication Tricks

Passwordless experiences that get still-extant passwords off the wire are still better than password-bearing interactions. Much like Touch ID, they have the potential to reduce ecosystem-wide risk. So, accelerate your plans to move to phishing-resistant authentication methods. Liminal research says 48% of practitioners who are planning to adopt passwordless solutions in the next two years prefer biometric authentication.

FIDO multi-device credentials aren’t perfect, but they hit a new sweet spot for security, privacy, user choice, and user experience. So, use passkeys where possible. They typically leverage biometrics in proper fashion, binding the user to the channel used.

Get Fine-Grained About Verifying Identity Data

If you want to be sure you’re not looking at a “swapped face”, add more identity verification signals to your registration and authentication user journeys. The trick is to scope those signals to individual pieces of data, make them more privacy sensitive, and reduce their invasion into the user experience. An example is privacy-sensitive age estimation, a new biometric technique for responding to the age-appropriate design codes and website age-gating mandates sprouting up.

The emerging verifiable credentials era presents an intriguing opportunity to start trading in verified-identity “small data”. If you could ask for and receive individual verified identity signals from a user’s wallet — with biometric and binding assurances about the quality of those signals — what would you ask for?


Finally: Be wary of simply participating in a classical security arms race as your only strategy. Bots battling bots for inches of fraud detection ground won’t get us where we need to go. Incremental gains in liveness detection will be swamped by AI’s endless invention. We’re in the biometrics singularity now — so we need to innovate more than ever before.


Eve is a globally recognized pioneer in identity and access management and standards. Her roots are in semi-structured data modeling and the API economy and include a passion for fostering successful ecosystems and individual empowerment. At Venn Factory she drives identity, security, and privacy success in the connected world by bridging the gap between technical intricacies and strategic business outcomes.

Eve’s leadership on pivotal protocols such as XML, SAML, UMA, and HEART as well as industry efforts like UK Open Banking, US government health IT, and the medical Internet of Things demonstrate her unwavering commitment to innovation.

As CTO of ForgeRock, Eve oversaw emerging technology R&D, evangelism, and innovation culture, and empowered her team and cross-functional colleagues to deliver results to dozens of Global 5000 customers, partners, analysts, publications, and events. She previously served as a Forrester Research security and risk analyst covering IAM, strong authentication, and API security.

Thanks for reading! Visit the Venn Factory to request an expanded version of this article.

The post Authentication and AI: A Race Against Time appeared first on IDPro.

]]>
Client-Initiated Back Channel Authentication Finalized https://idpro.org/client-initiated-back-channel-authentication-finalized/ Tue, 30 Nov 2021 22:10:52 +0000 https://idpro.org/?p=1394 The OpenID Foundation membership voted to approve the Client-Initiated Backchannel Authentication (CIBA) Flow – Core 1.0 on September 1. Though […]

The post Client-Initiated Back Channel Authentication Finalized appeared first on IDPro.

]]>
The OpenID Foundation membership voted to approve the Client-Initiated Backchannel Authentication (CIBA) Flow – Core 1.0 on September 1. Though the CIBA flow has been available for a couple of years now in some identity products, becoming finalized represents a major step forward for hastening its adoption. So what does this new flow bring to the table, and why should we care?

CIBA, like other OpenID Connect profiles, is fundamentally about authenticating users and authorizing clients. However, unlike many other OpenID Connect authentication flows, this one affords relying parties much more flexibility in how they go about doing it compared to more familiar OIDC flows. CIBA also introduces a couple of new concepts as part of this flow. 

The first concept is authentication devices. As we can infer from their namesake, authentication devices are “the device on which the user will authenticate and authorize the request, often a smartphone1.” We can imagine using our phones to respond to a push request through an authenticator app, or via a legacy SMS or voice channel. In either case, the phone is the device we will use for authentication.

The other concept CIBA introduces is that of consumption devices. Consumption devices are intermediary devices that facilitate the consumption of a service. The specification is careful to highlight that a consumption device might not be under the user’s control (unlike the authentication device), but is simply a device that aids consumption of a service. The relying party may control the consumption device. That device could be sophisticated enough to operate its own client, or be a more simplistic interface, such as a gas pump, or a credit card payment terminal at a shop. In these situations the consumption device would be the terminal accepting your payment information. Consumption devices are not required to be technologically limited; they may have sufficient compute capabilities as to house or control the relying party’s client. Consumption devices, in conjunction with authentication devices, are what opens new opportunities for secure user authentication in some interesting, new contexts. 

There is one more unique characteristic of CIBA that needs explaining. Unlike the traditional browser or app-based flow like the authorization code flow, CIBA doesn’t use redirects between the relying party and offering party in the user’s browser. In fact, there may not be any browser to speak of in a CIBA flow. Using the gas pump example, a user could be authenticated in order to raise the assurance at the point of sale, all from the gas pump (the consumption device) triggering a push to the user’s phone (the authentication device). Setting aside the UX improvements the authentication push can offer, authenticating the person interacting with the pump prior to taking payment represents a significant enhancement for both the security and assurance of that transaction. 

CIBA can perform this redirect-free authentication flow in one of three methods: poll, push, or ping modes. Given the simplicity of each of these flows, much of the information below is taken from the CIBA specification document2.

In poll mode, the client will poll the offering party’s token endpoint at intervals and wait for information on the status of the authentication event to appear in the response.

Under the push mode, the offering party pushes (or more accurately, POSTs) the result of the authentication event to the client once it has an authentication response.

Finally, under ping mode, the offering party will post the unique identifier of the authentication session to the client. The client then retrieves the authentication result from the offering party’s token endpoint. 

Though these three methods vary slightly in how they handle authentication, they are all designed to offer comparable user experiences in environments where authentication is necessary or desired, but a typical browser-based experience may not be feasible. These methods allow relying parties to offer improved user experiences by keeping them at their own site, or by offering  interaction through a consumption device, all while raising the confidence and security of the transaction.

For more information on using the CIBA flows in your applications, check out the full specification on the OpenID Foundation website.

  1. https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.2
  2. https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.5

Jon Lehtinen

Director of Okta on Okta at Okta, Board Member IDPro

Jon Lehtinen has 16 years of enterprise identity and access management experience, and specializes in both the strategy and execution of Identity & Access Management transformation in global-scale organizations like Thomson Reuters, General Electric, & Apollo Education Group. He works to deliver automated, future-oriented Identity solutions that provide the bedrock for information security, governance, and new opportunities for business. Moreover, Jon is dedicated to the growth and maturity of IAM as a profession, and serves on the Board of Directors and Treasurer of IDPro.org. He’s a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity, served as an advisor to EvidentID, and a published author.

Jon has presented on his work at several conferences, including RSA, Identiverse, and KuppingerCole’s European Identity & Cloud Conference. He currently owns the workforce and customer identity implementations at Okta as their Director of Okta on Okta.

            

The post Client-Initiated Back Channel Authentication Finalized appeared first on IDPro.

]]>