I was fortunate to have three different mentors that made my career. One was Bob English. What we used to say about Bob was – ‘Bob is always right, we just don’t always listen to Bob.’ Bob and I used to talk about technology and I enjoyed those conversations. And I thought it would be fun to have them. Most of them were the result of him writing something I barely understood and didn’t agree with.
Almost 20 years ago, I was working on a streaming media appliance. And Bob was irritated because he felt that there was a business model that could make streaming work, and selling appliances was not it. Ironically he was arguing for NetFlix like streaming models where residuals were a thing about 10+ years before NetFlix became a thing.The current strike makes me wonder what Bob thinks about AI and media.
Who is Bob?
Robert M English is a computer systems architect with experience in server development, systems internals, and large-scale systems deployment.
ChatGPT and deepfake technologies have generated new concerns for computer security, mostly due to the possibility of much stronger, more personalized phishing attacks conducted at a large scale. Such attacks attempt to get users to divulge the secrets underlying most account security and are effective precisely because authentication is based on such secrets. An alternative approach, tying authentication to the identity of the user, would be far less vulnerable to such attacks and much stronger overall.
To see the relative strength of an identity-based model relative to secrets associated with accounts, consider the way we access websites. We contact DNS, which points us to a set of IP addresses, and then we open a secure connection. Passwords do not play a role in this process. Google.com does not have accounts with its users. Instead, it authenticates itself with a certificate, which clients can verify using the website’s public key. The private keys associated with this system are still secrets that must be guarded, but the number of secrets is small and tightly controlled. Successful impersonations of websites are rare and typically limited to the site where the security breach took place.
With account security, the number of secrets that require protection is the product of users and websites, and the secrets themselves are widely spread. Users often choose passwords themselves, so learning a single password on a single site can compromise a user everywhere, making users only as secure as their weakest account. Password managers can prevent the re-use of passwords and help users manage the resulting password explosion, but they rarely work with all sites or applications.
Multi-factor authentication helps by treating the user more as a person with an identity separate from the account and requiring that the user respond through a separate channel, with its own authentication mechanisms, in order for the password to be accepted. Unfortunately, MFA implementations tend to be limited. Some effectively replace passwords entirely, so that the secondary communication channel becomes the true single factor in security. Some create serious account recovery challenges in the event of device loss. Most require additional steps in a typical authentication sequence, creating a poor user experience.
The situation is worse with accounts that predate the web. In many financial systems, access is granted with the account number, a ‘secret’ shared whenever the system is used. Social security numbers are used both as personal identifiers and secrets that can verify identity. Systems sometimes attempt to verify these tokens with additional information, but the information they use is often publicly available.
The recent introduction of passkeys improves security by replacing passwords with public keys similar to those used in website authentication, but the approach remains fragmented, based on shared knowledge at the level of individual accounts. Both accounts and users must track the public/private key pair associated with the user and service, increasing complexity in operation, storage, and recovery.
A better alternative is to base authentication on the identity of the person or entity taking the action. Instead of the knowledge of a secret (however constructed) giving access, the identity of the person gives access. Jane Doe might have access to an email account, an online retail account, a credit card, and a bank account. Steve Smith would not, whether or not he knew a password or account number. Jane could give access to Joe simply by granting Joe access privileges, without the need for an explicit interaction between Joe and the account.
Prior to the arrival of mobile devices, identity was difficult to verify. A person might hold a driver’s license, but a website (for example) would have no way to determine that or to determine who held the card. Today, mobile devices are ubiquitous, able to perform secure protocols to signal the identity of their owners and equipped with layers of mechanisms to determine whether their owner is, in fact, the person using the device. Most authentication today uses these mechanisms to drive access without making them central to the process. Making identification central to authentication would both greatly enhance security and simplify the lives of users.
In digital identification architectures (such as the ones described in this NIST standard), a user establishes credentials via a Credential Service Provider, and those credentials establish the user’s identity. Individual services associate the credentials with the account. The CSP is responsible for verifying that users are, in fact, who they say they are and reflecting to services a level of confidence in that assessment. Users have control over how much information they reveal about themselves to services, allowing privacy to be protected, even when the CSP has access to enough information to make identification very strong.
Users might choose, for example, to allow a CSP to track their locations on a regular basis as a means to enhance security. In such a case, a successful impersonator would have to both defeat whatever mechanisms the CSP used to verify identity and either match the user’s movements or prevent the user from updating the CSP with their new location. Users might be unwilling to share such information with every service they interact with but might be willing to share it with a CSP with strong data protection policies.
Account recovery within such a framework can be greatly simplified. With MFA approaches, for example, a lost device might require an MFA interaction with every affected account. With an identity-focused approach, a user has to reverify with the CSP, and that implicitly re-verifies with all associated accounts. The fact that it can be done once for all accounts allows recovery to be more secure as well as more complete. A user could, for example, have limited access on initial recovery, and only have full access restored by having their identity physically verified at a trusted institution such as a bank.
Identity-based authentication is intrinsically additive. If Google and Facebook both provided identity services, for example, users could verify with both, and account penetration would require simultaneous penetration of both Google and Facebook. A user with particular concerns could require verification through multiple devices simultaneously.
One remarkable aspect of today’s online security is how close we are to this, how many of the pieces of it we have, without reaping the benefits. Our phones verify us with a combination of biometrics and a secret that is never shared, protecting both types of data with high effectiveness. Our phones implement password managers, and to some extent, the sum of those passwords represents a digital identity. Particular accounts, such as Google, may store additional secrets on our phones to enable MFA. The phones have location services and the ability to update servers with our locations, our gait, even our heartbeat.
In spite of all that capability we carry with us every day, someone who gains access to our credit card number can still use it to make fraudulent purchases, harming vendors and service providers if not us directly. Additionally, if we lose our phones, we may have to re-verify with a range of service providers, and the extent of that range is limited only by the amount of inconvenience we’re willing to tolerate in the pursuit of security.
All of the necessary pieces are in place, and all the technologies are known. The primary obstacles aren’t technical issues but business ones. Large tech players haven’t fixed these problems not because they can’t, but because they don’t see it in their private interest to do so.