The changing face of digital identity.
When we talk about identity, it is a far more interesting topic than you might imagine, largely because nature has perfected identity between humans, animals, insects, and even microbiological systems. It is fascinating to think that as earth has evolved, ‘trust’ and ‘identity’ have become two common elements for every living thing on earth, including humans. We are the grand communicators, and how we have developed trust and identity as a species is remarkable. We use sight, sound, smell and even touch to determine identity. As multi-sensing organisms, our ability to build trust quickly, and to build lasting trust between individuals, is remarkable when you truly think about all that is going on from a physiological perspective.
To illustrate this point, a common moth has developed a very complex form of communication through chemicals. As a female moth flies around, she diffuses a trail of chemicals that a male moth can follow, identify, and ultimately use to find the female moth. In a test, a male moth was given the choice to fly to a female moth it could see in a transparent air-tight box or to silk paper that was infused with the complex chemical smell of a female moth. The male flew to the chemical every time, which means that a male moth has developed the capacity to understand the identity of the chemical, not the sight of the female moth. Simply put, the moth uses smell over sight as a far ‘safer’ way to verify identity. Since all moths look the same to avoid predators, it would be impossible for a male moth to identify a female by sight. So the male moth uses the chemical identifier, which is a far more accurate and also safer method of verifying identity.
Chimpanzees use complex systems that include verbal and non-verbal cues to build trust and communicate. What is interesting about chimpanzee communication is that they do not talk per se but rely more on touch and visual movements to communicate and build trust. New groundbreaking research shows that chimps can communicate far better than we thought and can recognize symbols on a keyboard to communicate with humans. Researchers in Iowa have shown that chimps can memorize around 250 symbols and even know how to lie. Yes, chimps can and will lie to get something they want or even manipulate others to get what they want.
Knowing that nature has naturally created a set of ‘rules’ around identity and trust, how have digital identity and trust evolved? Digital identity first started when a PhD student from MIT named Fernando Corbató had been doing research on a project for CTSS in the 1960s to provide better access security for computer networks. As he would say, “passwords were a no brainer!” However, you cannot tell this story without mentioning IBM, which was also working on a project called Sabre at around the same time. IBM was using a password with Sabre to protect access, but I cannot verify this fact and was not sure if this was around the same time. So, Fernando Corbató has largely been hailed as the inventor of the username and password.
As we began the PC era, Microsoft launched one of the first ‘commercially available’ username / password systems to unify online identity, a product called Passport (yes, I am old enough to remember using it). Passport’s goal was to give customers a trusted online identity from a well-known company (i.e. Microsoft’s Hotmail). By creating a trusted login, online identity could allow more robust interaction in applications like email or through the completion of online data forms. Sadly, due to a poor user experience and bad user preferences, it ultimately died a slow death. A screenshot of the Passport login screen is below.
As the internet era began, Facebook made a significant contribution to online identity. They pioneered a way to build ‘trusted’ identity for its website. As you might recall, personas were the death blow to Myspace because you never really knew if the person online was real or a persona. What Facebook did was to require every user to log in with their given name and a valid email address to prove they were a real person. Facebook’s users began to trust the ‘real identity’ approach of Facebook and started requesting it on other sites. To Facebook’s credit, they developed a way to allow websites and mobile applications to take advantage of its ‘trusted’ login and provide credentials all across the internet on many of the most trusted websites. You must give a lot of credit to Facebook for creating and ultimately proliferating.
As we move into the mobile era, Google has been a visionary in the digital identity space by creating one of the better multi-factor authentication capabilities today. The idea of ‘proving’ identity using Multi-factor Authentication (MFA), where a user must satisfy additional login requirements, something you have (a mobile phone), something you know (a password) and something you do (log in to your phone and tap ‘yes’), is the gold standard. Unfortunately, some very good hackers proved recently at a Black Hat event that MFA can easily be broken and it is no longer the infallible form of identity for digital users. Learn more here from famed lifelong hacker Kevin Mitnick.
So, to create a secure digital identity, you need math (protected keys) and you need secrets (things only you know that prove you are you), but those were kept on your computer. What if you could always have your security with you, but not on your computer? And facial recognition became the next big leap forward.
When we talk about facial recognition, yes, Apple devices use facial recognition today, but they are by no means the pioneer of the technology. To tell the history of facial recognition we need to take you back to 1965, when Woody Bledsoe, Helen Chan Wolf and Charles Bisson worked on a project to get computers to recognize faces. This work paved the way to recognize various landmarks on a face, such as the eye centers, mouth, nose, etc., and this image was mathematically rotated so a computer could understand different facial references depending on the angle of your head. It was very brilliant mathematics and the beginning of facial recognition technology. Over time, facial recognition matured: new algorithms were created, better accuracy could be verified, and facial recognition was even combined with other technologies to prove you are live and not an image.
In the 60s, Woody struck out with two colleagues to found their own company called Panoramic Research Incorporated in Palo Alto, California. Panoramic Research ultimately failed, but one of its outcomes was a machine built to take 10 photos of different people and see whether the computer could recognize the images. The whole idea of recognizing a ‘face’ was truly a quantum leap, especially when you think about a 3-dimensional face. His ideas around recognizing the relationship between the eyes, ears, nose, eyebrows, and lips were revolutionary. Over time, facial recognition has become more accurate with advancements in pattern recognition, biometrics, and machine learning capabilities, and it will continue to advance. Today, facial recognition can be used successfully as a new factor in a multi-factor approach to identity management. Still, it is not 100% secure, but it is certainly moving us in the right direction.
Speech recognition is an identifier that has progressed from the 60s and is still very viable today. Most know speech recognition from devices like Siri, Alexa, and Google Voice. What most people don’t know is that, again like facial recognition, it has roots in the 60s, when Bell Labs patented technology that could recognize voice and comprehend 9 consonants and 4 vowels. Thanks to DARPA and the US Department of Defense, ‘Harpy’ was developed by Carnegie Mellon, which could comprehend 1011 words and had a far more efficient way of searching for logical sentences. In the 90s the speech recognition technology matured, and Dragon became one of the first companies to develop ‘voice dictation’ technology, allowing users full dictation at up to 100 words in a minute. However, voice could not be relied upon as a recognizable identifier, since a sound wave can be captured, manipulated, and ultimately spoofed by algorithms.
The newest identifier is still in development but shows incredible promise. It is called Keystroke Dynamics. Keystroke Dynamics identifies you by how you type on a keyboard, and what makes this unique is that it’s ‘something you do’ that requires ‘effort’. You could argue this technology began in 1844 with the advent of the telegraph. In fact, many of the operators of that time had their own style or tapping speed that could be identified by those doing Morse Code (tapping at a certain speed or with a certain inflection). Then the military had an interesting way to identify allies by using a system of ‘dots’ and ‘dashes’ that would allow you to clearly identify the sender or receiver based on the speed of taps or delays. It was a brilliant way to identify if someone was a friend or foe.
As people looked at more biometric identification measures, a new field of study emerged called Behavioral Biometrics. This is the study of identifying and measuring patterns in human activities. Biometric verification studies keystroke dynamics, gait analysis, voice ID, mouse and even touch analysis on a screen. All of these forms of biometrics can be used to create identifying patterns, by picking out specific points of data as match points and storing the ‘matches’ in a database for validation in “real-time”. One of the pioneers of keystroke dynamics is Dr. John Rome, together with his brilliant colleague Tom Ketcham. They have developed the first commercially available ‘real-time physical behavior authentication system’ at Intensity Analytics. This technology can accurately identify you by how you type and has become a widely adopted second factor in a multi-factor authentication strategy.
As you can see, ‘identity’ has changed significantly throughout the years, especially as we have moved into the digital age. Building trust and, most importantly, ‘proving’ trust in a digital world is very challenging. Today there are new tools, revitalized old tools and emerging technologies that will help ensure that identity access to devices will become more secure.
With this post, I wanted to let you see how authentication is important to us at Secured2 and how the market of identity has evolved over time. When you combine some of these exciting new and even old technologies with our security you are creating an end-to-end solution that protects you, your company and your data. Delivering our promise, ‘with Secured2 your data is safe. Period.’