WHY THE ROOT OF TRUST ABSOLUTELY MATTERS FOR DIGITAL ACCESS
by Jeff Scheidel, Vice-President, authID
Shakespeare said “a rose by any other name would smell as sweet,” saying that he would adore Juliet no matter her last name. Alas, our digital world doesn’t look that way. If the name, the SSN, the physical ID, the face, and the rest of it don’t match, you shouldn’t get in, no matter how nice you smell. Bad guys try to insert a different rose with the same name in order to access that other name’s assets, and they do it successfully all the time. But this shouldn’t be the case.
This week we’re learning that the gaming industry got hit pretty hard by a vicious attack on principals’ passwords. Compromised passwords led to infiltration, disruption, and ultimately millions in ransom. Internal systems and even slot machines were affected. In this case, the roses did not match the names.
For ages, the root of trust for identity has been the lowest center of gravity, the weak-sauce combo of name and password. Social engineering, keystroke catchers, breaches, phishing, forgotten password links, OTP, stupidity, and just plain easily guessed phrases have rendered this pair more of a liability than useful.
In an attempt to move away from sheer reliance on name and password, various organizations have migrated to leveraging device. Put your credentials on your phone, keep them off your laptop keyboard, and now that phone is the new root of trust. Easy, huh?
Except that our phones are the newest targets. State-sanctioned actors have created rootkits that can infiltrate our devices and steal that precious identity data from the very thing in your pocket, and once again, you have become your own worst enemy when it comes to safeguarding the baseline of who you claim to be to the world. If the phone is simply the conduit for OTP, it’s really no better than what you had before. Hate to say it, but we need to protect our accounts from our own selves, especially the perceived safety of our devices.
So how do we do this? In ancient times, even before spoken language, we identified to each other in the simplest possible way: our faces. We didn’t have alphabets or pronounceable names, but we had our eyes and noses. So let’s go back to the person.
I can phish your name and password for your bank. I can phish your Social Security number, your kids’ names. But I can’t phish your face. I can’t steal your mug and insert it into a verification process.
But you can use your face to forcefully assert yourself. The device isn’t the thing – it’s simply the delivery mechanism. If your face is registered as your root of trust, it doesn’t even matter which device you use. After you’ve identity-proofed and associated your face with your access, you are good, and without the baggage, liability, and risk of a password. If you are employing passkeys (i.e. a FIDO2 credential) for app- or site-specific assets, you can unlock those with your face as well.
So here’s how it should work. On Day Zero, when I don’t yet know you or whether I should trust you, you provide your physical ID, such as a driver’s license or passport (or one of 12,000 possible documents we support from around the world), and you take pictures of the front and back, along with a selfie. We do all this with a user experience that makes image capture incredibly easy. Just taking pictures in these situations is the number one reason consumers give up on these kinds of solutions. It’s too damn hard. authID provides a simple, user-friendly experience.
We OCR the data from the front of the doc, match it to the bar code data on the back, and then run dozens of quality checks on the various security markers and other features of that document to make sure it’s bona fide. Untampered, legitimately issued by the purported authority (e.g. DMV). The image wasn’t pasted on. And that image matches the selfie.
It’s really you. The document isn’t a printout or picture of a document. Same with the selfie. Liveness checks. It’s you, it’s your face, it’s your physical presence at this very moment. And all processed in just 700 MILLISECONDS. So let’s review: easy, accurate, and fast. It doesn’t get any better than that.
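As an added illustration of the front-to-back cross-check described above (example code, not authID’s own), the function below compares fields OCR’d from the front of a license against the data elements decoded from the PDF417 barcode on the back. The barcode payload is a simplified AAMVA-style element list and every sample value is constructed; a real pipeline would also carry the security-marker and liveness checks the text describes.

```python
import re
from datetime import date

# Constructed sample: simplified AAMVA-style data elements as decoded from the
# back-of-card barcode (three-letter element id followed by its value, one per line).
SAMPLE_BARCODE = "DAQD1234567\nDCSDOE\nDACJOHN\nDBB01151990\nDBA01152030\nDCGUSA\n"

# Constructed sample: the same fields as pulled by OCR from the front of the card.
# OCR output typically differs in case, stray whitespace and date layout.
SAMPLE_OCR = {"number": "D1234567", "last": "Doe ", "first": "John",
              "dob": "01/15/1990", "expiry": "01/15/2030"}

# Element ids we cross-check, mapped to the OCR field names used above.
ELEMENTS = {"DAQ": "number", "DCS": "last", "DAC": "first", "DBB": "dob", "DBA": "expiry"}

def parse_barcode(payload):
    """Turn the decoded barcode text into a dict of the fields we care about."""
    fields = {}
    for line in payload.split("\n"):
        code, value = line[:3], line[3:].strip()
        if code in ELEMENTS:
            fields[ELEMENTS[code]] = value
    return fields

def norm_date(s):
    """Accept MMDDYYYY (barcode) or MM/DD/YYYY (OCR) and return a date."""
    digits = re.sub(r"\D", "", s)
    return date(int(digits[4:8]), int(digits[0:2]), int(digits[2:4]))

def norm_text(s):
    """Case-fold and drop anything that is not a letter or digit."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def cross_check(ocr, barcode, today):
    """Return the list of fields that disagree; an empty list means the two sides match.
    Any mismatch is reported rather than silently corrected, so it can be reviewed."""
    mismatches = []
    for key in ("number", "last", "first"):
        if norm_text(ocr[key]) != norm_text(barcode[key]):
            mismatches.append(key)
    for key in ("dob", "expiry"):
        if norm_date(ocr[key]) != norm_date(barcode[key]):
            mismatches.append(key)
    if norm_date(barcode["expiry"]) < today:
        mismatches.append("expired")  # a genuine but expired document still fails
    return mismatches

if __name__ == "__main__":
    print(cross_check(SAMPLE_OCR, parse_barcode(SAMPLE_BARCODE), date(2024, 1, 1)))
```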
That’s Day Zero. From Day One and beyond, when you are authenticating for each session, you produce your face. That same face the cavemen used for identifying each other. No password, no OTP, no PIN. Just your face. The risk of the device itself is eliminated. It serves its purpose by providing a camera (although you can use your laptop camera as well), but the actual trust lies in that face. Yes, it’s you, c’mon in. Oh, lost your phone? Broke it, upgraded it? New device? No sweat, recover your account and your access with your face. No IT help desk intervention or lag. Just you. The user controls not only their own enrollment, they also control their own access, and (when needed) their own recovery.
There are so many attack vectors and attack surfaces out there, there is no reason to provide any more to the bad guys. Don’t give them a password to compromise, don’t give them your dependency on a device that they can hack as easily as your desktop. Give them something they can do absolutely nothing with to hurt you, and which you will have when you successfully and safely access your digital world: a happy face.
For more information on how your face can be your passport to your online assets, please visit www.authid.ai where we’ll put on a happy face for you.