Even Jedis Can Face Ephemeral Challenges

From a recent Identity Jedi post.

“NHI visibility and AI agent visibility feel like the same problem. They’re not. A service account is relatively static. It was created for a purpose, it has credentials, it authenticates to something. You can find it, document it, rotate its credentials, put it in a vault. That’s a solvable problem with existing tooling.

“An AI agent is different in almost every dimension that matters. It’s dynamic. It’s often ephemeral. It doesn’t have a fixed identity. It borrows one, or several. It makes decisions at runtime about what it needs to access. And it operates at machine speed, which means by the time your SIEM fires an alert, the transaction is already done.”

The Continuing Adventures of Will and Chad

Technically, Chad Smith engaged in identity fraud on Saturday Night Live when he started giving Will Ferrell’s monologue.

But no harm was done.

And while the face modality fooled many of us, the voice modality gave Chad away. Score one for multimodal authentication.

Non-Human Identity Verification

How do you verify non-human identities?

One of the reasons that I titled my ebook “Proving Humanity” is because the six (yes, six) factors of identity verification and authentication that I discuss only apply to identifying humans, and do not apply to non-human identities.

Again, so how do you verify non-human identities?

Cryptography

One way is via cryptography. As I discussed previously, the Secure Production Identity Framework For Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) provide non-person entities with “strongly attested, cryptographic identities.”

Problem solved, right?

As any human who has used a password knows, a single factor can be stolen, and that includes cryptographic factors. A private key or identity document lifted from a compromised workload can be presented from anywhere until it expires; SPIFFE identity documents are short-lived, which narrows that window but does not close it.

Provenance

Which means that we have to look at provenance. But instead of looking at the provenance of an AI-generated image or video, we are looking at the provenance of an agent that performs actions: the network origin, the environment, the associated attributes. Is the agent running on a specific, authorized, and known virtual machine or container at a specific network address, or is it running…somewhere else? (SPIRE’s node and workload attestation, which checks platform and process attributes before an identity is issued, is one way to enforce provenance at issuance time; re-checking the same attributes on each request catches an identity that has been lifted off the host it was issued to.)

Behavior

And if you’ve read my book, you know that human identities can be evaluated based upon their behavior (either tendencies or intent). You can also look at the behavior of agents. Is the agent acting at an unexpected time of day? Is it executing an unusually high volume of requests? Is it “scoping out the joint,” touching resources it has never needed before?

Multi-factor authentication

Again, it’s possible to spoof one factor, but much harder to spoof multiple factors, provided the factors are independent, so that stealing one does not hand the attacker the others. And that applies to both humans and non-human agents.
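Here is what combining those checks looks like in code. This is an added example, not code from the original post or from the SPIFFE/SPIRE project: the HMAC-signed token standing in for an SVID, the issuer key, the SPIFFE ID spiffe://example.org/agent/invoice-bot, the allowlist of nodes and networks, the behavioral baseline, and the activity records are all constructed for the illustration. It covers the provenance, behavior, and multi-factor points above in one place: a token that verifies cryptographically is still refused when it arrives from an unknown host, and a correctly placed agent is refused when it starts a burst of requests against resources it has never touched.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timezone

# Factor 1: cryptographic identity. Stand-in for an SVID: a JSON body signed with
# HMAC-SHA256 under a key assumed shared with the verifier (key and format constructed).
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"

def mint_token(spiffe_id: str, expires_at: int, key: bytes = ISSUER_KEY) -> str:
    body = json.dumps({"sub": spiffe_id, "exp": expires_at}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token: str, now: int):
    """Return the SPIFFE ID if the signature is valid and unexpired, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None  # expired: a short lifetime limits what a stolen token is worth
    return claims.get("sub")

# Factor 2: provenance. Where each identity is allowed to speak from (constructed).
PROVENANCE = {
    "spiffe://example.org/agent/invoice-bot": {
        "nodes": {"node-a1", "node-a2"}, "networks": [ipaddress.ip_network("10.20.0.0/24")]},
}

def provenance_ok(spiffe_id: str, node: str, src_ip: str) -> bool:
    rule = PROVENANCE.get(spiffe_id)
    if rule is None:
        return False
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return node in rule["nodes"] and any(addr in net for net in rule["networks"])

# Factor 3: behavior. Per-identity baseline of hours, resources and rate (constructed).
BASELINE = {
    "spiffe://example.org/agent/invoice-bot": {
        "hours_utc": range(8, 18), "resources": {"/invoices", "/vendors"},
        "max_per_minute": 30, "max_new_resources": 3},
}

def behavior_ok(spiffe_id: str, recent: list, now: int) -> bool:
    """recent: [{'ts': epoch_seconds, 'resource': path}, ...] for this identity."""
    prof = BASELINE.get(spiffe_id)
    if prof is None:
        return False
    window = [r for r in recent if now - 60 <= r["ts"] <= now]
    if len(window) > prof["max_per_minute"]:
        return False  # unusually high volume
    if any(datetime.fromtimestamp(r["ts"], timezone.utc).hour not in prof["hours_utc"] for r in window):
        return False  # acting at an unexpected time of day
    if len({r["resource"] for r in window} - prof["resources"]) >= prof["max_new_resources"]:
        return False  # touching things it never touches: "scoping out the joint"
    return True

def verify_agent(token: str, node: str, src_ip: str, recent: list, now: int) -> dict:
    """Every factor is checked independently; a valid token on its own is not enough."""
    spiffe_id = verify_token(token, now)
    known = spiffe_id is not None
    factors = {
        "identity": known,
        "provenance": known and provenance_ok(spiffe_id, node, src_ip),
        "behavior": known and behavior_ok(spiffe_id, recent, now),
    }
    return {"spiffe_id": spiffe_id, "factors": factors, "allow": all(factors.values())}

# Constructed scenarios: one legitimate run and four that should be refused.
AGENT = "spiffe://example.org/agent/invoice-bot"
NOW = 1699956000  # 2023-11-14 10:00:00 UTC
TOKEN = mint_token(AGENT, NOW + 300)

def normal_activity(now: int) -> list:
    return [{"ts": now - 10 * i, "resource": "/invoices" if i % 2 else "/vendors"} for i in range(5)]

def recon_activity(now: int) -> list:
    return [{"ts": now - i, "resource": f"/internal/r{i}"} for i in range(40)]

def scenarios() -> dict:
    good = ("node-a1", "10.20.0.7", normal_activity(NOW), NOW)
    return {
        "legit": verify_agent(TOKEN, *good),
        "stolen_token_offnet": verify_agent(TOKEN, "unknown-host", "203.0.113.9", normal_activity(NOW), NOW),
        "recon_burst": verify_agent(TOKEN, "node-a1", "10.20.0.7", recon_activity(NOW), NOW),
        "forged_token": verify_agent(mint_token(AGENT, NOW + 300, key=b"attacker-key"), *good),
        "expired_token": verify_agent(mint_token(AGENT, NOW - 1), *good),
    }
```

A real deployment would verify an X.509 or JWT SVID against the trust bundle instead of an HMAC, and the baseline would be learned from the agent’s own logs. The shape of the decision is the point: identity, provenance and behavior are evaluated separately and all three are required, so the “stolen_token_offnet” case fails on provenance even though the token itself is perfectly valid.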

Be safe out there.

Proof of Humanity Does Not Prove Identity

If you have a database of irises from people worldwide, you can run a 1:N search against it to see whether a newly presented iris is already in the database or not.

This lets you buy the world a Coke. One per person.

But it doesn’t tell you WHO they are. A match says “this iris has been seen before,” not “this is a particular named person.”

For that you need to bind the iris to a claimed identity and test the person against the factors of identity verification and authentication.

All six of them.
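As an added example (not from the original post or the book), here is the distinction in code: a registry that stores iris codes and nothing else can answer “seen before?” but never “who?”, while a 1:1 verification needs a code that was bound to a claimed identity by other means. Iris codes are modelled as 256-bit integers compared by fractional Hamming distance, a deliberately simplified version of the real technique; the threshold, the bit-flip noise model, and the enrolled people are assumptions for the illustration.

```python
import random

BITS = 256
THRESHOLD = 0.32  # assumed: fractional Hamming distance below which two codes match

def hamming(a: int, b: int) -> float:
    """Fraction of the bit positions on which two codes disagree."""
    return bin(a ^ b).count("1") / BITS

def fresh_capture(code: int, rng: random.Random, flips: int = 20) -> int:
    """Simulate re-imaging the same eye: a handful of bits come out differently."""
    for _ in range(flips):
        code ^= 1 << rng.randrange(BITS)
    return code

class HumanityRegistry:
    """Stores iris codes only: it can answer 'seen before?', never 'who?'."""

    def __init__(self):
        self.codes = []

    def enrol_if_new(self, code: int) -> bool:
        """1:N search. True if this iris was not present and is now enrolled."""
        if any(hamming(code, c) < THRESHOLD for c in self.codes):
            return False  # one Coke per person: this one already had theirs
        self.codes.append(code)
        return True

class IdentityRegistry:
    """Binds an iris code to an identity that was established by other factors."""

    def __init__(self):
        self.by_person = {}

    def bind(self, person_id: str, code: int) -> None:
        self.by_person[person_id] = code

    def verify(self, claimed_id: str, code: int) -> bool:
        """1:1 check: does the presented iris match the code bound to the claim?"""
        enrolled = self.by_person.get(claimed_id)
        return enrolled is not None and hamming(code, enrolled) < THRESHOLD

def demo() -> dict:
    rng = random.Random(7)  # fixed seed so the constructed run is reproducible
    alice, bob = rng.getrandbits(BITS), rng.getrandbits(BITS)
    humanity, identities = HumanityRegistry(), IdentityRegistry()
    results = {
        "alice_first_visit": humanity.enrol_if_new(alice),
        "bob_first_visit": humanity.enrol_if_new(bob),
        "alice_second_visit": humanity.enrol_if_new(fresh_capture(alice, rng)),
        "unique_humans": len(humanity.codes),
    }
    # Attaching a name to an iris is a separate step that the humanity registry
    # cannot do; here the binding is simply asserted by the enrolment clerk.
    identities.bind("alice", alice)
    identities.bind("bob", bob)
    probe = fresh_capture(alice, rng)
    results["alice_claims_alice"] = identities.verify("alice", probe)
    results["alice_claims_bob"] = identities.verify("bob", probe)
    results["alice_claims_unknown"] = identities.verify("carol", probe)
    return results
```

The humanity registry correctly refuses Alice’s second visit and counts two unique humans, but nothing in it can say which of its two codes is Alice; only the identity registry, seeded by a binding made with other factors, can confirm or refute her claim.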

Learn more. Purchase the ebook.

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket. Click on the image to purchase.

Factors Are Independent

One important thing about factors is that they are independent of each other.

The fact that a person has a particular password bears no relation to the fact that a person has a particular fingerprint ridge structure.

And even modalities within a factor may be independent of each other. When Motorola sold its Biometric Business Unit to Safran in 2009, I joined a company (MorphoTrak) that promoted three biometric modalities: finger, face, and iris. While all three biometrics came from the same person, there was no relationship between any of them. Knowing a person’s right forefinger ridge pattern told you nothing about that person’s iris. (But beware: not every pair of modalities is independent. Driver’s licenses and passports share information, such as dates of birth, so checking both is not two independent checks.)

If you have a critical security issue, you don’t want to depend upon just one factor, or one modality.

Double or triple them up by requiring multiple identity verifications and authentications with unrelated modalities and factors.


Why Are Identity Verification and Authentication Critically Important?

Imagine if we didn’t have identity verification and authentication.

I could walk into a luxury car dealership and buy a car, telling the salesperson that my name is Bill Gates. I could buy the car, and Gates would get the bill.

Sounds great…until someone impersonates YOU and gets YOUR money.


How to Figure Out Someone’s Mother’s Maiden Name

Something you know…and that someone else knows. It can happen.

Many systems require more than one knowledge-based modality, which is why they sometimes ask for other things like your mother’s maiden name.

This of course is not foolproof. Your sister who hates your guts, for example, obviously knows your mother’s maiden name. And even complete strangers, especially those with nefarious intent, can deduce your personal information.

Let me introduce you to Doug.

How Doug learned Donna’s mother’s maiden name…and more

Assume that Doug wants to hack Donna’s account but needs some personal information to do so. This is somewhat tough, since Donna’s Facebook account is private and can only be seen by her friends. Well, Doug knows that Belle is a friend of Donna’s, and Belle’s Facebook password is “password1.” Problem solved.

Doug uses Belle’s account to read Donna’s posts and finds some remarkably interesting ones. Not that she’s posting her Social Security Number or anything, but what did she post?

  • “Happy birthday to my mom!” (This particular post was loved by Jane Davis, who wrote “Thank you dear daughter.”)
  • “Happy 30th birthday to me!”
  • “Hey, look at this picture of my new driver’s license. My picture actually looks halfway decent.”
  • “Hey, look at this picture of my senior citizen bus pass. Yeah, I’m old.”
  • “I cried when I looked at this old picture of my dog Scamper, taken in front of my childhood home on Mulberry Street.”

If you’re keeping score at home, Doug now knows the following information about Donna:

  • Her mother’s maiden name.
  • Her date of birth (from her birthday post and her driver’s license picture; her senior citizen bus pass shows the month and day of her birthday but not the full date).
  • Her driver’s license number.
  • The name of her favorite pet.
  • The name of the street she lived on as a child.

More than enough for Doug to impersonate Donna.


Types of Knowledge-Based Modalities

Something you know.

We know a lot of things; we can tell the system the things we know, and the system can confirm that the person accessing it knows those same things.

Here are a few examples of knowledge-based information:

  • Passwords.
  • Personal Identification Numbers (PINs).
  • Social Security Numbers.
  • Driver’s License Numbers.
  • Dates of Birth.
  • Employee IDs.
  • Mother’s maiden name.
  • Name of your favorite pet.
  • Name of the street you lived on as a child.

Some of these pieces of personally identifiable information (PII) are more commonly known than others. The, um, secret is to choose a piece of knowledge that ONLY YOU know.

But remember: anything that you know is potentially known by others.
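An added example, not from the original post, of why the size of the keyspace decides whether a piece of knowledge can stay secret: a system that stores only a salted SHA-256 hash of a date of birth, and compares answers in constant time exactly as it should, still gives the date up to anyone who tries every date, because there are only about 45,000 of them. The storage scheme, the salt, and the victim’s date are constructed for the illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

SALT = "c0nstructed-salt"  # stored next to the hash, so an attacker has it too

def hash_answer(salt: str, answer: str) -> str:
    """How a system might store a knowledge-based answer: salted SHA-256."""
    return hashlib.sha256(f"{salt}:{answer}".encode()).hexdigest()

def check_answer(salt: str, stored: str, candidate: str) -> bool:
    """Constant-time comparison, the right way to check a stored answer."""
    return hmac.compare_digest(stored, hash_answer(salt, candidate))

def all_dates(start: date = date(1900, 1, 1), end: date = date(2024, 12, 31)):
    """Every plausible date of birth, oldest first."""
    d = start
    while d <= end:
        yield d.isoformat()
        d += timedelta(days=1)

def keyspace_size() -> int:
    """Number of candidate dates an attacker must try at most."""
    return sum(1 for _ in all_dates())

def recover_dob(salt: str, stored: str) -> tuple:
    """Brute force the stored hash. Returns (date_or_None, guesses_tried)."""
    tried = 0
    for iso in all_dates():
        tried += 1
        if check_answer(salt, stored, iso):
            return iso, tried
    return None, tried

# Constructed victim record: only the salt and the hash are "in the database".
STORED = hash_answer(SALT, "1994-03-17")
```

Running recover_dob(SALT, STORED) finds the date in well under a second on ordinary hardware. Contrast a randomly chosen twelve-character password, whose keyspace is tens of orders of magnitude larger: hashing and salting protect a secret with entropy, and a date of birth, a Social Security Number, or a street name has very little.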
