The FIDO Alliance is one of the chief proponents of the “death of passwords” movement, and is working on delivering secure authentication. But even the most secure authentication method is not 100% secure. Nothing is.
Authentication is a complex undertaking, and the ability to authenticate on a new device is a special challenge. But the FIDO Alliance has addressed this:
“Cross device authentication allows a user to sign in with their device using a QR code.
“FIDO Cross-Device Authentication (CDA) allows a passkey from one device to be used to sign in on another device. For example, your phone can be linked to your laptop, allowing you to use a passkey from your phone to sign into a service on your laptop.
“CDA is powered by the FIDO Client-to-Authenticator Protocol (CTAP) using “hybrid” transport. CTAP is implemented by authenticators and client platforms, not Relying Parties.”
“After entering their username and password on the phishing site, the user was presented with a QR code….
“What happened behind the scenes is the phishing site automatically sent the stolen username and password to the legitimate login portal of the organization, along with a request to utilize the cross-device sign-in feature of FIDO keys. The login portal then displayed a QR code….
“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.
“This process—while seemingly complicated—effectively neutralizes any protections that a FIDO key grants, and gives the attackers access to the compromised user’s account, including access to any applications, sensitive documents, and tools such access provides.”
Presumably the FIDO Alliance will address this soon.
If you ignore what Yves-Alexandre de Montjoye et al. said about the validity of 12 fingerprint minutiae points in their 2013 study (cited in phys.org), their conclusions about cell phone locations deserve consideration.
“By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual’s approximate whereabouts at the approximate time when they’re using their cell phone) are all that’s needed to uniquely identify 95% of the individuals.”
Why?
“[T]he researchers’ data shows that just four spatio-temporal points are needed to uniquely identify the mobility trace of an individual. In other words, it’s not likely that someone else will be in the same locations as you are at four different times of day.”
And once you perform multi-factor authentication by combining geolocation with another factor, such as an address or a social media post, privacy disappears.
“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”
Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.
I’m admittedly fascinated by the parallels between people and non-person entities (NPEs), to the point where I asked at one point whether NPEs can use the factors of authentication. (All six. Long story.)
When I got to the “something you are” factor, which corresponds to biometrics in humans, here is what I wrote:
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
But I missed one thing in that discussion, so I wanted to revisit it.
Understanding IMEI Numbers
Now this doesn’t apply to ceramic plates or pocket calculators, but there are some NPEs that assert uniqueness.
Our smartphones, each of which has an International Mobile Equipment Identity (IMEI) number.
IMEI stands for International Mobile Equipment Identity. It’s a unique identifier for mobile devices, much like a fingerprint for your phone’s IMEI number.
Now some of you who are familiar with biometrics are saying, “Hold it right there.”
Can someone assert that there have NEVER been two people with the same fingerprint in all of human history?
But let’s stick to phones, Johnny.
Each IMEI number is a 15-digit code that’s assigned to every mobile phone during its production. This number helps in uniquely identifying a device regardless of the SIM card used.
This is an important point here. Even Americans understand that SIM cards are transient and can move from one phone to another, and therefore are not valid to uniquely identify phones.
What about IMEIs?
Are IMEIs unique?
I won’t go into the specifics of the 15-digit IMEI number format, which you can read about here. Suffice it to say that the format dictates that the number incorporate the make and model, a serial number, and a check digit.
Therefore smartphones with different makes and models cannot have the same IMEI number by definition.
And even within the make and model, by definition no two phones can have the same serial number.
Why not? Because everyone says so.
It’s even part of the law.
Changing an IMEI number is illegal in many countries due to the potential misuse, such as using a stolen phone. Tampering with the IMEI can lead to severe legal consequences, including fines and imprisonment. This regulation helps in maintaining the integrity of mobile device tracking and discourages the theft and illegal resale of devices.
IMEIs in India
To all of the evidence above about the uniqueness of IMEI numbers, I only have two words:
So what?
A dedicated person can create or modify multiple smartphones to have the exact same IMEI number if desired. Here’s a recent example:
The Indore Police Crime Branch has dismantled two major digital arrest fraud rackets operating in different parts of the country, seizing a massive database containing private details of 20,000 pensioners in Indore….
A dark room in the flat functioned as the nerve centre of the cyber fraud operation, which had been active since 2019. The group specialised in IMEI cloning and used thousands of SIM cards from select mobile networks.
IMEIs in Canada
“Oh, but that’s India,” you say. “That couldn’t happen in a First World country.”
A Calgary senior is warning others after he was scammed out of $1,000 after buying what he thought was a new iPhone 15 Pro Max.
“I didn’t have any doubt that it was real,” Boyd told Global News….
The seller even provided him with the “original” receipt showing the phone had been purchased down east back in October 2023. Boyd said he also checked the phone’s serial number and the International Mobile Equipment Identity (IMEI). All checked out fine.
Boyd said the first sign of a problem was when he tried to update the phone with his own information and it wouldn’t update. It was only after he took it to a representative at a local Apple retailer, that he realized he had been duped.
IMEIs in general
Even IMEICheck.net, which notes that the threat of stealing one’s phone information is overrated, admits that it is possible (albeit difficult) to clone an IMEI number.
In theory, hackers can clone a phone using its IMEI, but this requires significant effort. They need physical access to the device or SIM card to extract data, typically using specialized tools.
The cloning process involves copying the IMEI and other credentials necessary to create a functional duplicate of the phone. However, IMEI number security features in modern devices are designed to prevent unauthorized cloning. Even if cloning is successful, hackers cannot access personal data such as apps, messages, photos, or passwords. Cloning usually only affects network-related functions, such as making calls or sending messages from the cloned device.
Again, NOTHING provides 100.00000% security. Not even an IMEI number.
What this means for IMEI uniqueness claims
So if you are claiming uniqueness of your smartphone’s IMEI, be aware that there are proven examples to the contrary.
Perhaps the shortcomings of IMEI uniqueness don’t matter in your case, and using IMEIs for individualization is “good enough.”
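The point about format versus uniqueness can be shown in code. The following is an added example, not code from the original post: it splits a 15-digit IMEI into the standard Type Allocation Code (the 8 make-and-model digits), the 6-digit serial number, and the Luhn check digit, then shows that a duplicated IMEI still passes the format check and is only caught by correlating sightings. The IMEI and IMSI values, the sighting records, and the five-minute window are constructed assumptions, and the concurrency rule is a simple heuristic.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_check_digit(first14: str) -> int:
    """Compute the Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(first14):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into its fields and report whether the check digit matches."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        raise ValueError("IMEI must be exactly 15 digits")
    return {
        "tac": imei[:8],                 # make and model
        "serial": imei[8:14],            # per-device serial number
        "check_digit": int(imei[14]),
        "format_valid": luhn_check_digit(imei[:14]) == int(imei[14]),
    }


def find_suspected_clones(sightings, window=timedelta(minutes=5)):
    """Flag IMEIs seen with two different SIMs (IMSIs) inside a short window.

    A SIM swap over hours or days is normal; the same IMEI registering with
    different SIMs minutes apart suggests two handsets share one IMEI.
    """
    by_imei = defaultdict(list)
    for imei, imsi, seen_at in sightings:
        by_imei[imei].append((seen_at, imsi))
    suspects = {}
    for imei, events in by_imei.items():
        events.sort()
        # Checking adjacent events is enough: any close pair with different
        # SIMs implies an adjacent pair with different SIMs that is closer.
        for (t1, sim1), (t2, sim2) in zip(events, events[1:]):
            if sim1 != sim2 and t2 - t1 <= window:
                suspects.setdefault(imei, set()).update({sim1, sim2})
    return {imei: sorted(sims) for imei, sims in suspects.items()}


# Constructed sample data: (IMEI, IMSI, time of network registration).
SIGHTINGS = [
    ("123456789012347", "001010000000001", datetime(2025, 1, 6, 9, 0)),
    ("123456789012347", "001010000000002", datetime(2025, 1, 6, 9, 2)),
    ("111111111111119", "001010000000003", datetime(2025, 1, 6, 9, 0)),
    ("111111111111119", "001010000000004", datetime(2025, 1, 7, 9, 0)),
]

if __name__ == "__main__":
    for imei in sorted({s[0] for s in SIGHTINGS}):
        print(imei, parse_imei(imei))       # both IMEIs are format-valid
    print(find_suspected_clones(SIGHTINGS))  # only the first IMEI is flagged
```

Both sample IMEIs pass the check-digit test, so "it checked out" says nothing about whether a second handset carries the same number; only the sighting correlation separates the ordinary SIM swap from the suspected clone.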
(Imagen 3 image. Oddly enough, Google Gemini was unable, or unwilling, to generate an image of three smartphones displaying the exact same 15-digit string of numbers, or even a 2-digit string. I guess Google thought I was a fraudster.)
Do you believe in intentional ignorance, stupidity, and idiocy?
Let me put it another way:
Do you believe in the “death of passwords”?
The rationale behind the decades-long death of passwords movement is that passwords do not provide 99.99999% security, therefore NO ONE should EVER EVER EVER use a password, or ANY other form of knowledge (PIN, first pet, what a traffic light looks like, college GPA, favorite RGB value).
I have a different view.
Knowledge CAN be part of a robust multi-factor identity verification or authentication solution.
Just like biometrics CAN be part of a robust multi-factor identity verification or authentication solution. Oh, you think biometrics should be the SOLE (geddit?) factor? I hate to break this to you, but biometrics do not provide 99.99999% security either.
And for the simpler use cases (such as garage sale money boxes), knowledge-based authentication such as a combination lock is a viable security system.
Don’t rely on passwords alone…
…but don’t completely ban them either. Knowledge ain’t dead.
In “On Attribute-Based Access Control,” I noted that NIST defined a subject as “a human user or NPE (Non-Person Entity), such as a device that issues access requests to perform operations on objects.” Again, there’s a need to determine that the NPE has the right attributes, and is not a fake, deep or shallow.
There’s clearly a need to identify non-person entities. If I work for IBM and have a computer issued by IBM, the internal network needs to know that this is my computer, and not the computer of a North Korean hacker.
But I was curious. Can the five (or six) factors identify non-person entities?
Let’s consider factor applicability, going from the easiest to the hardest.
The easy factors
Somewhere you are. Not only is this extremely applicable to non-person entities, but in truth this factor doesn’t identify persons, but non-person entities. Think about it: a standard geolocation application doesn’t identify where YOU are. It identifies where YOUR SMARTPHONE is. Unless you have a chip implant, there is nothing on your body that can identify your location. So obviously “somewhere you are” applies to NPEs.
Something you have. Another no brainer. If a person has “something,” that something is by definition an NPE. So “something you have” applies to NPEs.
Something you do. NPEs can do things. My favorite example is Kraftwerk’s pocket calculator. You will recall that “by pressing down this special key it plays a little melody.” I actually had a Casio pocket calculator that did exactly that, playing a tune that is associated with Casio. Later, Brian Eno composed a startup sound for Windows 95. So “something you do” applies to NPEs. (Although I’m forced to admit that an illegal clone computer and operating system could reproduce the Eno sound.)
Something you know. This one is a conceptual challenge. What does an NPE “know”? For artificial intelligence creations such as Kwebbelkop AI, you can look at the training data used to create it and maintain it. For a German musician’s (or an Oregon college student’s) pocket calculator, you can look at the code used in the device, from the little melody itself to the action to take when the user enters a 1, a plus sign, and another 1. But is this knowledge? I lean toward saying yes—I can teach a bot my mother’s maiden name just as easily as I can teach myself my maiden name. But perhaps some would disagree.
Something you are. For simplicity’s sake, I’ll stick to physical objects here, ranging from pocket calculators to hand-made ceramic plates. The major reason that we like to use “something you are” as a factor is the promise of uniqueness. We believe that fingerprints are unique (well, most of us), and that irises are unique, and that DNA is unique except for identical twins. But is a pocket calculator truly unique, given that the same assembly line manufactures many pocket calculators? Perhaps ceramic plates exhibit uniqueness, perhaps not.
That’s all five factors, right?
Well, let’s look at the sixth one.
Somewhat you why
You know that I like the “why” question, and some time ago I tried to apply it to identity.
Why is a person using a credit card at a McDonald’s in Atlantic City? Or, was the credit card stolen, or was it being used legitimately?
Why is a person boarding a bus? Or, was the bus pass stolen, or was it being used legitimately?
Why is a person standing outside a corporate office with a laptop and monitor? Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?
The first example is fundamental from an identity standpoint. It’s taken from real life, because I had never used any credit card in Atlantic City before. However, there was data that indicated that someone with my name (but not my REAL ID; they didn’t exist yet) flew to Atlantic City, so a reasonable person (or identity verification system) could conclude that I might want to eat while I was there.
But can you measure intent for an NPE?
Does Kwebbelkop AI have a reason to perform a particular activity?
Does my pocket calculator have a reason to tell me that 1 plus 1 equals 3?
Does my ceramic plate have a reason to stay intact when I drop it ten meters?
When marketing your facial recognition product (or any product), you need to pay attention to your positioning and messaging. This includes developing the answers to why, how, and what questions. But your positioning and your resulting messaging are deeply influenced by the characteristics of your product.
If facial recognition is your only modality
There are hundreds of facial recognition products on the market that are used for identity verification, authentication, crime solving (but ONLY as an investigative lead), and other purposes.
Some of these solutions ONLY use face as a biometric modality. Others use additional biometric modalities.
Similarly, a face-only company will argue that facial recognition is a very fast, very secure, and completely frictionless method of verification and authentication. When opponents bring up the demonstrated spoofs against faces, you will argue that your iBeta-conformant presentation attack detection methodology guards against such spoofing attempts.
Of course, if you initially only offer a face solution and then offer a second biometric, you’ll have to rewrite all your material. “You know how we said that face is great? Well, face and gait are even greater!”
It seems that many of the people who are awaiting the long-delayed death of the password think that biometrics is the magic solution that will completely replace passwords.
For this reason, your company might have decided to use biometrics as your sole factor of identity verification and authentication.
Or perhaps your company took a different approach, and believes that multiple factors—perhaps all five factors—are required to truly verify and/or authenticate an individual. Use some combination of biometrics, secure documents such as driver’s licenses, geolocation, “something you do” such as a particular swiping pattern, and even (horrors!) knowledge-based authentication such as passwords or PINs.
This naturally shapes your positioning and messaging.
The single factor companies will argue that their approach is very fast, very secure, and completely frictionless. (Sound familiar?) No need to drag out your passport or your key fob, or to turn off your VPN to accurately indicate your location. Biometrics does it all!
The multiple factor companies will argue that ANY single factor can be spoofed, but that it is much, much harder to spoof multiple factors at once. (Sound familiar?)
So position yourself however you need to position yourself. Again, be prepared to change if your single factor solution adopts a second factor.
A final thought
Every company has its own way of approaching a problem, and your company is no different. As you prepare to market your products, survey your product, your customers, and your prospects and choose the correct positioning (and messaging) for your own circumstances.
And if you need help with biometric positioning and messaging, feel free to contact the biometric product marketing expert, John E. Bredehoft. (Full-time employment opportunities via LinkedIn, consulting opportunities via Bredemarket.)
In the meantime, take care of yourself, and each other.
Checking the purported identity against private databases, such as credit records.
Checking the person’s driver’s license or other government document to ensure it’s real and not a fake.
Checking the purported identity against government databases, such as driver’s license databases. (What if the person presents a real driver’s license, but that license was subsequently revoked?)
Performing a “who you are” biometric test against the purported identity.
If you conduct all four tests, then you have used multiple factors of authentication to confirm that the person is who they say they are. If the identity is synthetic, chances are the purported person will fail at least one of these tests.
Do you fight synthetic identity fraud?
If you fight synthetic identity fraud, you should let people know about your solution.
AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. All sorts of authentication methods, including knowledge-based authentication, satisfy the requirements of AAL1. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one. There are specific requirements regarding the authentication factors you can use. And the security must conform to the “moderate” security level, such as the moderate security level in FedRAMP. So AAL2 is satisfactory for a lot of organizations…but not all of them.
AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Of course, two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.”
This is of course a very high overview, and there are a lot of…um…minutiae that go into each of these definitions. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.
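The three summaries above can be expressed as a small rule check. The following is an added example, not NIST's or the original post's code: it applies only the simplified criteria quoted here (one factor, two distinct factors, and two factors plus a hardware-based authenticator, verifier impersonation resistance, and proof of possession of a key), not the full requirements of SP 800-63B. The `Authenticator` class, its attribute names, and the sample authenticators are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    name: str
    factors: frozenset                     # subset of {"know", "have", "are"}
    cryptographic: bool = False            # proves possession of a key
    hardware: bool = False                 # hardware-based authenticator
    impersonation_resistant: bool = False  # verifier impersonation resistance


def highest_aal(authenticators) -> int:
    """Return the highest AAL (0 if none) met under the simplified rules."""
    if not authenticators:
        return 0
    factors = set().union(*(a.factors for a in authenticators))
    if len(factors) < 2:
        return 1                           # single factor: AAL1 at most
    # AAL3 adds three properties; one device may supply all of them.
    has_key = any(a.cryptographic for a in authenticators)
    has_hardware = any(a.hardware for a in authenticators)
    resists = any(a.impersonation_resistant for a in authenticators)
    return 3 if (has_key and has_hardware and resists) else 2


# Constructed sample authenticators; the attribute values are assumptions.
PASSWORD = Authenticator("password", frozenset({"know"}))
OTP_APP = Authenticator("one-time code app", frozenset({"have"}))
SOFTWARE_KEY = Authenticator(
    "software key unlocked by biometric", frozenset({"have", "are"}),
    cryptographic=True, impersonation_resistant=True,
)
HARDWARE_KEY_PIN = Authenticator(
    "hardware key unlocked by PIN", frozenset({"have", "know"}),
    cryptographic=True, hardware=True, impersonation_resistant=True,
)

if __name__ == "__main__":
    for combo in ([PASSWORD], [PASSWORD, OTP_APP],
                  [SOFTWARE_KEY], [HARDWARE_KEY_PIN]):
        print([a.name for a in combo], "-> AAL", highest_aal(combo))
```

The last case is the "same device MAY fulfill both" situation: a single hardware key that is cryptographic, impersonation-resistant, and PIN-protected meets all the AAL3 conditions in this simplified model.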
Which authenticator assurance level should you use?
NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.
One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).
So what?
Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?
Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?
Could the fraudster cause financial loss to a government agency?
Threaten personal safety?
Commit civil or criminal violations?
Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?
If some or all of these are true, then a high authenticator assurance level is VERY beneficial.
One advantage of an open source project is that there are far fewer secrets to hide. If a commercial firm develops biometric products, it has a responsibility to its investors to not release sensitive information.
Although findings…describe potential attack surfaces and are of high or medium severity, (Trail of Bits’) analysis did not uncover vulnerabilities in the Orb’s code…