Even Jedis Can Face Ephemeral Challenges

From a recent Identity Jedi post.

“NHI visibility and AI agent visibility feel like the same problem. They’re not. A service account is relatively static. It was created for a purpose, it has credentials, it authenticates to something. You can find it, document it, rotate its credentials, put it in a vault. That’s a solvable problem with existing tooling.

“An AI agent is different in almost every dimension that matters. It’s dynamic. It’s often ephemeral. It doesn’t have a fixed identity. It borrows one, or several. It makes decisions at runtime about what it needs to access. And it operates at machine speed, which means by the time your SIEM fires an alert, the transaction is already done.”

Non-Human Identity Verification

How do you verify non-human identities?

One of the reasons I titled my ebook “Proving Humanity” is that the six (yes, six) factors of identity verification and authentication I discuss apply only to identifying humans; they do not apply to non-human identities.

So again, how do you verify non-human identities?

Cryptography

One way is via cryptography. As I discussed previously, the Secure Production Identity Framework For Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) provide non-person entities with “strongly attested, cryptographic identities.”

Problem solved, right?

As any human who has used a password knows, a single factor can be stolen. And that includes cryptographic factors.

Provenance

Which means that we have to look at provenance. But instead of looking at the provenance of an AI-generated image or video, we are looking at the provenance of an agent that performs actions. The network origin. The environment. The associated attributes. Is the agent running on a specific, authorized, and known virtual machine or container at a specific network address, or is it running…somewhere else?

Behavior

And if you’ve read my book, you know that human identities can be evaluated based upon their behavior (either tendencies or intent). You can also look at the behavior of agents. Is the agent acting at an unexpected time of day? Is it executing an unusually high volume of requests? Is it “scoping out the joint”?

Multi-factor authentication

Again, it’s possible to spoof one factor, but much harder to spoof multiple factors. And that applies to both humans and non-human agents.

Be safe out there.

Proof of Humanity Does Not Prove Identity

If you have a database of people worldwide, you can use irises to see whether someone is in the database or not.

This lets you buy the world a Coke. One per person.

But it doesn’t tell you WHO they are.

For that you need to test them against the factors of identity verification and authentication.

All six of them.

Learn more. Purchase the ebook.

Four pages from "Proving Humanity: The Six Factors of Identity Verification and Authentication" by John E. Bredehoft, Bredemarket. Click on the image to purchase.

Factors Are Independent

One important thing about factors is that they are independent of each other.

The fact that a person has a particular password bears no relation to the fact that a person has a particular fingerprint ridge structure.

And even modalities within a factor may be independent of each other. When Motorola sold its Biometric Business Unit to Safran in 2009, I joined a company (MorphoTrak) that promoted three biometric modalities: finger, face, and iris. While all three biometrics came from the same person, there was no relationship between any of them. Knowing a person’s right forefinger did not tell you what the person’s iris was like. (But beware: driver’s licenses and passports share information, such as dates of birth.)

If you have a critical security issue, you don’t want to depend upon just one factor, or one modality.

Double or triple them up by requiring multiple identity verifications and authentications with unrelated modalities and factors.

Learn more about the six identity factors

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”


Why Are Identity Verification and Authentication Critically Important?

Imagine if we didn’t have identity verification and authentication.

I could walk into a luxury car dealership and buy a car, telling the salesperson that my name is Bill Gates. I could buy the car, and Gates would get the bill.

Sounds great…until someone impersonates YOU and gets YOUR money.


Identifying Non-Human Identities with SPIFFE and SPIRE

I once tried to see if non-human identities could verify and authenticate with the six human factors. (Yeah, six. Watch for the book.)

Definitions

In reality, non-human identities use entirely different authentication methods…with their own acronyms. For example:

  • SPIFFE is the Secure Production Identity Framework For Everyone.
  • SPIRE is the SPIFFE Runtime Environment.

So what are SPIFFE and SPIRE?

“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”

That wide variety of platforms is distributed.

“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”

Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services,” while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”

Benefits

Forget all that. Let’s get to the benefits.

  • Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential compromise
  • Reduce operational complexity: Consistent, automated management of identity reduces the burden on devops teams
  • Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks
  • Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements

Use at Uber

But does anyone use it? Yes. Take Uber:

“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”

More here.

Now this is admittedly a whole new world for me, far afield from the 12345 and gummy-finger arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.
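To make the two posts above concrete (the SPIFFE identity that SPIRE hands a workload, and the cryptographic, provenance and behavior factors from the non-human identity post), here is an added example that is not the author's or the SPIFFE project's code: a parser that checks a SPIFFE ID against the SPIFFE ID standard, and a policy check that scores each factor independently so that a stolen SVID alone is not enough. The Policy record, node names, network ranges and hour window are constructed assumptions, not SPIRE objects.

```python
# Added example (not the author's or the SPIFFE project's code): a SPIFFE ID
# parser plus a multi-factor check for a workload identity. Policy is hypothetical.
import ipaddress
import re
from dataclasses import dataclass

_TD_RE = re.compile(r"[a-z0-9._-]+")       # SPIFFE trust-domain charset
_SEG_RE = re.compile(r"[A-Za-z0-9._-]+")   # SPIFFE path-segment charset

def parse_spiffe_id(s: str) -> tuple:
    """Split a SPIFFE ID into (trust_domain, path) or raise ValueError:
    spiffe:// scheme, at most 2048 bytes, no empty, '.' or '..' segments,
    no trailing slash; '?', '#', ':' and '@' fall outside the charsets."""
    if len(s.encode()) > 2048 or not s.startswith("spiffe://"):
        raise ValueError("bad scheme or length")
    td, slash, path = s[len("spiffe://"):].partition("/")
    if not _TD_RE.fullmatch(td):
        raise ValueError(f"bad trust domain {td!r}")
    if not slash:
        return td, ""                      # bare trust-domain ID
    for seg in path.split("/"):
        if seg in ("", ".", "..") or not _SEG_RE.fullmatch(seg):
            raise ValueError(f"bad path segment {seg!r}")
    return td, "/" + path

@dataclass
class Policy:                  # hypothetical policy record, not a SPIRE object
    spiffe_id: str             # identity the workload is expected to present
    nodes: frozenset           # attested node names it may run on
    networks: tuple            # CIDR strings it may call from
    hours_utc: tuple           # (start, end) hour window in which it should act
    max_rpm: int               # request-per-minute ceiling

def evaluate(policy: Policy, spiffe_id: str, node: str, src_ip: str,
             hour_utc: int, rpm: int) -> dict:
    """Score each factor separately. The factors are independent: a stolen
    SVID passes the crypto check but should still trip provenance or behaviour."""
    try:
        identity_ok = parse_spiffe_id(spiffe_id) == parse_spiffe_id(policy.spiffe_id)
    except ValueError:
        identity_ok = False
    ip = ipaddress.ip_address(src_ip)
    on_net = any(ip in ipaddress.ip_network(n) for n in policy.networks)
    start, end = policy.hours_utc
    return {
        "identity": identity_ok,
        "provenance": node in policy.nodes and on_net,
        "behavior": start <= hour_utc < end and rpm <= policy.max_rpm,
    }
```

A caller should allow only when every key in the returned dict is True; reporting the factors separately also tells the responder which one the stolen credential failed to spoof.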

What About the Data Labelers Themselves?

Earlier this month I discussed a class action lawsuit, filed in the United States, from people who believe their privacy is being violated by the use of Kenyan data labelers to view their video output.

And the data labelers themselves are not happy, according to a 404 Media article “AI is African Intelligence.”

Before I get to the Kenyans, let’s talk about the reality of AI. No, AI output is not 100% generated by computers alone. There is often human review.

In some cases human review is understandable. There was a recent brouhaha when it was publicly highlighted that when a Waymo vehicle runs into a problematic situation, Waymo calls upon a human reviewer to intervene. People’s anger about this is pointless: would they prefer that Waymo NOT call upon a human reviewer, and just let the car do whatever?

Back to Kenya, and to what the Data Labelers Association (DLA) reports data labelers actually do.

“Every day, Michael Geoffrey Asia spent eight consecutive hours at his laptop in Kenya staring at porn, annotating what was happening in every frame for an AI data labeling company. When he was done with his shift, he started his second job as the human labor behind AI sex bots, sexting with real lonely people he suspected were in the United States. His boss was an algorithm that told him to flit in and out of different personas.”

I’ve previously seen reports about people in the U.S. reviewing shocking material for social media companies, but it’s a heck of a lot cheaper to outsource the work abroad.

Unless the U.S. Government insists on bringing data labeling work to the United States, in the same way that it wants to bring call center jobs back here.

I do offer one caution: there is a lot of data labeling work that is NOT pornographic. In the identity verification industry, data labelers review real and fake faces, real and fake documents, and the like to train AI models. Such work does not have the emotional stress that you get from watching certain videos.

But it’s still hard work.

“We Use AI” Marketing Goes Beyond the IDV Realm

I recently mentioned again how ALL the identity verification companies use the following two elements in their product marketing:

  • “We use AI.”
  • “Trust!”

If you read three marketing messages from three IDV vendors, I defy you to tell them apart. Admittedly my last comparison took place years ago, so I took a fresh look at the 2026 versions. Here are two:

“Industry-leading AI-driven Technology”

“We make it easy to safeguard your customers with AI-driven identity verification.”

Thankfully the companies are finally mentioning differentiators other than trust, but the magic letters AI still persist.

AI is everywhere and nowhere

But you can’t really blame the IDV vendors when everyone is injecting the two-letter word into their messaging.

20 years ago, anyone who talked about an AI-powered vacuum cleaner would have been relegated to the back of the hall and told to put on his Vulcan ears.

Now we have things like AI pens.

“Handwrite only the critical points. Let Flowtica AI summarize and visualize the rest – audio, photo and even your sketches – into insights. Stay focused in the flow”

And lest you think that such efforts are fringe, OpenAI and Jony Ive are reportedly working on one.

But AI pens make as much sense as AI influencers. If you have AI, why do you need the influencers? And if you have AI, why have a pen?

But that won’t stop people from hawking AI pens, and pencils, and erasers, and 3-hole punches, and maybe even…paperclips.