But can it be hacked?
Of course it can, but the correct question to ask is, can it be defeated?
Recently, when asked “can Personal Identifier be hacked?”, the unvarnished truth is yes, of course it can. To be sure, anything one person can create another can hack, and this is especially true of automated computer processes. When presented with this question I always point out that the bigger question is, “but can it be defeated?”
The answers are yes and yes when these questions are asked of credentials-based identification and authentication. Verizon researchers report that in 2017 credentials-based identification and authentication was hacked and defeated over 40,000 times to leverage a like number of successful cybercrimes. Another real-world case in point is Google's experience of being hacked and defeated. Hacking and defeating its internal password-based identification and authentication processes led to the adoption of Google Authenticator 2FA. In 2017 Google revealed it was abandoning Google Authenticator 2FA in favor of the Yubikey USB 2FA token. This company-wide move is thought to have been necessitated by the hacking and defeat of the authenticator.
Hacking prevention is impossible; that's a simple truth. But being defeated as a result of being hacked is avoidable. If there were no “credentials” in the credentials-based identification and authentication process, the hack-and-defeat chain of events would be broken. That is also a simple truth. Novel approaches to conceal and protect the credential do not prevent defeat; they simply forestall it by making defeat more difficult. Such is the case with advances like the Yubikey USB token and PIV/CAC smartcards. The pursuit of credential-defeat prevention ignores the time component, which plays to the hacker's advantage. The hacker may count it a great success if hack and defeat take only a few milliseconds, seconds or minutes. But if it takes a year or more, no problem: success is still realized, it just took longer.
The interviewer was justified in asking “but can it be hacked?” A link between hack and defeat of credentials-based identification and authentication is the norm and has been for the past two decades. But that link does not hold where Personal Identifier methods are employed.
The advent of Personal Identifier (PId) and its adoption of identification based on human traits breaks this link. It does so by removing the “credential” from the identification and authentication process. While it is true that one can hack any implementation of PId, it is likewise true that no one can defeat a well-implemented PId. To do so would require the attacker to climb into the skin of the person the PId identifies and obtain possession of their PId smartphone.