The problem of identification is out of control. Put simply, the method we rely on to identify a person is not working. It is not working now, it has never worked and it never will work. To put this into context, consider these shocking statistics:
From the Verizon DBIR reports we learn that 50% of all cyber attacks in 2014 were leveraged by stolen or weak credentials. That percentage grew to 63% in 2015 and in 2016 it mushroomed to an astounding 81% of all cyber attacks. Could it get worse? Of course, it could and it did as indicated in the 2017 report where Verizon staff gave up reporting the statistic as a percentage and simply stated there were “over 43,000 successful accesses via stolen credentials in 2017”.
Think about this: statisticians being unable to frame that number as a percentage is a sure sign the problem of identification is out of control.
The root cause of the problem is the credential and the way it’s employed to identify a person.
Credentials are at the core of the problem, as every credential is subject to fraudulent use. No matter the type, from simple password to sophisticated facial recognition, the only perceptible difference is the amount of time and the complexity of the process needed to defeat them.
And, the underlying process is no less at fault. An authenticator evaluating a credential “assumes” an unknown person at a remote location is the person the credential belongs to.
Multi-factor is the supposed solution but is subject to being defeated too. Indeed, consider the use of a smartphone or device providing the second factor in an authorization session. The authenticator “assumes” the smartphone or device is in the possession of a human, which may not be the case, and “assumes” the user with possession is the person the smartphone or device belongs to, when in fact it could be in anyone’s possession. Multi-factor is a process that may be more difficult to defeat but one that is not immune to attack and defeat.
When the “assumption” of identification is combined with “potential of credential theft or spoofing” the results can, will and should be exactly what we are experiencing.
So the big question becomes, how to solve these issues? When I asked myself that question I, like Bill Burr, the recognized inventor of modern-day passwords, concluded credential-based identification is broken and cannot be fixed. Without fixing the credential issues, there is no fixing the authentication issues.
What is needed is a solution that can actively identify a person to be who they claim to be, and do so in a way that cannot be spoofed or stolen. A solution that is adaptive. It must be frictionless, ubiquitous, inexpensive and far-reaching. What evolved is now known as the “Personal Identifier” methodology.
What is Personal Identifier? At its core, Personal Identifier is simply the ability of a smartphone-like device to report whether it is in the possession of its owner or assignee.
At the outset the commandments were:
- no use of contemporary forms of identification (password, PIN, phrase, fingerprint, facial scan, driver's license, social security number, last four etc.);
- based on a uniquely identifiable device such as a smartphone;
- active identification without statically stored credentials;
- adaptive, requiring no user-initiated updates; and
- automated continuous mode 24/7/365 real-time determination of identity.
Research has shown that if a person’s habits are captured using smartphone sensor technology and reduced to datasets, then those same datasets can be used to project future activities and actions of that person, with a predictive accuracy of 93% or better. It stands to reason, then, that the same datasets could be used to identify the person, with the same accuracy of 93% or better.
Armed with several research results, some as noted above, and a full evaluation of the current status of smartphone technology, a project now known as Personal Identifier was begun and brought through to a completed design and methodology. A patent was applied for on the methodology and allowed as US Patent # 10037419, granted on July 30, 2018. During a research period, two proof-of-concept designs were implemented, one to confirm the suitability of smartphone sensors for detection of human traits and a second confirming that an application of the same would not stress battery or CPU. The methodology was validated as meeting all the objectives described above and more. Development of a fully operational demonstration app for both Android and iOS smartphones is now underway.
The principles and methods of “Personal Identifier” are more fully described in the Personal Identifier White Paper. More specific details are found in the Personal Identifier Details document. For tutorials, reference the Personal Identifier Tutorials document. More information can also be found in blog posts on the subject.