Identity verification: The New Turing Test
- 21 December, 2016 01:36
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Have you seen the movie Ex Machina? It’s a fascinating journey through the life of a reclusive Silicon Valley billionaire, and examines artificial intelligence (“AI”) as manifested in a very engaging robot. The plot explores the 1950 Turing Test, in which Alan Turing – the father of modern computing – proposed that real AI will have been achieved when a human cannot detect they are talking to an AI bot; that is, in conversation, the AI bot passes as a real human partner in dialogue.
There is an interesting parallel between the Turing Test and where we are in digital identity today.
Bob Blakley, global head of information security at Citigroup, laid out this interesting thought model for the identity problem, what he called “The Table Set for Three” problem, which goes like this:
There is a dinner table set for three people: an online bank, a customer and a crook. Now, imagine you are the bank and the lights are off, and your task is to determine who the customer and crook are by having a conversation. Both the customer and the crook are asserting they are John Smith, born on July 2, 1960. You proceed to ask questions. But the crook and the customer both have equally convincing answers about current and past addresses, date of birth, mother’s maiden name, previous and current car loans and mortgage relationships, schools attended and favorite colors.
This technique is known as knowledge-based authentication (“KBA”). The concept is to ask questions only a legitimate customer would know, in order to make it easy for the customer but difficult for the crook. However, the ironic truth today is that it’s hard for the customer but easy for the crook: the crook has a well-curated set of identity information trolled from social media and the dark web, while the customer often can’t pass the test because they forgot, say, who they formed a recent lending relationship with. Worse, the legitimate person has no way to know about the crook mounting an identity theft takeover.
This is the state of digital identity today.
We need a way to do digital identity that is trustworthy and effective for service providers, while also being a method customers can accomplish and feel comfortable with. Above all, it needs to increase customer privacy, rather than reduce it.
The classic Turing Test was satisfied when an AI persona could fool a human. With digital identity, our goal is to create a parallel test that is satisfied when the dark web cannot fool a human. Rather, successful digital identity is met when a process has been established for enrolling a customer in a service where they have complete control over the information they share. Currently, when customers sign up for a service, they need to reveal something about themselves in order to verify their identity and to gain access on subsequent visits. To move to a more secure digital identity, the trick is to make sure the volume and sensitivity of the information being shared is proportional to the value of the service being sought.
A good example of a successful authentication solution, and one that has contributed to keeping the global payment system safe, is the use of EMV chip cards, which are clone-resistant, tamper-resistant and easy to operate with a four-digit PIN code. Both the bank and the user work in tandem to monitor and address issues. Banks use analytics and user behavior to quickly detect out-of-pattern transactions, and will take cards out of service when cards are lost or stolen.
This is centered around the idea of motivation to recover. Motivation to recover revolves around two processes: first, the user will notice there is a problem; secondly, they will act quickly to point out the problem to the trusted service (like a bank). Customers are driven to report and replace the important items as a defense mechanism, but will often neglect reporting any unusual activity on smaller items – providing an opportunity for the bad guys to easily hack or steal information.
So how can we apply this to digital identity? We need to determine how we can construct a user ritual simple enough that users are actively engaged, yet still are protected from being tricked into rogue transactions.
Identity services constructed from things users are motivated to recover – such as bank cards, mobile phones and driver’s licenses – will shut down the bad guys. Masquerading goes to zero when hackers 1) have to steal the user’s stuff, 2) have to break into the user’s stuff and 3) have to keep the user from acting to deactivate the stuff they lost. An identity system constructed this way would pass the Turing Test for Identity.
One of the major buzzwords this year and a step in achieving secure digital identity is blockchain, as it has the potential to become a foundational element of a new approach to privacy, security and digital identity for consumers. Companies and governments around the world have begun to seriously look at the ways that distributed ledger methodologies can improve everything from payments to identity to security, and begin planning innovative new approaches to the ways we build products for the next generation of online services. This is a great first step in improving the state of digital identity today, and reinforces the notion that we’re not far from achieving a private and secure digital identity ecosystem.