A few months ago, security researchers at 4iQ uncovered a 41-gigabyte file being sold on the dark web that contained 1.4 billion username and password combinations from online services such as Netflix, Last.FM, LinkedIn, MySpace, Zoosk, YouPorn, Minecraft, Runescape, and others.
Unfortunately, this is something that happens a lot. The sale of user credentials remains a very lucrative business, earning cybercriminals billions of dollars every year. This is because for a lot of us, the only thing standing between our online accounts and hackers is a username and password. This means as soon as they obtain our credentials from the dark web, hackers will be able to access our most sensitive online assets. And let’s face it, we’re very bad at using passwords. We reuse them across accounts, don’t change them often, keep notes of them on our fridge, or pick something like — yes, this still happens —123456.
Over the years, several techniques have been developed to protect users against account theft. But they have yet to reach widespread adoption because, for the most part, they add too many steps to authentication and introduce friction and complexity that many users don’t appreciate.
This reflects a reality: Our authentication technologies have not kept pace with the sensitivity and value of our online services. But that might change thanks to advances in artificial intelligence. Machine learning and deep learning algorithms, which in recent years have found their way into many domains and industries, will usher in an era where authentication becomes a smooth experience that doesn’t require users to trade convenience for security.
AI-powered biometric authentication
For many years, companies tried to use biometric authentication such as voice, fingerprint, retina and face scans as alternatives to passwords. But for the most part, these techniques required expensive hardware and could easily be circumvented.
The problem with biometric authentication is that it’s like printing your password. For instance, hackers were easily able to circumvent earlier generations of face recognition authentication technologies using still images, such as public photos obtained from Facebook.
Meanwhile, these technologies quickly break under poor lighting condition or in the case that the user changes their facial hair style or wear a hat. Even iris scanners found on newer smartphones can be fooled with commercial hardware available to all users.
AI can add a level of enhancement to biometric authentication that makes it (almost) hack proof and smart enough to avoid irritating the user. An example is Apple’s new Face ID authentication technology, found on its flagship iPhone X smartphones. Face ID creates a complex model of the user’s face using infrared sensors and an on-device neural network processor, an AI software architecture that seeks correlations and patterns between different data points and turns them into application rules.
This means that instead of comparing whatever it sees in its front camera against still images of the user, the phone will make a sophisticated comparison that takes into account the shape of the user’s face along with other features. The deep learning model powering Face ID can work under different lighting conditions and gradually becomes used to changes that the user’s face undergoes over time, such as changing a hairstyle, growing a beard or wearing a scarf or hat. It will also be able to detect if a user is awake and aware and prevent unintended unlocking of the phone.
To be fair, Face ID is not a perfect solution. Hackers have been able to circumvent it (though at a high cost and under very mysterious circumstances) and it tends to go awry if it hasn’t been trained well (which basically means right after the initial setup). It is not recommended for very high profile celebrities and politicians (or paranoid users like me), but for most users, it is a reliable and convenient alternative to the plain passwords and PINs.
One of the benefits of AI algorithms in user account security is that they can find potentially compromised accounts in real time without breaking the user experience. Deep learning algorithms can create a model of a user’s behavior by analyzing the way the user interacts with a platform, such as login times, IP addresses, devices, or even more detailed actions such as typing, clicking and scrolling habits or the use of keyboard shortcuts.
Afterward, AI algorithms will transparently monitor future interactions through the same account and flag or block behavior that deviates from the established baseline. The process is called adaptive authentication or risk-based authentication, and requires users to perform extra authentication and identity verification steps only if the application’s AI algorithms deem their behavior as suspicious.
For instance, the system can detect a sudden uptick in the downloading of documents and user data in a cloud storage application; abnormal access to archived emails; a large purchase being shipped to a new location; or maybe an abnormal typing and clicking pattern. In such cases, the application will ask the user to provide further proof of account ownership such as typing in a verification code sent to an associated mobile device or email address or plugging in a security USB key.
The addition of AI behavioral analytics smarts to online account protection will make it exponentially more difficult for bad actors to spoof the identity of users. While they might be able to obtain passwords from the dark web, hackers will have a very hard time imitating every behavior and habit that the targeted user has. Meanwhile, real users will have an uninterrupted experience and won’t be bothered with constant security checks as they go about their business.
The future of authentication
The explosion of data and connectivity will provide plenty of ways for AI algorithms to distinguish between imposters and real users. To some, the future of authentication might look a little creepy. And although there will be new concerns to address, specifically on the issue of protecting user data and privacy, once those hurdles are overcome, the future of authentication will offer exciting new opportunities and technologies.
PwC is globally recognized as a leader in cybersecurity — and plans to stay that way. Which is why they’re looking to grow their team with people who are naturally inquisitive, have an investigative mind and get a buzz from solving challenges— such as implementing smart authentication.
Kickstart your career via PwC’s Cyber Security Fast Track and enter an extremely diverse working environment where both the quality and integrity of our products and services is of paramount importance. Apply before July 14.
This post is brought to you by PwC.
Published July 13, 2018 — 08:17 UTC