In my previous blog post Credential Hacking: The Dark Side of Artificial Intelligence, I shared how AI can be used for nefarious purposes, including password hacking, and the means to ensure sound authentication and leverage the use of zero trust in tandem to use AI to fight criminals. I have also shared my view in Password Hygiene: The Present and Future State that we need to go beyond passwords and start think about password-less solutions.
Recently, ISACA released an excellent and comprehensive white paper on Examining Authentication in the Deepfake Era. This white paper gives good background on traditional authentication methods and why they fall short in the era of accelerated AI adoption and use of deepfakes for social engineering attacks. Reading this paper gave me a flashback to the Arup Engineering incident. The British multinational design and engineering company confirmed that it was the target of a deepfake scam that led to one of its Hong Kong employees paying out millions of dollars to fraudsters. Purportedly, not only an online deepfake “live” version of the CFO was in the call, but his colleagues were also “live” in the call as well. This case really brought about a paradigm shift in adversarial tactics.
Amid the sobering backdrop of advanced adversarial tactics, this white paper explores opportunities for new developments, especially with artificial intelligence and quantum computing. It starts off by discussing traditional forms of authentication and how they have evolved, from simple passwords to MFA and biometrics. The white paper then highlights the concern with deepfake threats to biometrics, considering the number of applications of biometrics these days (border control, access to our mobile phones and cloud storage are increasingly reliant on biometrics to reduce friction to users). The paper then proceeds to analyze five deepfake risk vectors relating to biometrics and further discusses associated cybersecurity implications. To anyone considering how to develop a contextualized threat model against biometrics or conduct a risk assessment for the application of biometrics at your organization, this paper becomes a very useful resource.
The paper subsequently highlights the shortcomings of modern authentication and then proceeds to detail advancements to overcome them. There are always two sides to the same coin. What I liked about the paper is that it is thorough in discussing the advantages of AI-driven adaptive and risk-based authentication while also discussing the risks associated with AI in authentication. It also discusses the benefits of using blockchain for authentication and looked further ahead to the use of quantum computing within authentication, reminding me of a blog post I published: Quantum-Resistant Cryptography Not a Matter of ‘If’ but ‘Right Now.
There is also exploration of the importance of authentication in zero-trust architecture. Never trust, always verify is the doctrine behind zero-trust, and we need to apply that to limit the attack surface as well as limit the attacker’s blast radius should a breach occur. Authenticating the right device and ensuring only healthy devices are allowed onto the network is an endeavor we should all strive for.
In this world where the irresistible force paradox (IFP) abounds, the strongest spear will always encounter the strongest shield and vice versa. It is a constant game of cat and mouse. The paper closes by further highlighting the increasing sophistication of cyberattacks, requiring further innovation to counteract them. Truly, I agree that we need to fight hackers with the same tools they are exploiting. The ongoing evolution introduces new paradigms. Cybersecurity needs to be agile and far-sighted, and to adequately invest in continuous innovation in order to keep pace with cyberthreats.
If you haven’t yet given the paper a read, do check it out. It helps to uncover blind spots that you might not have known exist in the risk assessments of your current authentication measures and corresponding risks. It is especially useful to cyber professionals who are responsible for securing their organization’s systems and data.