Tag Archives: identity

Who are you? – Identifying yourself, from a security perspective

They say you are what you eat. I think that you are whoever you seem to be plus who you really are. Others’ perception of you, while not truly important, may contribute to the scope of “who you are”.

Who are you?

In a doctor’s office they would start off with questions regarding name, address, gender, family, and then get into activities you do. They are attempting to triage you based on your lifestyle, the activities you perform and your genetic history. There is obviously merit to this as it is certainly a strong factor in well-being. The car you drive, the clothes you wear…while they won’t affect your health, they certainly factor in to how others perceive you. The way you walk, the way you curse (or not), whether you think it is rude to text while talking to someone else. All of these things come together to form an image: you.

Let’s explore these relationships and how understanding them can help identify and understand “you” the best we can.

1. You are a person.
2. Your gender is male.
3. You have dark hair.
4. You wear glasses.
5. You are left handed.
6. You live in Baltimore.
8. You are married.
9. You have two children.
10. You work in Baltimore.
11. You drive to work in a car.
12. You drive a sedan.
13. You own a mobile phone.
14. You are a Software Engineer.
15. You enjoy solving challenging problems.
16. You enjoy classic rock.
17. You are a passionate person.
18. You talk loudly.
19. You do not like hot weather.
20. You like to eat blueberries and do not like bananas.

Okay, so these are all true observations about myself. Let’s analyze this list for a second. Most of this list can be broken up into categories:

1. Observable physical attributes
2. Observable personality traits
3. Family members
4. Possessions
5. Preferences and opinions

I would call all of these attributes “core” attributes. They can change over time; I may drive a different car, or own a different phone. Ultimately this list would have to stay up to date and relevant.

There is a new buzzword being used, IoT or Internet of Things. This notion isn’t a new idea…just like the “cloud” isn’t a new idea. IoT emphasizes the relationships between objects that do not need human interaction. A prime example could be a door with a special lock that is linked to your mobile phone and unlocks the door when you are within a certain proximity to it. Most of these items to date have been more about convenience and have not really been adopted by the layman.

I think that IoT can be utilized to fill in the blanks between our lives in more ways than you might think. Combining the proper IoT devices with highly advanced software, you can build an ecosystem that makes your security and connectivity as simple as snapping your fingers.

I have a phone at work, my mobile phone when I’m on the go, and a phone at home. Imagine that when I am at work all of my calls were routed to my work phone. When I am on the go, all to my mobile phone, and when at home all calls routed to my home phone. Aside from being a nice convenience, this buys you a lot more. That call never rings at work when I am not there, and therefore no one can answer it for you.

Replace the phone call with my computer. I have one at work, and one at home. When I’m at home my work computer is locked and my home computer is unlocked. When at work, my work computer is unlocked and my home computer is locked.

Now replace the computer with a virtual account like your bank account. When the user is “you”, you have access to your account. Somebody else doesn’t have access to your bank account.

Today, you use things like typed-in secret credentials to authenticate yourself. Since you know this secret information you must be the account holder. Therefore, anyone who knows this secret information may access your account.

Additional precautions have been added to further lock down your account. You need your smartphone in order to receive a code in addition to your secret credentials. Not only do you need to know the secret information, but you also need access to your phone. This is an obvious step in the right direction, but it certainly makes it more difficult for “you” to access your account. Obviously, to date the extra step has been worth it for the added protection against unauthorized access. What if you could just say to your bank account…it’s me, let me in!?

Let’s take what we have already established about your core attributes and what we know about secret credentials. What if we could take properties from the five categories we listed above and use them to build a signature that would clearly identify you, and no one else?

Let’s pretend that we walk around with a special bleeding edge recording device that captures all sorts of information for a month. This device takes everything and categorizes its data into these five different categories. It breaks down that data into a knowledge database that has facts and assumptions. Associated with each assumption may be a corresponding confidence, expressing the level of certainty of that assumption. Certain types of facts may also have confidence levels; perhaps this fact was observed but only rarely or under special circumstances. Assumptions may have been suggested based on observations that haven’t yet reached the threshold of a fact.

Next time you want to access your bank account, instead of logging in with your secret credentials and multi-factor code, what if you provided your signature? After you walked around with this recording device, the data was converted into a knowledge database that generated a signature. This signature is a representation of the knowledge about you. Now when you want to access your account you need to satisfy the knowledge base by producing a compatible signature.

What is this signature?
How is it derived from the knowledge base?
How do you produce a valid signature that is compatible with the initial signature?

We said earlier that there will be a confidence associated with facts. Assumptions are assertions that are less certain than a fact but may be true.

If you asked me to write down a list of five items that identify me by my core attributes, I would most likely respond with some version of the list of twenty above.

– Location is easy…high confidence
– Certain attributes change; that would be specified in their definition and taken into account according to the nature of how they change
– Data feeds from other “people” can be linked into yours, like the next evolution in social networking
– I may be acting slightly differently, but because I am sitting here with my son and daughter, I must be me. This uses data from other people in conjunction with your own data. Data is published to granted parties for consumption.
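One way to make the facts/assumptions/confidence idea concrete, as an added example (not code from the original post): a month of constructed sightings is condensed into a knowledge base where each attribute carries a confidence, entries above a threshold become facts, and a presented signature is scored by confidence-weighted agreement. Attribute names, the 0.8 fact threshold and the 0.75 acceptance threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

FACT_THRESHOLD = 0.8  # share of sightings that must agree before an assumption becomes a fact

# Constructed sample: a month of sightings from the hypothetical recording device.
# Each attribute is prefixed with one of the five categories from the post.
SIGHTINGS = [
    ("physical.handedness", "left"),
    ("physical.glasses", True),
    ("family.children", 2),
    ("possessions.car", "sedan"),
    ("preferences.music", "classic rock"),
] * 9 + [
    ("possessions.car", "rental"),        # seen once: a different car one day
    ("preferences.music", "jazz"),        # seen three times: enough doubt to keep it an assumption
    ("preferences.music", "jazz"),
    ("preferences.music", "jazz"),
]

def build_knowledge_base(sightings):
    """Turn raw sightings into {attribute: (value, confidence, kind)}.
    Confidence is the share of sightings agreeing on the dominant value;
    kind is 'fact' at or above FACT_THRESHOLD, otherwise 'assumption'."""
    counts = defaultdict(Counter)
    for attr, value in sightings:
        counts[attr][value] += 1
    kb = {}
    for attr, ctr in counts.items():
        value, n = ctr.most_common(1)[0]
        confidence = round(n / sum(ctr.values()), 3)
        kind = "fact" if confidence >= FACT_THRESHOLD else "assumption"
        kb[attr] = (value, confidence, kind)
    return kb

KB = build_knowledge_base(SIGHTINGS)

def signature_score(kb, presented):
    """Confidence-weighted agreement between presented attributes and the knowledge base.
    A mismatch costs exactly the confidence of the entry it contradicts, so a wrong
    assumption (music taste) hurts far less than a wrong fact (handedness)."""
    total = sum(conf for _value, conf, _kind in kb.values())
    agreed = sum(conf for attr, (value, conf, _kind) in kb.items()
                 if presented.get(attr) == value)
    return agreed / total

def authenticate(kb, presented, threshold=0.75):
    """Accept only when the presented signature is close enough to the stored one."""
    return signature_score(kb, presented) >= threshold
```

A day of jazz in a rental car still scores above the threshold, while someone who knows the secret but is right-handed with no children does not.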

You are what you do – Identification based on behavior

Thinking about the desire for a password-less society: when it boils down to it there are a few major categories of password security.

1. You need something physical that only the owner would possess.
2. You need some sort of knowledge that only the owner would possess.

We are familiar with the first and second one. The first can be a simple lock and key. The second a username and password.

The third, less common and much more difficult to achieve, is the password that isn’t a password, rather that which can verify that you are “acting” or doing something the same way that the authenticated party would. There are movies that use a voice recording and match the voice signature against the authenticated party’s known voice. I’ve read articles about detecting a distinct electrical signature that the owner gives off, unique to himself. I’ve also heard of individual keystroke patterns, much like handwriting recognition.

I had written about an idea that learned what websites you went to, your purchase history, radio history, Netflix, etc.…essentially giving it as much data as possible, all used to train a model that authenticates you with predictive algorithms.

I like this idea, but it’s really complicated and will require highly sophisticated models.

One additional factor that has not been mentioned is whether or not the authentication is occurring according to the account holder’s will or against their will. If an account owner is held at gunpoint or in some sort of situation that would threaten their life or that of a loved one, they may give up credentials to access the sensitive information. For some things that is obviously okay and the “smart” thing to do. For other things, like matters of national security, some may say that giving that information up is so damaging that they would not want to divulge it even when their life is being threatened.

It is an unfortunate but real situation that certain types of data may face. A security mechanism would be ideal if it could prevent the account owner from authenticating even if they have “given up” and are trying to save their life…the data may not be compromised no matter what, and a safeguard must be in place.

We can utilize the human factor to add additional layers of security. Biometric data such as heart rate, the account holder’s posture, their walking gait, their speech patterns, hand gestures. All of these characteristics can be used to identify anxious and unusual behavior. If we are dealing with a case of torture there will certainly be telltale signs.

This is obviously an extreme yet real case, one that I used to help illustrate a point. In extreme scenarios even the best trained soldiers will react under pressure. I think that with a well calibrated “mechanism” using a multitude of sensor data, a baseline can be established to identify a user. This could not only identify the user but also identify certain behaviors, moods and reactions of the user.

Let’s take facial recognition. Utilizing a few dozen positions on the user’s face, measuring the distances and locations of certain parts of the face can yield a very accurate model to identify that individual in the future.

Now take that same facial recognition while the user is watching a comedy, and a tear-jerking movie. We can establish a baseline for emotion for each individual response we want to associate. Utilizing heart rate, hand gestures, and the like, once well trained, a few quick images could reveal instantly who the user is.

Utilizing tools like Kinect and Leap Motion, adding in things like infrared and close images of the pupil and the face, a great deal of information can be used to identify a user.

Imagine if you could watch a movie and the next time you do I could predict how you will react at each frame with a percent of certainty.

I am not suggesting that we merely understand the psyche of the user, but more their innate responses and tendencies…these are not things that can easily be broken.

At a minimum, one thing we can take from this is the ability to add in the “scared” factor, or rather to detect unusual behavior, and with that we can protect many things. I want to use this to identify you, and to know when it is you but you aren’t acting like yourself. Obviously certain traits will be more dominant than others.

We can treat this as just a layer on top of a standard multi-factor system that incorporates tests to help verify that the account holder is not under duress.
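The duress layer described above, as an added example (not code from the original post): a per-signal baseline (mean and spread) is fitted from sessions where the account holder was known to be calm, a new session is scored as z-scores against that baseline, and the verdict is combined with the primary factors so that identity alone never grants access. The three signals, the readings, the z-score cutoff of 3.0 and the two-signal duress rule are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: readings from sessions where the holder was known to be calm
# (heart rate in bpm, speech rate in words per minute, mean key interval in ms).
BASELINE_SESSIONS = {
    "heart_rate":      [62, 65, 64, 66, 63, 61, 64, 65],
    "speech_wpm":      [150, 148, 155, 152, 149, 151, 153, 150],
    "key_interval_ms": [180, 175, 185, 178, 182, 177, 181, 179],
}
Z_UNUSUAL = 3.0   # a single signal this far from baseline is flagged
N_DURESS = 2      # this many flagged signals at once is treated as suspected duress

def fit_baseline(sessions):
    """Per-signal (mean, population std dev) learned from calm sessions."""
    return {sig: (mean(vals), pstdev(vals)) for sig, vals in sessions.items()}

def score_session(baseline, session):
    """z-score of each reading present in the session against its baseline."""
    z = {}
    for sig, (mu, sd) in baseline.items():
        if sig in session:
            z[sig] = (session[sig] - mu) / sd if sd > 0 else 0.0
    return z

def assess(baseline, session):
    """Verdict plus the signals that drove it: normal, unusual, or duress_suspected."""
    z = score_session(baseline, session)
    flagged = [sig for sig, v in z.items() if abs(v) >= Z_UNUSUAL]
    if len(flagged) >= N_DURESS:
        return "duress_suspected", flagged
    if flagged:
        return "unusual", flagged
    return "normal", flagged

def decide(identity_verified, verdict):
    """Layer on top of the primary factors: a verified identity that is not
    behaving like itself is stepped up or denied rather than let straight in."""
    if not identity_verified:
        return "deny"
    return {"normal": "allow", "unusual": "step_up",
            "duress_suspected": "deny_and_alert"}[verdict]

BASELINE = fit_baseline(BASELINE_SESSIONS)
CALM_SESSION = {"heart_rate": 64, "speech_wpm": 150, "key_interval_ms": 180}
DURESS_SESSION = {"heart_rate": 95, "speech_wpm": 175, "key_interval_ms": 140}
```

A raised heart rate on its own (say, after a run) only triggers a step-up, which is the tolerance the post asks for when you are you but not acting like yourself.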

The completely different application for this is convenience and AI facilitators. If we can get the pattern down to identify an account holder and then be able to detect variances in their behavior, we can trigger different things in response to that. This goes well beyond security and much more into the realm of IoT and automation, but let’s explore it.

You come home and you walk in. Of course your car has pulled up and your home already knows that you are approaching with your Wi-Fi connected phone. You are emitting your MAC address and a public key, alerting your house that you are approaching. Your door is unlocked with NFC automatically, but really, Wi-Fi with a unique signature ID can trigger that as well. You walk in and your home is already lit to your specifications, and temperature control as well. Nest helps with some of this, as well as detecting ambient light in conjunction with the room and the individuals involved. Depending on the activities, different illumination settings can be triggered. When a “reading” action is triggered, lighting should accommodate your preference. Okay…I’m leading up to it…now when you get to your computer it is unlocked because you are using it. My vision of the ultimate in security and convenience is really one solution. Tracking your behavior, your adjustments, your actions, your reactions. Learning from them to better identify you and make your life more secure.

Your house knows it is you because it knows your stride, your face, your smile, and the way you hum. All of these sorts of things that your girlfriend may pick up on can be incorporated into the ultimate system, which helps to “get to know you to protect you”.

Authentication: The real me

Authentication as we use it in the security world obviously comes from the word “authentic”, meaning genuine. Today we find most common authentication means are simply fulfilling an already established contract with secret information that only the account owner would possess. This gives no insight into whether the user who initially established the account, let’s call him Bob, is in fact the one logging into his account, or whether Alice, a third-party listener, may have somehow obtained Bob’s authentication credentials. Since Bob’s credentials may be a username and password pair, the only thing that protects this account is possessing this secret information. You haven’t missed anything; all I have said is that modern day authentication means rely on secrecy or private information that only the account holder would possess. What if we were able to actually establish that Bob is the same Bob that initially established his account? Not due to knowledge of a simple pair of username/password credentials, or a selected picture and the like. Rather, what if Bob was somehow able to expose his likes, dislikes, habits, tendencies, interests, etc. and this information could be used to verify not that Bob knows his password, but that Bob is Bob.

The closest thing I have seen that somehow utilizes this is during credit checks. The questions are almost entirely address-verification multiple choice questions. Did you live on street X?

Imagine you have a browser extension installed. You read an article that makes you “sad”, or makes you “happy”. You click on your “authentication” icon and use an emoji to express what you feel, or perhaps use a few tag keywords to convey your response. This data may be collected and used to build a statistical model that generates verification questions for an authentication service. Your web history, emails, shopping tendencies, music you listen to. All of this can be used to provide data to help paint a picture of things that would show “how” you think and how you react.

Pandora does this to provide you with recommended music. The more you show what you like and dislike about the recommended music, the more you train your station. Imagine if the next time you logged in to Bob’s account he was asked two questions: which songs in this list would you prefer to listen to? This is not ironclad, and different types of data can have different results and predictability.

This is a very general idea, but I think that ultimately, just as now we can use Facebook and Google as ways to log into our accounts…imagine if we used our Pandora, Netflix, and Amazon accounts as seed data to ask us questions to verify our identity!!
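The “which of these songs would you listen to?” check from the two paragraphs above, as an added example (not the post’s own code and not Pandora’s API): a constructed listening history with play counts and thumbs ratings is mined for strong preferences, each question pairs one strongly liked song with distractors the holder rated down, and the account is verified only when every round is answered correctly. The history, the minimum play count and the number of rounds are assumptions made for the example.

```python
import random

# Constructed listening history for "Bob": song -> (plays, thumbs) where thumbs is
# +1 for a thumbs-up, -1 for a thumbs-down, 0 for unrated.
HISTORY = {
    "Hotel California":   (42, +1),
    "Stairway to Heaven": (37, +1),
    "Free Bird":          (29, +1),
    "Comfortably Numb":   (18, 0),
    "Baby Shark":         (1, -1),
    "Call Me Maybe":      (2, -1),
    "Friday":             (1, -1),
}

def strong_preferences(history, min_plays=10):
    """Songs the model is confident the holder likes: rated up and played often.
    Unrated or rarely played songs are too weak a signal to build a question on."""
    return sorted(s for s, (plays, thumbs) in history.items()
                  if thumbs > 0 and plays >= min_plays)

def dislikes(history):
    """Songs the holder rated down; used as distractors the real holder would not pick."""
    return sorted(s for s, (_plays, thumbs) in history.items() if thumbs < 0)

def make_question(history, rng, choices=4):
    """One round: a shuffled list of options and the single expected answer."""
    answer = rng.choice(strong_preferences(history))
    options = [answer] + rng.sample(dislikes(history), choices - 1)
    rng.shuffle(options)
    return options, answer

def verify(history, respond, rounds=2, seed=None):
    """respond(options) -> the option the person chose. Accept only if every
    round is answered correctly; a single wrong pick fails the whole check."""
    rng = random.Random(seed)
    for _ in range(rounds):
        options, answer = make_question(history, rng)
        if respond(options) != answer:
            return False
    return True
```

With four options per round a blind guess still succeeds one time in sixteen over two rounds, which is the post’s “not ironclad” caveat in numbers.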

I am about to post another idea about CAPTCHAs, but look at this: http://en.wikipedia.org/wiki/Google_Image_Labeler I remember when this game was around and Google used people to help train/verify its image search results. I could certainly see a game such as this used to both train and verify a user’s identity.

This can become a great deal more abstract. I have read recently about http://www.washingtontimes.com/news/2015/jan/24/true-cybersecurity-intelligent-computer-keyboard-i/ recent efforts in keystroke analysis to identify users by their unique electronic signature.

A bit of a rant, but I think there are some solid ideas here.