Two predominant themes stood out at last week's Identiverse 2024 conference in Las Vegas. First, there was the issue of how to defend against rapidly evolving advances in deepfakes, especially for live remote verification. Second, there was a common assumption that widespread adoption of passkeys is right around the corner, and that organizations must prepare to manage and secure passkeys when they become mainstream.
FIDO Alliance Executive Director & CEO Andrew Shikiar touched on both topics in a session Wednesday (May 29) titled "FIDO, Passkeys and the State of Passwordless."
He announced the alliance's new certification standard for facial-recognition technologies. The first (and so far only) organization to receive that certification is iProov. In a keynote address Thursday (May 30), Shikiar added that the FIDO Alliance was ready to offer independent testing of facial-recognition technologies.
As for passkeys, the passwordless, FIDO-certified PKI-based WebAuthn credentials that reside on hardware keys, smartphones, PCs and in the cloud, Shikiar said the question was not if consumers would adopt them, but when.
The FIDO Alliance's goal is "to make passkeys inevitable," Shikiar said. No one at Identiverse expressed any doubt that they would be.
Is it live, or is it Memorex?
Andrew Bud, founder and CEO of iProov, discussed defense against deepfakes an interview we conducted with him Thursday for CyberRisk TV.
"When people present online, either to have their identity verified, or maybe to authenticate themselves, or just when they turn up on a video conference," Bud told us, "there is no longer any reason to believe that you're looking at who you think you're looking at."
Bud related an incident earlier this year in which a financial employee at a Hong Kong firm was fooled by a deepfaked conference call into sending $25 million to scammers.
"The attackers had deepfaked every single board member's face," Bud said. "They had deepfaked the CEO, they deepfaked the entire interaction. There was no way that the financial controller could have known that he wasn't dealing with the real board giving him a real instruction to wire $25 million to some thieves."
Because of rapid advances in deepfake technology, it's getting very difficult for humans to tell the difference between the real thing and an inexpensively made deepfake, Bud added.
"Twelve months ago, you still needed quite a lot of money and quite a lot of skill to produce a deepfake, and you could probably see some artifacts," he said. "Now, just in the last year, everything has changed."
This has a direct impact on remote live verification, such as when conducting online job interviews or verifying identity for financial purposes. For example, the U.S. Internal Revenue Service demands a live remote interview if you're setting up an online account with the agency.
"The task is to make sure that a remote person is whom they claim to be, that they're the right person, that they're the real person, and that they're there right now in the comfort of their own living room in an untrusted environment on an untrusted device," explained Bud.
Deep-sixing the deepfakes
So how can you thwart deepfakes and make certain that you're talking to a real person? iProov does this by introducing random interference into the video feed.
"We introduce an unpredictable element into the scene. We use the screen of the user's device to flash a series of colors which illuminates their face. It's an unpredictable, never-repeated sequence of colors," Bud said.
"And while their face is being illuminated," he added, "we stream video back to our servers where we analyze the reflection of those screen colors from the user's face. The way that it reflects off the face and interacts with the ambient light tells us that we're looking at a live skin-covered human-face-shaped 3D object. And the sequence of colors tells us that they're right there, right now."
The ease and realism of deepfakes was demonstrated during sessions and keynotes in which deepfake videos were shown to the audience, which had trouble telling the fakes from the real thing.
In a session we attended titled "Biometric Authentication Versus the Threat of Deepfakes," 1Kosmos Chief Security Officer Mike Engle quickly switched his face with those of actors Tom Cruise, Jude Law and John Krasinski. Those weren't even very good deepfakes, Engle said, because they used still images as their source materials and had to guess the shapes of the movie stars' profiles as Engle turned his head.
There are various technical ways to spot deepfakes, Engle added. A copy of a photo won't have the same color dynamic range as the original, which an image analyzer can quickly spot. But that won't stop someone from creating a fake driver's license using a stolen photo and then presenting the fake license as proof of identity during a video call.
To spot such fakes during video job interviews, you need a lot of data points, explained Jason Pratt during the same session. Pratt is a principal identity architect at a large travel company that he wouldn't name -- he doesn't even reveal it on his LinkedIn profile.
But Pratt would say that his company has thousands of temporary staffers all over the world, many of whom are hired over Zoom. Naturally, that makes it hard -- but not impossible -- to verify the IDs that the job prospects present.
For example, most U.S. driver's licenses can quickly be checked with a lookup in the database of the American Association of Motor Vehicle Administrators. Similar systems exist for passport verification.
Email addresses, social-media accounts and mobile-phone numbers can also serve to verify identity, Pratt said. If someone has had the same Facebook account and cellphone number for 15 years, that's a pretty good indicator they're real. The billions of email addresses collected in data breaches over the past two decades can also serve as a good indicator, Pratt added -- if an email address ISN'T in the public corpus of breached data, then it may be fake.
Presumptive problems with passkeys
To bolster his contention that widespread consumer acceptance of passkeys would come very soon -- and to counter passkey skepticism -- Shikiar cited the rapid growth in companies that offer passkey support. (There are at least 24 companies that provide device-bound passkeys as full password replacements, and many more that support passkeys as a factor in MFA.)
A recent FIDO Alliance survey makes the somewhat incredible claims that 62% of 2,000 respondents queried in the U.S. and U.K. said they had heard of passkeys, and 53% had activated them on at least one account. (Survey respondents received an emailed invitation to participate.)
Many sessions we attended at Identiverse focused on potential security issues with passkeys, and possible solutions for those problems.
Rew Islam, director of product engineering and innovation at password-manager Dashlane, got into the technical details of supporting passkeys in a session Friday morning. He pointed that some passkey implementations were less secure than others, such as when user verification of the intent to use a passkey was not required.
However, Islam added, some passkey authenticators may not support user intent verification, so the best option for relaying parties -- the services that users are trying to sign into -- is to set user intent verification as "preferred" rather than "required."
Jose Rodriguez and Shane Weeden, respectively chief product architect and senior technical staff member at IBM, discussed Big Blue's ongoing experiences with implementing passkeys (very slowly) for employees. Despite the very smooth process available -- they demonstrated using Touch ID on a Mac laptop to log into IBM's SaaS intranet with a passkey -- 97% of IBM's 37,000 staffers still use passwords, Rodriguez and Weeden admitted.
To get more employees to switch over, IBM is using "nudge theory" to coax users, forcing regular password expiration and offering passkeys as an convenient alternative when renewing passwords. Education is key, Rodriguez and Weeden said, and to that end, IBM has created passkey support channels on Slack and on the workplace helpdesk.
There was one other issue. When device-bound passkeys were first deployed internally at IBM, Rodriguez and Weeden said, the internal security team considered them strong enough to not require MFA. But then Apple introduced Keychain-based syncing of passkeys "and our security chief s*** the bed."
Now, Rodriguez and Weeden said, internal IBM passkeys are subject to contextual MFA challenges, such as push notifications or another passkey. The strictly device-bound passkeys on Windows ended up being an advantage.
'A really nice honey pot'
Dean Saxe, senior security engineer with AWS Identity and co-chair of the FIDO Alliance Enterprise Deployment Working Group, was part of four different sessions, panels and workshops, including a late-Thursday session about the threat model (!) posed by passkeys.
"You should be using passkeys," Saxe told the audience. "Passkeys are better than passwords. But passkeys are not risk-free."
Passkeys synced among Android or Apple devices are recoverable by the user, Saxe pointed out, but as the IBM team discovered, that creates a security risk because those passkeys are saved in a (highly encrypted) cloud. Certification of that "sync fabric" is on the way, Saxe said, and will hold passkey providers to a baseline standard of security.
Furthermore, Saxe said, echoing Islam's comments, not all passkey providers (he named a couple of password managers) enforce user intent when authenticating passkeys. That creates a potential avenue for phishing synced passkeys, especially because some passkey providers do not encrypt the export of a private key when a user is changing credential managers.
The FIDO Alliance is working on a credential-manager migration standard, Saxe said, but passkey-recovery protocols would still not be able to discover that credentials may have been migrated. In other words, a passkey authenticator might not be able to tell whether a passkey has been stolen or phished, because the passkey would lack attestation that it was being used by the authorized user.
The trust models for passwords and passkeys are very different, Saxe explained. The password trust model is based on entropy -- the password's degree of random uniqueness -- and secrecy, and password users can decide whether or not to place all their trust in a password manager.
But passkeys force users into passkey-provider ecosystems, Saxe said, and the passkey trust model depends on the security of the passkey provider, whether that is Apple, Google, Microsoft or one of the other 21 providers so far.
"Passkeys make a really nice honey pot for attackers," said Saxe.
Passport to passwordless
So if you need to recover a passkey, or regain access to a passwordless account, you should in theory provide a credential that is even stronger and more trusted than the credential you are trying to recover. What could that possibly be?
Rob Brown of Inverid has a possible answer -- your biometric-chipped, government-issued passport. Most modern passports have a NFC-ready microprocessor embedded somewhere in the cover or internal pages that can be accessed by an NFC reader. (Brown had audience members download a smartphone app to test it out.) On that chip is your photograph, vital details, and other personal details that verify your identity.
Those passport chips aren't just RFID transceivers, Brown said. In fact, they have an operating system, and they can respond to a public-private key challenge in much the same way as a FIDO/WebAuthn authenticator. This makes a chipped passport the ultimate verifiable credential, or, as Brown said with chuckle, "the OG VC."
"We've got a technique available to billions of people to recover accounts securely," Brown said.
He said that BankID in Norway and two Dutch banks were already accepting chipped passports as verifiable credentials in account recovery. However, because a passport can always be stolen, Brown said the best way to go about the recovery process is to couple the passport with an in-person presence.
Other Identiverse developments
Kateryna Semenova and Diego Zavala, Android developers at Google, previewed a credentials-manager API coming to Android that would offer a unified interface for passwords, passkeys, and Google-provided federated/single-sign-on credentials, as well as digital credentials like drivers' licenses stored in wallet apps. Passkey support is also coming to Google's Wear OS smartwatch platform, they said.
Sean O'Dell, senior staff security engineer of identity security at Disney, spoke about implementing zero standing privileges -- the concept that no user should have permanent special access to any system, but should instead be temporarily granted those privileges on a need-based basis.
"Passwords should no longer be the golden key, and sessions should no longer give you permanent access," O'Dell said. Quoting well-known identity expert Ian Glazer, he added, "User accounts should have no standing access rights. They should not be able to do anything except log in."
Getting to zero standing privileges isn't as difficult as it seems, he said. You can implement it incrementally, starting with the areas of highest risk such as privileged access systems. O'Dell also provided a demonstration of how to grant, wait, and then remove user access to an AWS account.
Melanie Maynes and Sarah Scott, product marketers at Microsoft, gave a demonstration of how Microsoft's Copilot could assist with routine IAM tasks, such as discovering users, sign-in logs, user roles, groups, and risky users. Copilot also did a deep dive about a potentially risky user, quickly gathering information about the user's history and behavior. Most of the demonstrated abilities involved data gathering and analysis, but Copilot also set up a basic onboarding process.
And to flip the script on identity, Lisa LeVasseur, executive and research director of Internet Safety Labs, pointed out that there a gigantic, hidden identity infrastructure on the internet. It consists of all the data amassed about consumers and internet users over the past three decades by advertisers, marketers, data brokers, fraudsters, internet service providers and others using ad technology, browser fingerprinting, device IDs, and more.
You don't choose to be included in the hidden ID infrastructure, LeVasseur said -- it chooses you. One completely legal data aggregator has 900 synchronization partners from whom it gathers data through cookies, pixels, and other means, and then distributes this data to its customers. Some other companies strictly maintain data analytics and don't share data.
The goal of the "visible" ID infrastructure is to control and limit access to resources with a low tolerance for error, LeVasseur said. But the hidden ID infrastructure seeks to broadly join diverse swathes of information and has a high tolerance for error.
"There is a massive demand for hidden identification," she said. "Consumers didn't ask for this -- but we do like 'free.'"
