In the world of Cyber today, there is a plethora of
technojargons out there. Two of them
have been around for a long time, and these are “Authentication” and “Authorization”. While the two have totally separate meanings,
they are often used in conjunction with each other.
So before we move any further, it is important now to
distinguish these two, so here we go:
Authentication can be defined as:
“Authentication is the act of validating that users are who
they claim to be. This is the first step in any security process.”
(SOURCE: https://www.okta.com/identity-101/authentication-vs-authorization/)
Authorization can be defined as:
“Authorization in system security is the process of
giving the user permission to access a specific resource or function.”
(SOURCE: https://www.okta.com/identity-101/authentication-vs-authorization/)
So as you can see, authentication is merely confirming who you
are, and authorization is giving you access to what you need on a shared server. It is also important to note that the former
comes first, then the latter (believe it or not, even if this is a point of
confusion).
In relation to this, there are two other pieces of
technojargon that you need to be aware of: Two Factor Authentication (2FA) and
Multifactor Authentication (MFA).
With the first one, you are using at least two methods to confirm
the identity of an individual. With the
other one, you are using at least three (and perhaps even more) methods of
authentication. For the longest time,
2FA was the preferred choice instead of just using the password, but even this
has proven to have weaknesses.
So, now the choice is to use MFA, because of all of the possible
combinations that it can offer.
But as in anything else, there are also some weaknesses that
can be found with MFA as well. So, now a
new idea has emerged, and that is using Generative AI as a possible means of identification
in an MFA methodology. I think I recently
wrote a blog about this recently, but in simple terms, Generative AI is when you
use it come up with new outcomes, or approaches.
A good example of this is in content creation. Many writers are now using ChatGPT to come up
with new content, rather than having themselves do it (I have my views on this,
but I will save it for a later time). So
how can Generative AI help with an authentication approach? Here are three ideas:
1)
Confirming the user:
As mentioned earlier, there are
numerous ways in which to confirm the identity of an individual, and at the present
time, it is the password that is most heavily used. There is a strong movement to get away from
this in an MFA setting, and the preference is now to start using Biometrics,
such as Fingerprint Recognition, and even Iris Recognition. But, there is some squeamishness with end
users about this, especially if their templates get hacked into. Plus, every that time that an employee uses a
Biometric modality, they have to keep submitting their fingerprint or have
their iris scanned. So, the hope here is
that a Generative AI system can alleviate these bottlenecks, by “remembering” a
template when it is first created. But
the worry here is what if a Generative AI can automatically recreate a template,
and be used for nefarious purposes. At the
present time, the templates are just mathematical representations of either the
finger or the iris. So even if it were
to be stolen, they cannot be reverse engineered to recreate the actual finger or
iris. But can Generative AI do
this? I really don’t know, to be honest. It is also important to note as well that
most Biometric systems require what is known as “Live Scan”. This simply means that a person needs to have
a pulse first before it can be authenticated.
2)
Creating user profiles:
This is when a network security device,
for example, creates a profile over a certain period of time of network
traffic. This is very often used to determine
what is normal activity and what is not.
In this regard, Generative AI could potentially be used to create baseline
profiles of people as a means of identification. For example, a Generative AI system could
possibly be created to keep track of the activities of an employee, and build a
profile on them. If all is normal, then
it is quite like that the employee will be confirmed. But if anything falls out of the norm, then
they will be rejected. As far as I know,
nothing like this is being used in the real world. But if it ever does happen, businesses will
have to notify employees of this happening.
Keeping profiles of network traffic is one thing, but using it on people
is totally different thing. And if they
are not notified, it could be a sheer violation of privacy rights.
3)
Document Security:
With the world being almost totally
digital today, making sure that documents are original and the signatures are
legitimate is a huge concern. While the Blockchain
has proved useful here, the Cyberattacker of today can still find ways to alter
documents and their corresponding signatures.
But Generative AI can be used here to confirm the legitimacy of these two
items. But once again on the flip side,
what is to prevent a Cyberattacker from using ChatGPT to create an identical looking
document and use that to launch a Business Email Compromise (BEC) Phishing
attack? But it is expected that Corporate
America will spend more money to fight fraudulent documents, as some 60% of
businesses plan to increase their budgets to help fight fraud. More information about this can be seen at
the link below:
http://cyberresources.solutions/blogs/fraud.pdf
My Thoughts On This:
Honestly, I never thought about Generative AI being used in
this context, when it comes to authentication.
It could be a great way to secure the identities of individuals, but
also at the same time, given the easy access of it (as exemplified by ChatGPT) the
flip side is also clearly evident. Therefore,
before rushing into using AI for anything, test it out first in an isolated
environment.
Make sure it “behaves” nicely with all of your other systems,
and that it does not pose any further risks or vulnerabilities.
No comments:
Post a Comment