Saturday, July 22, 2023

Will Generative AI Be The Boon Or Bane Of MFA?

In the world of Cyber today, there is a plethora of technical jargon out there. Two terms have been around for a long time: “Authentication” and “Authorization”. While the two have totally separate meanings, they are often used in conjunction with each other.

So before we move any further, it is important to distinguish between these two, so here we go:

Authentication can be defined as:

“Authentication is the act of validating that users are who they claim to be. This is the first step in any security process.”

(SOURCE:  https://www.okta.com/identity-101/authentication-vs-authorization/)

Authorization can be defined as:

“Authorization in system security is the process of giving the user permission to access a specific resource or function.”

(SOURCE:  https://www.okta.com/identity-101/authentication-vs-authorization/)

So as you can see, authentication is merely confirming who you are, and authorization is giving you access to what you need on a shared server. It is also important to note that the former comes first, then the latter (this is a common point of confusion, but the order matters).

In relation to this, there are two other terms that you need to be aware of: Two Factor Authentication (2FA) and Multifactor Authentication (MFA).

With the first one, you are using at least two methods to confirm the identity of an individual. With the other one, you are using at least three (and perhaps even more) methods of authentication. For the longest time, 2FA was the preferred choice over just using a password, but even this has proven to have weaknesses.

So, now the choice is to use MFA, because of all of the possible combinations of factors that it can offer.

But as with anything else, there are also some weaknesses that can be found with MFA as well. So, now a new idea has emerged, and that is using Generative AI as a possible means of identification in an MFA methodology. I think I recently wrote a blog about this, but in simple terms, Generative AI is when you use AI to come up with new outputs or approaches.

A good example of this is in content creation. Many writers are now using ChatGPT to come up with new content, rather than writing it themselves (I have my views on this, but I will save them for a later time). So how can Generative AI help with an authentication approach? Here are three ideas:

1) Confirming the user:

As mentioned earlier, there are numerous ways in which to confirm the identity of an individual, and at the present time, it is the password that is most heavily used. There is a strong movement to get away from this in an MFA setting, and the preference is now to start using Biometrics, such as Fingerprint Recognition and even Iris Recognition. But there is some squeamishness among end users about this, especially if their templates get hacked into. Plus, every time that an employee uses a Biometric modality, they have to submit their fingerprint or have their iris scanned again. So, the hope here is that a Generative AI system can alleviate these bottlenecks by “remembering” a template when it is first created. But the worry here is what if Generative AI could automatically recreate a template that could then be used for nefarious purposes. At the present time, the templates are just mathematical representations of either the finger or the iris. So even if they were to be stolen, they cannot be reverse engineered to recreate the actual finger or iris. But can Generative AI do this? I really don’t know, to be honest. It is also important to note that most Biometric systems require what is known as “Live Scan”. This simply means that a person needs to have a pulse before they can be authenticated.

2) Creating user profiles:

This is analogous to how a network security device, for example, creates a profile of network traffic over a certain period of time. This is very often used to determine what is normal activity and what is not. In this regard, Generative AI could potentially be used to create baseline profiles of people as a means of identification. For example, a Generative AI system could possibly be created to keep track of the activities of an employee and build a profile on them. If all is normal, then it is quite likely that the employee will be confirmed. But if anything falls out of the norm, then they will be rejected. As far as I know, nothing like this is being used in the real world. But if it ever does happen, businesses will have to notify employees that it is happening. Keeping profiles of network traffic is one thing, but using it on people is a totally different thing. And if they are not notified, it could be a sheer violation of privacy rights.
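One way to implement the baseline-profile idea above as a risk signal inside MFA, as an added example that is not from the post or from any product it mentions: it builds a per-user profile from a constructed login history (hypothetical sample data), scores a new login by how many of its attributes are unfamiliar, and asks for an additional factor on a partial mismatch instead of rejecting outright.

```python
from collections import Counter, defaultdict

# Constructed login history for one employee (hypothetical sample data):
# six successful logins from the usual country and devices during work hours.
HISTORY = [
    {"hour": 8, "country": "US", "device": "laptop-a1"},
    {"hour": 9, "country": "US", "device": "laptop-a1"},
    {"hour": 10, "country": "US", "device": "laptop-a1"},
    {"hour": 13, "country": "US", "device": "laptop-a1"},
    {"hour": 14, "country": "US", "device": "phone-b7"},
    {"hour": 17, "country": "US", "device": "laptop-a1"},
]

RARE = 0.05  # a value seen in under 5% of the history counts as unfamiliar


def features(event):
    """Reduce a raw login event to the attributes the profile is built on."""
    bucket = "work" if 7 <= event["hour"] <= 19 else "night"
    return {"time": bucket, "country": event["country"], "device": event["device"]}


def build_profile(events):
    """Baseline profile: for each attribute, how often each value was observed."""
    profile = defaultdict(Counter)
    for event in events:
        for attr, value in features(event).items():
            profile[attr][value] += 1
    return profile


def anomaly_score(profile, event):
    """Fraction (0..1) of the event's attributes that are rare or unseen for this user."""
    feats = features(event)
    unfamiliar = 0
    for attr, value in feats.items():
        total = sum(profile[attr].values())
        if total == 0 or profile[attr][value] / total < RARE:
            unfamiliar += 1
    return unfamiliar / len(feats)


def decide(profile, event):
    """Turn the score into an outcome; a partial mismatch asks for another factor."""
    score = anomaly_score(profile, event)
    if score == 0:
        return "allow"
    if score < 0.5:
        return "step-up"  # require an additional factor rather than rejecting outright
    return "deny"
```

Because the profile is built from an employee's own activity, the notification concern raised above applies to any deployment of it.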

3) Document Security:

With the world being almost totally digital today, making sure that documents are original and that signatures are legitimate is a huge concern. While the Blockchain has proved useful here, the Cyberattacker of today can still find ways to alter documents and their corresponding signatures. Generative AI could be used here to confirm the legitimacy of these two items. But once again, on the flip side, what is to prevent a Cyberattacker from using ChatGPT to create an identical-looking document and use that to launch a Business Email Compromise (BEC) Phishing attack? It is expected that Corporate America will spend more money to fight fraudulent documents, as some 60% of businesses plan to increase their budgets to help fight fraud. More information about this can be seen at the link below:

http://cyberresources.solutions/blogs/fraud.pdf

My Thoughts On This:

Honestly, I never thought about Generative AI being used in this context, when it comes to authentication. It could be a great way to secure the identities of individuals, but at the same time, given how easily accessible it is (as exemplified by ChatGPT), the flip side is also clearly evident. Therefore, before rushing into using AI for anything, test it out first in an isolated environment.

Make sure it “behaves” nicely with all of your other systems, and that it does not pose any further risks or vulnerabilities.
