<img src="https://secure.ruth8badb.com/159098.png" alt="" style="display:none;">

Authentication vs. Privacy

SHARE

Like many “teeter-totter” issues, there is a give-take relationship between new authentication technologies and privacy rights. Maybe I am biased (or paranoid), but it seems like people's concerns over digital privacy have waned into apathy, and I, for one, don’t think this is a good thing. Maybe the privacy we have given up by having free* social media accounts, browser cookies, cheap Chinese IOT devices, and free* email and phone apps have sent us into a neurological state scientists call Learned Helplessness.

 

Learned Helplessness, according to CoPilot AI, is “a psychological state in which an individual, after repeated exposure to uncontrollable negative events, believes they are powerless to change their situation, even when opportunities to do so arise.” That sounds like the problem we are dealing with here. According to neurologists, the principal symptoms are emotional numbness and a lack of motivation. I have seen this same situation in organizations that have badgered their employees with phishing emails and misused security awareness products for remediation rather than following adult learning science.

 

Privacy issues are serious for both individuals and organizations, and with advocates potentially being underdogs right now, that is not a good thing.

 

Good authentication techniques are critical and are often our last line of defense from the greatest threats to our organizations. Multifactor authentication and facial recognition authentication are arguably the most effective tools we have for thwarting the onslaught of social engineering attacks and ransomware. Sadly, what can be used for good can also be used for evil. Multifactor often relies on employees using their own devices, such as a cell phone or tablets. Breaches of biometrics data from Suprema and other multifactor vendors have released millions of people's fingerprints and facial images. 

 

Authoritarian and oppressive governments are increasingly using biometrics to monitor, target, and silence activists, undermine democratic processes, and consolidate power. Through mass surveillance, facial recognition, predictive policing, online harassment, and electoral manipulation, and now with AI integration, authentication technologies have become a potent tool for authoritarian control. Even if we don’t have to worry about living under an authoritarian government, evil hackers sell and broker biometrics information on the dark web and use it for identity theft and other cybercrimes.

 

While biometrics such as facial recognition can be an easy and convenient way to do multifactor authentication, keep in mind that, unlike passwords, biometric data cannot be changed or replaced if compromised.

 

So that is our current situation, but what is on the horizon?

 

In this article, I would like to speculate about some of the uses of AI and quantum computing in emerging multifactor, encryption, and biometrics.

 

Let’s start with the easy stuff...quantum computing. Easy? Well, quantum computing itself is not easy, and that is why, for us, the mitigations are potentially easier. Quantum computing so far has been nearly all hype and speculation. At one of the nation’s top cybersecurity conventions a few weeks ago, I ran across a number of industry practitioners who thought (erroneously) that quantum computing was being actively used in current security products like firewalls. So here is our reality check on quantum computing. At the time of this writing, there are no useful quantum computers. Even IBM’s quantum computers have yet to perform any useful tasks that could not be done with digital computing. Recent announcements about new Microsoft quantum technology breakthroughs have turned out to be a big flop. We could still be many years away from useful quantum computers, and even once those are online, learning how to program them will take even longer.

 

The fact that quantum computers are not yet ready for prime time gives us a chance to prepare for this disruptive technology. We can prepare for Q-Day** by bolstering our public key encryption and authentication systems with symmetric algorithms and hash functions. It is (pardon the pun) key to use large cipher keys with these symmetric ciphers, at least twice the commonly recommended key sizes.

 

One big misconception is that we can wait until Q-Day to implement these changes; we can NOT. Recorded VPN traffic and encrypted data at rest, such as saved files and other information we are using now, could become clear text in minutes and would be wildly useful to cyber criminals even years in the future.

 

Quantum communications also bear watching, and with China being the clear leader in this research, the topic becomes more important every day. Please see my previous blog Did we miss China’s Quantum Sputnik?

 

A few things you might consider:

  • Don't use IKEv1, use IKEv2
  • Check your algorithms used in VPNs and other Public Key systems.****
  • Manually create your keys, some predict that human generated random numbers or non-algorithm generated keys 128 characters or larger are more resistant.
  • Check your CA to see if it uses 4K RSA key sizes or better.
  • Use SHA hash sizes no smaller than SHA-384 or, ideally, SHA-512.
  • Use TLSv1.3 with Perfect Forward Secrecy.

 

The next topic is new biometric technology

 

We have likely all heard about how China and other countries have used facial recognition technology against political enemies and citizens. Something that we should be keeping an eye on now is gait identification. Walking gait analysis has been developed primarily in medical fields. Now, AI technology has become a method of identifying large numbers of individuals from videos of large crowds. This is a means of mass privacy loss on a scale we have never seen before. AI like most tools is not inherently evil, it is how we use it that matters.

 

Gait analysis can be used at great distances at any angle, side, or even when walking away, unlike facial recognition, which requires a clear view of a face. When I brought this up with some of my friends, they replied that they would just join the Ministry of Silly Walks***. Sadly, this does not stop gait analysis as it uses angles formed by the joints at the hip, knee, and ankle, as well as the angles of the torso, thighs, and feet, so you can walk as silly as you like, but it likely won’t fool the system.

 

So, what do we do about all of this?

 

The first step to protecting ourselves, our families, and our organizations is to learn. I hope this article is a helpful start. We must fight off Learned Helplessness by knowing that knowledge is power and our greatest ally. Visit and, if possible, support the Electronic Frontier Foundation (EFF).

 

The next steps are to educate others and influence policy. Organizational policies and local and national policies on how these technologies are used are the absolute most powerful tools against widespread misuse. These policies must include independent oversight as we have plenty of examples of police departments and even federal agencies misusing or even incompetently storing authentication-related information.

 

Leave your comfort zones of controls in data centers and cloud systems. Be active in the security community and encourage privacy discussions and presentations at events. Learn the ABC’s of civil discourse as well as how government and institutional polices are created.

 

As practitioners in Information Technology and Information Security, we have, I believe, an ethical responsibility to keep our understanding of these topics current and raise awareness when it is called for. 

 

I hope this article was helpful or at least interesting to you. Please check out my other articles here  and engage with me on LinkedIn. If you would like assistance with Risk Assessments or other cybersecurity issues, contact me through our Assessments page.

 

*so-called free services such as email and social media services are paid for by selling your profiles, behavior, demographics, and other tracked information.

** Q-Day, the day when current algorithms will be vulnerable to quantum computing attacks.

***It would not be a good article if it did not contain at least a Star Trek or Monty Python reference, would it?

****https://en.wikipedia.org/wiki/Grover%27s_algorithm

 

AI did not generate this article.

 

In fact, this article was drafted on a 1982 Apple LISA computer, the computer that introduced the most profound advancement in personal computer history…

No part of this material may be used or reproduced in any manner for the purpose of training artificial intelligence.

Apple LISA

 

 

 

 

 

 

 

 

 

 

Sources, references and further reading:

https://www.rfc-editor.org/rfc/rfc6379.html

https://en.wikipedia.org/wiki/Shor%27s_algorithm

https://en.wikipedia.org/wiki/Internet_privacy

https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/

https://youtu.be/bGOGK0-3fcw?si=_28jbAMoMjn4qtG-

https://youtu.be/bJTsFZtD7xE?si=uqht38MTE_w2V_L4

https://computerhistory.org/blog/the-lisa-apples-most-influential-failure/

https://www.youtube.com/watch?v=rZjbNWgsDt8&t=417s&pp=ygUNbGlzYSBjb21wdXRlcg%3D%3D

https://www.youtube.com/watch?v=psAeTDYezdo&t=327s&pp=ygUNbGlzYSBjb21wdXRlcg%3D%3D