
RSAC: AI may force a reboot of America’s identity system

Deepfakes and

SAN FRANCISCO — The entire American system of identity — not just online digital identities, but drivers' licenses and passports too — is a barely functioning mess that may collapse as it is undermined by deepfakes and other forms of AI-generated fraud, a security researcher said at the RSAC conference here Wednesday (April 30).

"It's just pathetic," said Caleb Sima of the Cloud Security Alliance. "It's a massive problem. A $43 billion-a-year problem," he added, citing the estimated annual cost of consumer identity fraud.

A system built on sand

Sima said the problem is that American identities are based on two very weak pillars: birth certificates and Social Security numbers.

Neither was intended to be used as identity verification, and both fail at that task. Millions of Social Security numbers have been stolen. Birth certificates can often be faked, and in many states, any doctor or registered midwife can have one issued.

Our entire system of identity and authentication, from getting a driver's license or a passport, to opening a bank account or buying a house, to verifying identity for remote employers, ultimately depends on those two flimsy pieces of paper.

"The Social Security number and birth certificate are not enough," said Sima. "Yet these two documents have become the core root of our identity system. This approach fails for even the analog world."

Let your body be the guide

To try to augment this obviously weak foundation, we have turned to biometric factors like fingerprints, facial recognition, or DNA.

None of these is infallible. Fingerprints can be lifted from clean surfaces and duplicated, images of faces can be altered, and DNA can be obtained from a hair sample. And while fingerprints are truly unique, DNA isn't if it's shared with an identical twin.

The only truly reliable unique biometric identifier, Sima said, is a retina pattern. But even that can be duplicated by using high-definition photography and carefully manufactured contact lenses — the "Mission Impossible" effect. (Retina-based identification also may not work if someone happens to have cataracts, glaucoma or no eyes at all.)

To counter passive replication of biometric factors, we ask for proof of life: movement during a video interview, heat or electric charge from a live finger, a blink during a retinal scan. And that has mostly worked — until now.

Advances in AI-generated deepfakes have made weaker biometric identifiers like voice recognition useless and are rapidly eroding the credibility of live video conferencing. (You may have heard the story of the Hong Kong firm swindled by a deepfaked conference call.)

Soon, we may not be able to trust the authenticity of anyone we encounter online and may even be suspicious of anyone we meet in the flesh unless they submit to a biometric scan.

To continue with online banking, remote work, and e-commerce, we should come up with a more secure form of physical and digital identity.

"We're getting to the point where anything can be easily created — images, voice, video," said Sima. "How do I know something is really created by you? We need stronger identity verification."

The Estonian example

Other nations have put national systems of identification in place that securely connect the physical individual to a digital identity.

Singapore's Singpass lets the city-state's 5 million citizens and legal residents access more than 2,700 government services online, and transmit relevant personal information to banks, doctors and so forth, skipping the need to fill out forms whenever engaging with a new financial or medical provider.

Many European countries have national identity cards containing security chips that electronically verify identities, but Estonia's may be the most advanced. It lets citizens access online banking and almost all government services, create digital signatures and even vote online.

The system's decentralized identity architecture gives card holders full control over their data, letting them decide what kind of data to share with organizations that ask for identity verification.

Estonia and Singapore are both small, rich countries. But Sima pointed out that the biggest country of all, India, has had its voluntary Aadhaar biometric-based digital identity system since 2016.

Nearly all of the country's adult population, more than a billion people, participate. Aadhaar has let millions of poor and illiterate Indians open bank accounts, Sima said, and saved millions of dollars in paperwork and fraud.

You'll put a national ID into my cold, dead hands

Why don't we have the same thing in the U.S.? There's a cultural resistance to having a national ID, voluntary or not — "the Mark of the Beast," Sima joked. After all, it's taken 20 years to get the individual states to issue driver's licenses that comply with the federal government's Real ID standards.

Then there are privacy concerns. Do you really want the government to have all that data? (It has it already, of course, but that won't reassure anyone.)

Sima counters that a secure, digitally based identity would actually give us more privacy. Like the Estonian ID card, a U.S. equivalent could use a decentralized architecture that lets the card holder share only that which is necessary — age to access adult-only areas, medical records to doctors, addresses to utility companies.

That's a much better system than filling out seemingly endless forms by hand, revealing all your personal details to potentially thousands of people.

"I've copied my personal information on a hundred different forms," said Sima. "Half of these forms are online."
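As an added illustration of the selective-disclosure idea above (example code, not from Sima's talk or from the Estonian system): the issuer signs only salted digests of the claims, so the holder can hand a venue just the over-18 claim and the verifier can still check it against the issuer's signature without learning the name or address. HMAC with a key shared between issuer and verifier stands in for a real public-key signature, and all names and values are constructed.

```python
import base64
import hashlib
import hmac
import json
import os


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _digest(salt: str, name: str, value) -> str:
    # Digest of one disclosure: hash over (salt, claim name, claim value).
    # The salt stops a verifier from guessing low-entropy claims by brute force.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes):
    """Issuer: salt each claim and sign only the sorted list of digests.
    Returns (signed_credential, disclosures). HMAC stands in for the issuer's
    digital signature (assumption made for this example)."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = _b64(os.urandom(16))
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    payload = json.dumps({"digests": sorted(digests)}, sort_keys=True)
    sig = hmac.new(issuer_key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list):
    """Holder: forward the signed credential plus only the chosen disclosures."""
    return credential, {n: disclosures[n] for n in reveal}


def verify_presentation(credential: dict, shown: dict, issuer_key: bytes):
    """Verifier: check the issuer's signature, then match every revealed claim
    to a signed digest. Returns the verified claims, or None on any failure."""
    expected = hmac.new(issuer_key, credential["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, credential["sig"]):
        return None  # credential not issued by this issuer, or altered
    digests = set(json.loads(credential["payload"])["digests"])
    verified = {}
    for name, (salt, value) in shown.items():
        if _digest(salt, name, value) not in digests:
            return None  # claim value or name substituted by the holder
        verified[name] = value
    return verified


ISSUER_KEY = b"constructed-issuer-key"  # constructed for the example only
SAMPLE_CLAIMS = {"name": "A. Example", "over_18": True, "address": "1 Main St"}


def demo_age_check():
    """Show a venue only the over-18 claim; name and address stay private."""
    cred, disclosures = issue_credential(SAMPLE_CLAIMS, ISSUER_KEY)
    cred, shown = present(cred, disclosures, ["over_18"])
    return verify_presentation(cred, shown, ISSUER_KEY)
```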

However, he thinks that the U.S. will not change its identity system unless there's a massive crisis — or when deepfakes make most existing methods of verification useless.

The way forward

Sima doesn't pretend to have the answer to our identity problem. But he believes there are certain features that a working, digitally secure, American ID system will need to have.

There are four layers in Sima's "identity stack." The most basic is proof of person, or biological uniqueness measured by biometric identifiers like DNA or retina scans.

(Figure: Sima's four-layer "identity stack." Credit: Caleb Sima)

Next is proof of life, which can be verified by heartbeat, movement or touch.

On top of that is the identity label, which we often think of as an ID: a driver's license, passport or national identity card. A full name could also be considered as an identity label.

Finally, there's proof of intent, which verifies that the person wants to be authenticated, such as by providing a passcode or PIN code.

Sima said that these four layers should be tightly bound together and treated as reinforcing each other, unlike the situation today where each is treated as an individual factor.

Multi-factor authentication is obviously a step in the right direction, when it's required, but the system needs to be more tightly integrated than occasionally requesting more than one authentication factor.

Sima would enroll people in the identity system at birth, using biometrics to measure uniqueness. From there, a chain of custody of secure documentation can be established for an individual's entire existence.

"I'm not giving a solution or how this should be done," said Sima. "But I think we have to strongly tie proof of person and proof of identity from birth and follow that person throughout their life."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
