September 8, 2017 | By Wenke Lee
Co-Director, Institute for Information Security & Privacy
As millions of Americans affected by the Equifax data breach ask, “What do I do now?” the information security industry should be asking, “How do we make personal data meaningless?”
If we could completely devalue the importance of personal background data (addresses, maiden names, birth dates), we could give the public control again over their histories and identities. That is to say, we could give them control over fears of financial loss, personal embarrassment, or denial of service because of lifestyle choices.
As it is now, information that is leaked or stolen even once, even partially, is no longer “personal” -- making one’s identity easier to impersonate to gain access to financial accounts, medical histories, school records and more. This is bad enough. Even worse, the common counter-solutions that help victims set up new privacy guards today rely on that same “personal” data. For example, under a national registry, data breach victims can choose to opt out of credit card and insurance solicitations using their name, address, social security number and birth date – the same data criminals have and can use to reverse any protection put in place.
It is time to worry less about keeping data private and worry more about creating the next best technology to prove you are you.
So what is that? Using multi-factor authentication technologies that combine a password (what you know) and a phone (what you have) are a good start, but still fall short. “Static” biometrics, such as fingerprint matching, also fall short because it, too, is stored data that can be read, replicated or stolen. Ultimately, we need an authentication mechanism that unequivocally verifies who you are and does that quickly. I believe such a mechanism should be based on dynamic biometrics, such as a live streaming video of the user providing an audio response to a challenge question that is unpredictable. A live, on-camera response to a randomly generated question uses three forms that when combined would be difficult to quickly impersonate: your face, your voice, and your knowledge. Researchers are busy at work developing live, biometrics-based authentication like this. For example, at Georgia Tech, one current project combines live biometrics with public key technologies for stronger authentication. We have developed a prototype and proof-of-concept application. I am optimistic that such technologies will be in the marketplace within the next few years. Then the next challenge will be to push for widespread technology adoption by organizations and individuals.
Once we develop methods to verify identity based on who you are today – not where and when you were born – we can overcome many of the fears of identity theft and loss. In summary, I see a silver-lining in the latest news of data breaches: it forces us to double-down on strong authentication, which will reduce the “value” of personal data and hence the incentives of data breaches in the first place.
For further reading
- CNN: http://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/index.html
- Equifax response: https://www.equifaxsecurity2017.com/