Not a day goes by that you are not asked to prove that you are you. Turn on your phone, and you likely had to key in the 4-digit code that you set when you first purchased it. Or maybe you've shifted to the increasingly common facial recognition approach, wherein you have to stare into your camera for a few seconds so it can match the file picture it has of you with your real-life mug. Or if it's a web site to which you are trying to gain access, they might send you a 6- or 8-digit key, the so-called 2-factor verification system, which connects something you have (the phone) with something you know (the key).
In most cases those approaches are all that's needed to open the gates to your phone, your bank account or your Instagram feed. But as hackers employ more sophisticated tools, it's not uncommon to be challenged in more empirical ways. And so you may be prompted to respond to security questions to which you've formerly provided answers. The idea is that only you and your elementary school pals know that your nickname used to be "Itchy." And let's face it: if one of them is trying to impersonate you all these years later and remembers that forgettable item, they deserve access to your Netflix account.
So what constitutes a good challenge question? Experts say there are five characteristics that mark secure authentication. The first is confidentiality: no one else should be able to guess, research or obtain the answer. Next is memorability: users need to be able to recall something quickly and after a long time. It has to be consistent: opinions and favorites are likely to change over time, while facts do not. Simple is also good: if it's all about the exact shade of green it will cause confusion. And there have to be multiple possible responses, the more the better: a hacker shouldn't be able to guess with a one-in-three chance of success.
I saw this in action when I called to link my new credit card's reward account with another from the same bank. Because one was a business account and the other a personal version, the surface data didn't line up perfectly, and so I was shunted to a specialist. They explained the issue, and said they could connect the two, but they had to go deeper to confirm my identity. Agreeing that my financial underwear should be protected at all costs, I told him to have at it.
The first queries were routine: mother's maiden name, last four digits of my social. Then it got deeper into me: please tell us a former address. Well, we've lived in our home for more than 30 years, so it took a few moments to plumb the memory banks for that one. And another: what was the color of the Buick Skylark once registered in your name? If memory serves it was an old clunker that my parents gave to our kids as a starter car, so old it was retro. Yes, it sat in our driveway for a few years, but that was 2 decades ago. Again, it took some serious recall to dredge that up. And lastly, he asked, what is your age? To be fair, that's a number I try and forget, not remember. Socially I pretend I'm 24, emotionally I'm closer to 11. But he wanted physical age, and so I muttered that, albeit with a deep sigh accompanying my response.
And with that I was in. He and his deep mind accomplices decided that I was indeed me, and that all my accounts could be linked and accessed. It's not that those facts couldn't be ascertained elsewhere with some digging, but how I responded as well as the answers themselves convinced him I was me. After all, an AI clone would have had the answers instantly with no hesitation. My tentativeness helped mark me as the imperfect human I am, with a high statistical probability that I wasn't faking it.
In the future that might not be enough. There is discussion in certain circles of establishing "personhood credentials" to establish not only that you are you, but that you are a real being. After all, an AI generated personality can't show up and stand in line at the DMV. Perhaps going forward we may move to a three-factor ID system that will include that human component: something you know, something you have, and something sweaty.
-END
Marc Wollin of Bedford is pretty sure he knows who he is most times, but not all. His column appears weekly via email and online on Blogspot and Substack as well as Facebook, LinkedIn and X.