AI and Identity: Taking Stock of Identity Solutions in the Age of AI

It's been just over either months since OpenAI released ChatGPT, and already the new platform has become a household name. With artificial intelligence (AI) being one of the hottest topics in the world today, everyone from techies to the layperson is taking notice.

According to Forbes, “Over 75% of consumers are concerned about misinformation from AI.” While this new technology doubtlessly has exciting potential, it also poses new cybersecurity risks. For reasons such as this, the US Senate is getting started on new legislation that specifically regulates the use of AI.  

Adapting to the challenges posed by AI in identity and access management is crucial. As security professionals, we know that we can’t protect against everything. Long ago, Ping Identity learned that as soon as we detect what bad actors are doing, they find a novel way to circumvent detection methods. Today, we are just beginning to see how advanced machine learning is being used to penetrate established authentication methods.

While there will be challenges ahead, it’s evident that Identity Threat Detection & Response (ITDR) and Decentralized Identity (DCI) can be used in conjunction with one another to combat security threats in the age of AI.

While identity solution providers are aware of the threats posed by AI, most basic identity security practices are behind the curve with this new technology. Yet, in the game of cat and mouse that is identity security, cybercriminals are using AI to circumvent advanced identity controls like voice verification. 

AI Cyberattacks and Voice Verification

One of the most alarming examples of AI-powered threats to identity security is voice verification. Along with adaptive authentication and SMS and email OTP, voice verification is an important component of layered authentication used by call centers, especially in the banking industry. 

In the latest turn of events, cybercriminals are using AI-powered algorithms to copy people’s voices. If bad actors have access to a high-quality recording of your voice–perhaps taken from a spam phone call–they can generate a synthetic copy of your voice in just minutes.

With improvements in AI-powered voice generation, it is becoming very hard for voice verification systems to distinguish between real and synthesized voices. While vendors using biometrics are building safeguards to help mitigate this risk, it still boils down to an escalation game between vendors and cybercriminals.

AI-Powered Phishing Attacks  

Cybercriminals are also utilizing AI to intensify the frequency and sophistication of phishing attacks. While phishing emails and text messages are already daily occurrences in the lives of many people, AI is only going to make this problem worse. 

In their article “Artificial Intelligence is Playing a Bigger Role in Cybersecurity, But the Bad Guys May Benefit the Most,” CNBC explains, “When combined with stolen personal information or collected open source data such as social media posts, cybercriminals can use AI to create large numbers of phishing emails to spread malware or collect valuable information.” Since these phishing emails are AI-generated, they are much less likely to have obvious errors that make most phishing emails so easy to spot. 

Once AI-powered malware enters your network, much like other malware, it can cause major problems. To look again to CNBC, “AI-powered malware can sit inside a system, collecting data and observing user behavior up until it’s ready to launch another phase of an attack or send out information it has collected with relatively low risk of detection.” 

At the same time that AI is growing more sophisticated and targeted in the hands of cybercriminals, outdated identity access management (IAM) practices are leaving operations vulnerable to attack. 

Centralized IAM systems store massive amounts of user data in a single location, making them rich targets for hackers. A perfect example of this problem can be seen with the Equifax breach that happened in 2017. When the system was hacked, cybercriminals captured sensitive information on over 147.9 million Americans–including social security numbers, income data, personal addresses, financial docs, and credit card info. 

The Equifax breach might seem like old news, but the fact is that there are many businesses and government agencies that still rely on massive centralized data stores. While these organizations are tasked with keeping sensitive information protected for millions of people, this job is becoming increasingly difficult with the advent of AI. 

With outdated centralized IAM systems still widely used today, how are you supposed to keep your data protected with AI-powered cyberattacks on the rise? 

At Ping Identity, we believe that organizations need to protect user info, while users should also be empowered to protect themselves. Considering how rapidly things are escalating with AI, we recommend combining ITDR and DCI practices to keep data safe in this new paradigm. 

Following a Zero Trust approach, ITDR helps your organization detect and respond to identity basedattacks. DCI improves security and privacy by reducing your organization’s reliance on centralized data systems. With this two-pronged approach, users control how their identity data is shared, while organizations reinforce users by constantly monitoring the IT environment.  

Identity Threat Detection and Response (ITDR)  

Since ITDR practices carefully monitor your IT network for suspicious and anomalous activity, they are a critical part of Zero Trust initiatives. As ITSecurity Wire explains, ITDR “is necessary to enforce extra areas of trust in addition to user identities to close the gaps in multi-cloud infrastructure. Any implicit or assumed trust across infrastructure and tech stacks has the potential to be eliminated by ITDR.” 

While ITDR is an important element of Zero Trust, it is not sufficient to protect user data in today’s IT environment as a standalone solution. This notion is particularly true concerning massive centralized IAM storage practices. In fact, many people see ITDR as an indirect acknowledgment that large organizations must hold people’s data and credentials simply because it is incumbent upon them to do so. 

When it comes to protecting data in the age of AI, ITDR falls short in keeping sensitive information secure. The simple fact is, if you have “detected” something, it means that you already have a problem on your hands. As such, it may be too late at that point to mitigate the risk of loss stemming from the attack. Unfortunately, the next step is usually clean-up. 

Decentralized Identity (DCI) 

Since ITDR is more of a reactive approach to IAM, it necessitates a complementary method to keep identity more secure. To fill this void, DCI improves security and privacy by reducing your organization’s reliance on centralized data systems. In turn, DCI is architected to limit how much identity information is collected and stored in the event of a breach of a centralized database. 

With DCI, identity verification is predicated on providing a verified credential instead of offering up personal information that is stored in a centralized IAM database. These credentials are cryptographically verified to ensure the authenticity and integrity of a user. Not only does DCI give people the power to manage their own digital identities, but these credentials provide a secure and tamper-proof way for people to authenticate themselves. 

With DCI offering a frontline defense in conjunction with ITDR practices, it becomes a lot harder for cybercriminals to successfully execute takeovers and fraud. Centralized IAM data stores increase the risk that large amounts of data will be compromised with an AI-powered cyberattack. With DCI, the attractiveness of a hack is massively reduced as a breach likely results in a single individual's records being compromised–as opposed to the sensitive data of millions of people. 

Digital Wallets

Digital wallets are software applications that allow users to manage their own digital identity. Unlike traditional identity systems that store data in a centralized location, digital wallets give individuals control over their personal information–just like physical wallets. Specific contents of digital wallets include personal info, identity documents, login credentials, and biometric data. 

The Verification Process

With verification, credentials are shared with a third party such as an employer or financial institution, and then cryptographically verified. The verification process ensures that the credential is authentic and has not been tampered with. Finally, the third party can then rely on the authenticity of the credential to make decisions about the individual's qualifications or identity.

It can’t be denied that the age of AI has arrived. Within this shifting paradigm, identity is the new edge that separates bad actors from legitimate users. If cybercriminals can penetrate centralized IAM systems, they have access to the organization's digital infrastructure and an easy path to stealing valuable IP and data. Luckily, identity solution providers like Ping are ahead of the curve in the current IT landscape. 

By combining ITDR with DCI, you can develop a Zero Trust environment where users can help shoulder the burden of managing their own identity data, while your organization can further help users by constantly monitoring the IT landscape for suspicious activity. In turn, DCI is also helping us revise best IAM practices across the industry. 

One of the key benefits of verifiable credentials is that they allow individuals to maintain control over their personal information and identity. They can choose what information to share and with whom, and they can revoke access to their credentials if needed. Therefore, DCI provides a more secure and privacy-preserving way to prove one's identity or qualifications than traditional centralized IAM systems.

PingOne Neo uses a digital identity wallet to put your users’ verified data at their fingertips. Read more about Ping’s new decentralized identity management solution here.