AI is finding out when the person using your account isn’t you

A few months ago, security researchers at 4iQ uncovered a 41-gigabyte file being sold on the dark web that contained 1.4 billion username and password combinations from online services such as Netflix, Last.FM, LinkedIn, MySpace, Zoosk, YouPorn, Minecraft, Runescape, and others.

Unfortunately, this is something that happens a lot. The sale of user credentials remains a very lucrative business, earning cybercriminals billions of dollars every year. This is because for a lot of us, the only thing standing between our online accounts and hackers is a username and password. This means as soon as they obtain our credentials from the dark web, hackers will be able to access our most sensitive online assets. And let’s face it, we’re very bad at using passwords. We reuse them across accounts, don’t change them often, keep notes of them on our fridge, or pick something like (yes, this still happens) 123456.

Over the years, several techniques have been developed to protect users against account theft. But they have yet to reach widespread adoption because, for the most part, they add too many steps to authentication and introduce friction and complexity that many users don’t appreciate.

This reflects a reality: Our authentication technologies have not kept pace with the sensitivity and value of our online services. But that might change thanks to advances in artificial intelligence. Machine learning and deep learning algorithms, which in recent years have found their way into many domains and industries, will usher in an era where authentication becomes a smooth experience that doesn’t require users to trade convenience for security.

AI-powered biometric authentication

For many years, companies tried to use biometric authentication such as voice, fingerprint, retina and face scans as alternatives to passwords. But for the most part, these techniques required expensive hardware and could easily be circumvented.

The problem with biometric authentication is that it’s like printing your password. For instance, hackers were easily able to circumvent earlier generations of face recognition authentication technologies using still images, such as public photos obtained from Facebook.

Meanwhile, these technologies quickly break under poor lighting conditions or when the user changes their facial hair style or wears a hat. Even iris scanners found on newer smartphones can be fooled with commercial hardware available to all users.

AI can add a level of enhancement to biometric authentication that makes it (almost) hack-proof and smart enough to avoid irritating the user. An example is Apple’s new Face ID authentication technology, found on its flagship iPhone X smartphones. Face ID creates a complex model of the user’s face using infrared sensors and an on-device neural network processor. A neural network is an AI software architecture that seeks correlations and patterns between different data points and turns them into application rules.

This means that instead of comparing whatever it sees in its front camera against still images of the user, the phone will make a sophisticated comparison that takes into account the shape of the user’s face along with other features. The deep learning model powering Face ID can work under different lighting conditions and gradually becomes used to changes that the user’s face undergoes over time, such as changing a hairstyle, growing a beard or wearing a scarf or hat. It will also be able to detect if a user is awake and aware and prevent unintended unlocking of the phone.

To be fair, Face ID is not a perfect solution. Hackers have been able to circumvent it (though at a high cost and under very mysterious circumstances) and it tends to go awry if it hasn’t been trained well (which basically means right after the initial setup). It is not recommended for very high-profile celebrities and politicians (or paranoid users like me), but for most users, it is a reliable and convenient alternative to plain passwords and PINs.