"Stuff just got real"
By Nelson Santini, BSI
Do you remember the hit movie where Clint Eastwood saves the day and kicks the "Commies" in the a$$ because he was a great pilot and could think like a Russian?
Before there was Top Gun (sorry Tom) there was Firefox. The 1982 action-thriller movie’s plot was simple: the US decides to steal a "next generation" Russian fighter jet that could be flown through its pilot's thoughts, and was sure to forever tilt the balance in the Cold War between the then undisputable global superpowers.
The security around this super valuable asset was multi-layered and complex, as all superpowers have defended their most valuable assets throughout all of recorded history. The plot thickener: whoever was to steal the aircraft had to speak (and think) like a Russian.
The multi-layer type of protection on the Firefox depended on the pilot’s state of mind, and intent.
Forty years ago, I’m sure that Mr. Eastwood and the rest of the production team were talking to each other through heavy smoke in the production ideation room saying, “this is so far out there”; and yet here we are today, when this security measure is not only possible, but available.
Today’s superpowers realize that data is the “next generation” asset that can tilt the balance of power. I’m not just talking foreign powers vis-à-vis TikTok or Cambridge Analytica here; by superpowers I mean Meta, Google, Amazon and the likes of them. Their corporate data and digital assets are guarded just like the Firefox.
We call the multiple security measures around data (digital assets) by many names, and one of them is multifactor authentication, or just MFA.
Imagine MFA credentials that could not be shared or stolen, because they are linked to the credential originator’s state of mind.
Imagine the MFA process going beyond using simple biometrics like a palm print, retinal or facial scan, and injecting some “prudent friction” to confirm the credential owner’s intent.
You’d be excused for rolling your eyes and tilting your head back in disbelief saying that “only Hollywood can come up with this…”, but in 2023, we have crossed from fiction to reality.
Some of the newest and most advanced MFA credentials can do just that: link credentials to the users and their state of mind. What’s more, it’s not a “cool and shiny” feature, but one that adds value to MFA’s purpose.
In its simplest form, your finger-traced signature or written PIN on your smartphone may be your single MFA all in one, and not just a useless image.
In its more complex form, imagine needing to start your rental car, or personal EV; or perhaps a pilot completing a commercial airliner pre-flight having to enter their signature on a touchscreen to certify that the safety checklists were completed, and that they themselves are not drunk or otherwise impaired.
In this context, the MFA credentials prove presence, and the user’s state of mind can be as simple as “what they are not”, as in intoxicated, coerced, nervous, or perhaps sleep deprived. If the user is not any of these, then they must be close to “clear minded” and know what they intend to do with the access sought. This is a unique capability that separates behavioral biometrics from those that are physically based.
So what are the implications related to protecting high value assets?
For the most part, MFA biometric applications and tools focus on the physical traits and how they can be used to expedite authentication. The trendy term for that is “frictionless”. Super useful for many lower-level data transactions.
MFA behavioral biometric credentials linked to state of mind and user intent are not just a vapid novelty. Beyond what classic biometrics do, these credentials add a multi-layered type of protection, a bit of friction, that moves into areas of personal and public safety, attribution of action for legal and insurance purposes, etc. Perhaps a form of MFA factor best used when guarding critical corporate digital and physical assets.
Forty years ago when I first watched Firefox, it was just an “action” film with a futuristic twist. It is still that, but it was also a cybersecurity film that was way ahead of its time.
You need not speak Russian or Mandarin (or English for that matter) to try this kind of MFA, but if you want to, you can give it a test flight by following this link.