Biometrics could be the key to protecting your digital ID: 5 Things podcast

5 Things podcast SPECIAL | Digital ID: How do we stay safe online?

The ability to maintain a secure digital identity has been a shared but elusive goal of the online financial and e-commerce industry for decades now. In a world where cyber attacks have grown exponentially more sophisticated, with hostile nation states and organized crime accelerating their programs targeting Americans, how do we stay safe? Jeremy Grant, who leads the Better Identity Coalition, joins the 5 Things podcast to discuss new developments in the world of digital identity.


This transcript was automatically generated, and then edited for clarity in its current form. There may be some differences between the audio and the text.

Dana Taylor:

Hello and welcome to Five Things. I'm Dana Taylor. Today is Wednesday, September 20th, 2023, and this is a special episode of Five Things.

The ability to maintain a secure digital identity has been a shared but elusive goal of the online financial and e-commerce industry for decades now. Then came Worldcoin, a company announced in July that combines AI with crypto and said it would revolutionize the field of digital security. The key: Worldcoin would scan and store every user's iris, a biomarker unique to each person. But privacy experts said not so fast. There are risks involved in sharing biomarkers with any commercial entity. So in a world where cyber attacks have grown exponentially more sophisticated, how do we stay safe? Here to expand on the topic with me is Jeremy Grant, who leads the Better Identity Coalition and is an expert in digital identity. Jeremy, thanks so much for joining me.

Jeremy Grant:

Thanks for having me.

Dana Taylor:

So Worldcoin's CEO Sam Altman, who's also the CEO of ChatGPT, announced the creation of Worldcoin back in July. The news made a huge splash, primarily because he claimed that the iris scan, one of a person's unique biomarkers, could be maintained to ensure that you are who you say you are online. Is that true?

Jeremy Grant:

Well, that's a complicated question, in that I think when it comes to any biometric, a lot comes down to the implementation details. One of the challenges we've had over the years, particularly when it comes to what my understanding is of what Worldcoin's looking to do, which is a central database of biometric information, is that it creates a ton of risks from a security and privacy perspective. If there's one thing we've learned over the last few years, it's that we're not actually really good at securing sensitive data. Government's not really good at it, industry's not really good at it. This is why we keep hearing about big breaches every week where a lot of our data's lost. And so the idea that suddenly, say, my iris data, which is the biometric technology that Worldcoin is using, if that data was compromised, or even if it was just used differently than the way they're promising it would be used right now, that could potentially lead to some downstream consequences.

To be clear, they're not storing the image of your iris, but what they call sort of an abstract template. But there have been researchers over the years who've shown with biometrics that even if I get your template, I might be able to come up with some sort of a fake of your actual biometric, finger, face or iris, that was used to create it. And so that, I think, is where you start to worry about potential impersonation or potential tracking concerns or things like that.

Dana Taylor:

So I want to back out a little bit and talk about the current threats from a 30,000 foot view and how they've evolved. So we've all gotten those phishing emails from people claiming to be in Nigeria who say that we've inherited millions of dollars or they want to gift us that if they can just get into our bank account. How has cybercrime evolved and primarily who are the people behind these attacks?

Jeremy Grant:

This summer marked the 30th anniversary of a really famous cartoon that ran in the New Yorker back in 1993 where there's two dogs on the computer and one turns to his friend, the dog, and says, "On the internet, nobody knows you're a dog." And I often point out ... I was a freshman in college when that came out. It was funny at the time in that, as somebody who was just starting to go online at the birth of the internet, you would run into dogs on the internet, but maybe it was your friend down the hall trying to mess with you. It was mostly good-natured; it wasn't malicious. These days the dogs on the internet are being weaponized against us, and so you're asking who's launching these attacks? A lot of it is hostile nation states like China and Russia and North Korea. There was just news earlier this week that North Korea is looking to monetize some of the billions of dollars in cryptocurrency that they've stolen through attacks on identity, which they're then using to fund their nuclear program. So by the way, this actually has some real consequences downstream.

There's also a lot of organized criminal gangs that are out there that really are in the business of hoarding as much data as they can and then using it to try and compromise your identity so that they can go launch the next attack and steal more money and data.

Dana Taylor:

Well, the search for how to maintain a secure digital identity, that's been around since as long as the internet has been around. Maybe yes, we didn't take it as seriously as we should have in the beginning, but how has the thinking on digital identity and the technology needed evolved?

Jeremy Grant:

Well, I'd say on the industry side there's been a lot of good progress made for both identity proofing and authentication. On the authentication side, I'm really bullish these days that we are on the cusp of finally killing the password and getting to the password-less world. You have most of industry, including the big tech platforms and major banks, and in fact governments across the globe, all collaborating on a set of technology standards run by an organization called the FIDO Alliance. That has created a way to basically replace passwords with essentially a combination of a biometric match but only done on your device. It can't be phished. It's much easier to use, and notably whether you're using a device with an operating system made by Apple or Google or Microsoft, it's all supported with every device you buy today. So I think there's a lot of good things happening right there.

In fact, there was a recent report that came out from a group that the Department of Homeland Security has set up to investigate major breaches called the Cyber Safety Review Board. They put out a major report two weeks ago actually calling for a national effort to accelerate the deployment of technology like FIDO to stop what they're seeing as an increasing wave of attacks that are trying to focus on compromising authentication. So not to say we've won that battle, but we kind of know how to go win it. So the identity proofing side's a lot more complicated in that there is a massive challenge that I would describe as follows. We have a number of nationally recognized authoritative credentials that work for us in the physical world in the US. I was born in Michigan, so the county I was born in gave me a birth certificate.

I live in Washington DC, I have a DC driver's license. The federal government gave me things like a passport and a social security number. Those are all physical credentials that I can walk into a bank across the street or a government building down the street or show up at the airport and present. We know how these things work in the physical world to prove who you are, but there's no counterpart to those credentials in the digital world. And what we're seeing is that as more of the economy is moving more and more online, the gap between physical and digital here in the US is providing a massive attack point that we're now starting to see our adversaries, be they hostile nation states or organized criminals, exploit at scale to victimize Americans and American businesses and government agencies for tens of billions if not hundreds of billions of dollars every year. And so I think that is really where more focus is going to be needed going forward.

Dana Taylor:

So who are the big players grappling with the issue, the ones who are leading the charge? Is it mostly banks?

Jeremy Grant:

I run an organization called the Better Identity Coalition, which is a group that has about two dozen companies. We have both a number of what I would call traditional banks as well as FinTech companies that are more upstarts in the space in financial services. We have members from healthcare, from technology, from telecom, and if there's one message that the coalition has collectively sort of been shouting from the rooftops, it's that we think the government needs to play a bigger role. Now that's a little unusual. It's not often that you actually see the private sector asking for the government to do something more, but there is a recognition, I would say, basically in every sector, that the government is the only authoritative issuer of identity, but that role is split in the US because we don't have a national ID, so it's split between federal, state and local agencies. What we really need is a coordinated whole of government effort to try to figure out how do we close that gap between physical and digital in a way that actually sets a high bar for security, a high bar for privacy, a high bar for equity.

Dana Taylor:

So you said this coalition is asking for government to get involved. Tell me about the Improving Digital Identity Act, where it is in the House and Senate, and what it might do to protect digital identities.

Jeremy Grant:

So the Improving Digital Identity Act is, from my perspective, a really important piece of legislation in that, getting to what I was talking about before about the need for a whole of government approach, it's legislation that would look to drive that forward really through three pillars. The first is to direct the White House to basically convene what would be called an Improving Digital Identity Task Force, give them a fixed period of time to bring together key federal, state and local agencies. So think about your state DMV, think about the local Vital Records Bureau, perhaps the Social Security Administration and the State Department, who are in the identity business at the federal level, and essentially give them a time-boxed period to figure out how this is all going to work. Sort of recognizing that digital identity is an important priority for the country, for security, for privacy, for economic growth, for equity, and how do you actually come up with a way to start to create digital counterparts of the physical credentials most of us have in a way that sets a high bar for security and privacy and equity.

The second thing it would do is task ... There's an agency called NIST, which most people probably haven't heard of, the National Institute of Standards and Technology, part of the Commerce Department. This is basically the group that works on cybersecurity and also privacy standards for a whole bunch of different technologies that underpin a lot of the things that we use every day. They've got a tremendous amount of expertise in identity and privacy, and so the bill would direct them to come up with a framework of standards and best practices. So whether I'm the State Department in Washington or the DMV in Idaho or the Vital Records Bureau in Oakland County, Michigan, they all have sort of a playbook that they can consult and follow when it comes to actually implementing digital solutions that ensures that they're really setting this high bar that we've talked about.

And then the third thing that the bill would do would be authorizing grants to states to actually help to jumpstart this shift from physical to digital. Not to say physical is going to go away, but it's really about digital counterparts. As you might imagine, a lot of the states don't necessarily have a lot of resources to invest in this right now. With grant dollars that would be tied to following this playbook of standards and best practices, we can actually solve this problem in three to five, and most notably strike a big blow against many of the adversaries that we're dealing with, these hostile nation states, these organized criminals who are just ripping through our lack of digital identity systems these days to make off with billions of dollars every year. You ask where the bill is. So last Congress, keep in mind, Congress resets every two years with the election.

It passed key committees in both the House and the Senate, and came pretty close to becoming law at year-end, and then ran into, I guess, a bit of a snag when one of the key people who would've had to sign off was not willing to. That bill's been reintroduced in the Senate. It was marked up again by a key Senate committee back in March, and is largely cleared for action on the Senate side. The House has not reintroduced legislation this year, so we're hoping that they get on board with the approach the Senate passed. Washington doesn't always pass standalone bills anymore. A lot of times it's trying to get agreement among the core players on legislation, and then you see a big bill that passes at the end of the year that both funds the government and advances a bunch of non-controversial legislation. It's been a bipartisan bill from the start with great Democrat and Republican co-sponsors.

So we think it's that kind of bill that could be a good candidate to move forward later this year. But I wouldn't make any big predictions right now sitting here in August in terms of what's going to happen. And I think there's been some frustration, certainly from the coalition, and I think from a lot of other cybersecurity and privacy experts, over the last few years that we're seeing other countries launch different efforts to try and get ahead of these issues: increasing cybersecurity threats, increasing threats to privacy by different technologies, the threat of AI that we talked about before. In the US I think we're pretty unique in being the only major, what people would consider, Western country that does not have a strategy thinking about what we want good to look like when it comes to digital identity and trying to drive us toward there. And so while we've done nothing, that is also an active policy choice in terms of sort of letting the status quo fester.

Dana Taylor:

Okay. And now let's bring it back to practicality. Besides not giving your bank account information in response to an email or text, what are some things that people should keep in mind to stay safe online?

Jeremy Grant:

The first is, while we're trying to kill the password, we're not there yet. So use a password manager. There's a lot of free ones built into your devices or browsers these days, or there's third party companies that are out there that make them. They will come up with a long and unique password for every account that you use and automatically fill it in for you, so you're not sitting here worried about trying to figure out how to push the shift key and get the right uppercase letter and then the right symbol next to it. Nobody can do that. Passwords are a terrible combination of security and usability, but a password manager at least makes sure you've got a unique password, so that if you've been a victim of a breach, let's say some company you have an account with is breached and your email and password show up, one of the things the hackers do is they'll plug it in at five other sites, because people reuse their passwords everywhere.

The second is turn on multifactor authentication wherever possible, and this is where you're augmenting the password with a second factor. The weakest versions are if somebody just texts you a six-digit code that's good for 30 seconds, but even though it's weak, it's still going to stop a lot of attacks that are based on authentication. Even better, download a free app. Companies like Google and Microsoft have got free authentication apps that are out there that will generate codes in the app. And then if you really want to protect yourself, get a FIDO security key. So here I've got my car keys and my house keys, and this is something called a YubiKey. I can either plug this into my USB port or tap it on my phone or my tablet, and it provides hardware cryptographic proof of possession, which is a long technical term to basically say something that's very secure and basically impossible to phish. And so this is what I use myself. The third thing I suggest to people is take advantage of a free service that the credit bureaus offer to be able to put a freeze on your account.

So this is essentially something that if somebody steals all your data and is applying for a financial service in your name, so they want to get a credit card, right now, if you don't have a freeze, those applications will get run automatically if somebody submits it in your name. And this is where you often see identity theft challenges emerge. If there's a freeze, then it can't go forward. It can be a little bit of a pain in the butt if you're a consumer, because let's say it's actually you, I had this a couple years ago. We're buying a new car. I'm applying for financing. I had to go into the credit bureau that they were using to run my credit and unlock it. Took about 30 seconds. It was unlocked for a 24 hour period. The car company could run stuff through. I got approved, and then it locked automatically the next day. But this will stop identity thieves who have stolen your data and are trying to apply for accounts in your name from actually being able to advance those to the next phase.

Dana Taylor:

Thanks so much for sharing your insights here, Jeremy.

Jeremy Grant:

My pleasure. Thanks for having me on.

Dana Taylor:

Thanks to Cherie Saunders, our production assistant. Our senior producer is Shannon Rae Green, and our executive producer is Laura Beatty. Let us know what you think of this episode by sending a note to podcasts@usatoday.com. Thanks for listening. I'm Dana Taylor. Taylor Wilson will be back tomorrow morning with another episode of Five Things.

This article originally appeared on USA TODAY: How to protect your online identity: 5 Things podcast