Stay informed with free updates
Simply sign up to the Technology myFT Digest — delivered directly to your inbox.
It’s every manager’s worst nightmare: hiring a remote employee who turns out to be a North Korean hacker intent on loading malware on to your network. But that’s what happened to the US cyber security company KnowBe4 last year, as the company’s founder, Stu Sjouwerman, described in a candid blog post.
KnowBe4 had posted a job ad for an AI software engineer, interviewed candidates by video, conducted background checks, verified references and made an offer. But soon after the company sent a Mac workstation to the remote employee’s notional address, he went rogue. The company quickly discovered he was a fake North Korean IT worker, who had used a valid, but stolen, US-based identity to land the job. He then accessed the workstation remotely from Asia via an “IT mule laptop farm”.
Thankfully, no data was compromised but the company said it sure was a “learning moment”. “If it can happen to us, it can happen to almost anyone. Don’t let it happen to you,” Sjouwerman wrote.
This scary incident highlights the difficulties of authenticating someone’s identity online — even by specialist security experts. But that challenge is about to become immeasurably harder as we outsource more responsibilities to AI chatbots and agents, getting them to perform many administrative functions online, and we generate lifelike video avatars.
Up to now, the internet has mostly involved machines communicating with machines and humans interacting with humans. But increasingly those lines are blurring. We’re close to the point where chatbots and avatars are all but indistinguishable from humans online. How can you be sure that you’re not interacting with a synthetic human?
As is the way with Silicon Valley, some tech executives have come up with a proposed solution to the problem they have created, profiting from both sides of the transaction. Prominent among them is Sam Altman, who triggered the generative AI investment frenzy after his company OpenAI released ChatGPT in 2022.
Altman has also co-founded Tools for Humanity, which has developed an iris-verification device, a white globe about the size of a football, called the Orb. “We needed some way for identifying, authenticating humans in the age of AGI,” he told an event in San Francisco this year. “We wanted a way to make sure that humans stayed special and central.”
Once a user’s eye is scanned, the company sends them a World ID, a global digital passport, and $42 in Worldcoin cryptocurrency as a reward for joining the network. As of April, some 13.5mn people in 23 countries had used the Orb to generate a World ID. The service was launched in the UK last month.
The Orb is undoubtedly trying to address a real user need. But, quite apart from the scary Black Mirror vibes, it is questionable how effective the iris-scanning service will be. The need for a special machine to identify and authenticate any user (there are currently more than 1,500 Orbs in operation) makes the system clunky and expensive. The insistence on one centralised digital identity deprives a user of the freedom to have multiple, disconnected identities, raising privacy concerns. The World ID passport also risks becoming a walled garden that may not interoperate with other ID networks, such as the EU Digital Identity Wallet, which will become operational across the bloc by 2026.
Nevertheless, some security experts suggest that we are rapidly entering a world where our default assumption must be that all online counterparties are synthetic unless they can prove otherwise. That creates a need to demonstrate genuine presence online, or “liveness”, as Andrew Bud, founder of the biometric authentication company iProov, calls it.
iProov’s premium service has been used more than 100mn times by customers, including governments and financial services companies, through a smartphone-based facial recognition system. This shoots multicoloured lights at a user’s face and analyses the reflections, verifying their identity in about 2.5 seconds.
“Digital identity is a set of facts. But trust does not reside in facts. It resides in people,” Bud tells me. That means linking those facts to a human being who controls those facts. “And for that you’re going to have to use biometrics.”
The identification and authentication of users is one of the hardest challenges we face on the internet because technology is evolving so fast, but it is critical that we meet it. The likely next threat? Masses of synthetic hackers.