Stay informed with free updates<\/p>\n
Simply sign up to the Technology myFT Digest — delivered directly to your inbox.<\/p>\n
It\u2019s every manager\u2019s worst nightmare: hiring a remote employee who turns out to be a North Korean hacker intent on loading malware on to your network. But that\u2019s what happened to the US cyber security company KnowBe4 last year, as the company\u2019s founder, Stu Sjouwerman, described in a candid blog post<\/a>.\u00a0<\/p>\n KnowBe4 had posted a job ad for an AI software engineer, interviewed candidates by video, conducted background checks, verified references and made an offer. But soon after the company sent a Mac workstation to the remote employee\u2019s notional address, he went rogue. The company quickly discovered he was a fake North Korean IT worker, who had used a valid, but stolen, US-based identity to land the job. He then accessed the workstation remotely from Asia via an \u201cIT mule laptop farm\u201d.<\/p>\n Thankfully, no data was compromised but the company said it sure was a \u201clearning moment\u201d. \u201cIf it can happen to us, it can happen to almost anyone. Don\u2019t let it happen to you,\u201d Sjouwerman wrote.<\/p>\n This scary incident highlights the difficulties of authenticating someone\u2019s identity online \u2014 even by specialist security experts. But that challenge is about to become immeasurably harder as we outsource more responsibilities to AI chatbots and agents, getting them to perform many administrative functions online, and we generate lifelike video avatars.\u00a0<\/p>\n Up to now, the internet has mostly involved machines communicating with machines and humans interacting with humans. But increasingly those lines are blurring. We\u2019re close to the point where chatbots and avatars are all but indistinguishable from humans online. How can you be sure that you\u2019re not interacting with a synthetic human?<\/p>\n As is the way with Silicon Valley, some tech executives have come up with a proposed solution to the problem they have created, profiting from both sides of the transaction. Prominent among them is Sam Altman, who triggered the generative AI investment frenzy after his company OpenAI released ChatGPT in 2022.<\/p>\n Altman has also co-founded Tools for Humanity, which has developed an iris-verification device, a white globe about the size of a football, called the Orb. \u201cWe needed some way for identifying, authenticating humans in the age of AGI,\u201d he told an event in San Francisco this year<\/a>. \u201cWe wanted a way to make sure that humans stayed special and central.\u201d<\/p>\n Once a user\u2019s eye is scanned, the company sends them a World ID, a global digital passport, and $42 in Worldcoin cryptocurrency as a reward for joining the network. As of April, some 13.5mn people in 23 countries<\/a> had used the Orb to generate a World ID. The service was launched in the UK last month<\/a>.<\/p>\n The Orb is undoubtedly trying to address a real user need. But, quite apart from the scary Black Mirror vibes, it is questionable how effective the iris-scanning service will be. The need for a special machine to identify and authenticate any user (there are currently more than 1,500 Orbs in operation<\/a>) makes the system clunky and expensive. The insistence on one centralised digital identity deprives a user of the freedom to have multiple, disconnected identities, raising privacy concerns. The World ID passport also risks becoming a walled garden that may not interoperate with other ID networks, such as the EU Digital Identity Wallet<\/a>, which will become operational across the bloc by 2026.<\/p>\n Nevertheless, some security experts suggest that we are rapidly entering a world where our default assumption must be that all online counterparties are synthetic unless they can prove otherwise. That creates a need to demonstrate genuine presence online, or \u201cliveness\u201d, as Andrew Bud, founder of the biometric authentication company iProov, calls it.\u00a0\u00a0<\/p>\n iProov\u2019s premium service has been used more than 100mn times by customers, including governments and financial services companies, through a smartphone-based facial recognition system. This shoots multicoloured lights at a user\u2019s face and analyses the reflections, verifying their identity in about 2.5 seconds.<\/p>\n \u201cDigital identity is a set of facts. But trust does not reside in facts. It resides in people,\u201d Bud tells me. That means linking those facts to a human being who controls those facts. \u201cAnd for that you\u2019re going to have to use biometrics.\u201d<\/p>\n The identification and authentication of users is one of the hardest challenges we face on the internet because technology is evolving so fast, but it is critical that we meet it. The likely next threat? Masses of synthetic hackers.<\/p>\n