Identities are under attack and with few ways to either validate or authenticate, it’s difficult to know whether a company or person you are communicating with is fake or not. Today’s guest is Mike Kiser. Mike Kiser is currently the Director of Strategy and Standards at SailPoint. He speaks regularly at events such as The European Identity Conference and The RSA Conference. He is a member of several standards groups and has presented identity related research at Black Hat and DevCon.
“If it is a job offer, interview, or discussion, look for obvious red flags.” - Mike Kiser Share on XShow Notes:
- [0:46] – Mike shares his current role at SailPoint and what he does to help people protect themselves online.
- [1:48] – As identity has risen in importance, so have job scams.
- [2:44] – The rise is not surprising, as more people look for remote work.
- [3:50] – Generally, employment scams are targeting remote and online applicants.
- [6:10] – Mike describes some of the ways these scams work including receiving fake checks and wording to target those who are looking for side work.
- [8:04] – Fake LinkedIn accounts are on the rise and it is very easy to target specific types of people and build off of common connections.
- [10:01] – In 2019, Mike created a fake profile and he describes the easy infiltration to any organization’s LinkedIn connection.
- [11:47] – There has been an obvious uptick in generic LinkedIn contact in the last few months.
- [15:13] – Business people need to connect, so it can be tricky. Mike explains how to take a close look at new connections.
- [17:13] – With generative AI, communications are even more convincing.
- [18:41] – Falsified job applications are also on the rise.
- [20:33] – Fake identities are more and more in play for different malicious use cases, not just for jobs.
- [22:58] – Mike shares the experience of a family member realizing that they were talking to a scammer.
- [25:08] – We all customize a resume to match a job, but AI is making things much more challenging.
- [27:05] – Applicants and potential new hires will be able to easily outsource and it will become more common.
- [31:22] – The pandemic accelerated the importance of validating identity.
- [33:31] – There is also a unique opportunity for privacy to be changed right now and there is some good potential.
- [36:40] – Multi-factor authentication fatigue is a real problem.
- [39:27] – Eventually, Mike believes all things will shift to QR codes.
- [41:17] – What are the pros and cons of QR codes and how can they change the user experience?
- [42:24] – The job market is going to continually change and we have to learn how to interact with people differently.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- SailPoint Website
- Mike Kiser on LinkedIn
- MikeKiser.org
Transcipt:
Mike, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me, Chris.
Can you give myself and the audience a little bit of background about who you are and what you do?
Sure. My name is Mike Kiser. I'm the Director of Strategy and Standards at SailPoint. I do product strategy. I do some internet identity standards in some working groups. I just work with colleagues in the industry to try and make things better for normal people. Along with that, on the side, I do a lot of research into privacy and how to help people along the way to protect themselves while they are online.
I hate saying it's becoming more and more relevant every day. But unfortunately, I think it is becoming more and more relevant every day.
Certainly.
Today, we're going to talk specifically about employment scams, and then we're going to work out and go down some fun little rabbit holes.
Sounds great.
Let's talk about how big of an issue is employment scams.
Employment scams, very understandably, have always been a thing. They've always been out there on some level. People either impersonating organizations or impersonating jobs or job offers. I would say that in the last three to five years—again not surprisingly since everyone's at home doing work and doing remote types of things—as identity has consequently risen in importance and is having a moment, so have job scams.
Now, more and more if you're doing remote work, you don't necessarily need to be in an office or on site. We've seen an increase year over year. I think the FTC was saying 64% increase in 2022.
It makes sense that you're doing more and more online, like the Zoom call. You know who the person is, but you get to know someone in a remote environment rather than being in-person. Seeing a rise in that is not totally surprising. People are looking for remote work, so there are a lot of legit jobs out there that are being done all remote and distance learning. The right work from anywhere has this side effect as well.
I know some people close to me early on in the pandemic were, “Oh, this work-from-home thing is going to be hideous. I don't think I can survive the first two weeks of this.” Now they're like, “I never want to go back to an office ever again in my life. I will only consider a job if it's remote.”
Totally. It's a beautiful day in Austin, Texas, one of 14 we have each year when it's not stupid hot. I went out for a 45-minute walk today in the trees. I wouldn't be able to do that if I were actually locked in an office someplace, so I totally get it.
Additional time with family, no commute, and all those fun things that you get to do that you wouldn't otherwise be able to do.
Totally.
Do you think that most of these scams are specifically targeting remote workers currently?
I think, in general, they are because once you say we need you to be on site, that could be applied, but most often, that's a massive operation. If someone's setting up an onsite fake facility just for you personally, you're a treasured individual, I'll put it that way. Most often, it comes in multiple formats. I'll say most of them are saying it's a remote opportunity.
I know that either full-time or in addition to what you're already doing is very common. You say, “Oh, I have a day job, but I could make some money on the side and that commute I'm not doing,” for instance. It's always, I would say, it’s targeting remote workers because another way of saying it is that phishing, these kinds of attacks, or attempts at scam or scamming people, are called phishing for a reason. You go where the fish are. If everyone's working remotely, make a new scam that targets remote workers.
That would be probably a shift from if you're looking five or 10 years ago, it was the international workers that were being targeted. “Hey, there's this job in another country, but you need to do these things beforehand.”
Right, and the mobility implied. You can catch a lot less people saying, “Hey, would you want to move to Botswana?” “No, I really don't. My kids are in school, it's inconvenient, and other reasons as well.”
I think the more common were more short-term kinds of scams. This job profile, job offering, job seekers being targeted, is pretty fascinating because you get a high-low attack as well to a much wider swath of what they're trying to obtain. It's not just, “Hey, I'm the classic Nigerian prince emailing you out of the blue.” This is much more, could be cash motivation, but there are other motivations as well.
What are those scammers trying to obtain?
It depends. The classic examples you see in a lot of the headlines are short-term cash. Believe it or not, some people have been mailed fake checks that they're told to go ahead and deposit, then take the money, and send it someplace or buy equipment with them, or something like that. That's your classic scam. That's what I would call a smash-and-grab kind of vibe. They're doing it at scale. They’re doing it one-offs all over the place.
A lot of times, that is not customized to the individual. Recently, I've been getting text messages quite a bit saying, “Hey, we've got this job over here, but they have no idea what I do, how I think, or anything else. It's not customized to me. It's more of a broad sweep.” That's one of the cash motivation.
Then there's a different category, I'll say, that's the low end or the low attack. The high attack is much more sophisticated. It's profiling people in important or key positions in an organization or a target enterprise, getting to identify them, and then trying to develop background information on them. In other words, what this does is this is more of a long-term play. I don't have proof of points of this because I don't know people who are actually doing this actively but personally, but getting open source intelligence on people or organizations.
I've been seeing this more and more. I've seen a bunch of fake LinkedIn profiles out there that are bridges to connection building. What they do is they use these connections to say, “Hey, I've got this job.” And they interact with the person. Once you get a resume and other information, think about how much open source intelligence you've gotten on that individual. Now I have their home address. I have their phone number. I have their email. I may have their ultimate email addresses.
Once you get a resume and other information, think about how much open source intelligence you've gotten on that individual. Now I have their home address. I have their phone number. I have their email. I may have their ultimate… Share on XNow I know their entire history that may not even be on LinkedIn in terms of employment, what hobbies they have, or sidecar attacks. “Oh, you know someone from Cisco 20 years ago.” It turns out we all know someone from Cisco 10 years ago, but human confirmation bias is like, “Oh, they must be all right.” Once they get two or three people to connect to them, then that ball is rolling, and it's much easier to build off those common connections.
It's more of, I would say, open source intelligence approach so that when and if they get entry into the organization, now they have a scope. Now they have a map of who's who in the organization and who they really want to laterally move towards, if possible.
What's the end game? Are they trying to get money out of that individual, intelligence or out of that individual?
Not usually money from what I've seen. It's been more intelligence and networking. It's really much more difficult to identify what they're actually looking for. It's not in general cash because you're not going to say, “Hey, send $20,000 to apply for this job.” They're not being targeted at that level because they have cash, but you're not trying to exploit them for that. It's more, I would say, building rapport, getting entry into organizations, mapping things out, and then it may be just building a network out.
The reason I say it like this, too, is that in 2019 at DEFCON and Black Hat, the tools and arsenal section, I did a talk where I wanted to know how much tracking advertisers were doing and being able to do. I made a completely fake identity. Her name back then was Janet. I won't give her last name. She was a designer in Austin, Texas. She was an avid jogger. I made a tool that would inject content into social media streams to obfuscate who she really was to change advertising.
She went from running to being all into barbecue according to how advertisers saw her. The reason I bring it up is that the hard part was getting that first person or two to connect on LinkedIn, for instance. But once I had two or three, it was an easy sidestep into almost any organization. It's a really fascinating social experience. We trust people who know people.
Absolutely. I get that random LinkedIn connection. The first thing I do is, “Who do we know? Who do we both know?” And, “Gee, you're only connected with six people? OK, something's fishy about that.”
Right, or you only can get six people, or you only know one person out of the industry colleagues I have. Whereas if it's five or six, or if you appear—as my own bias—young or interested in learning, I'm going to be much more open than if you say, “Hey, do you have a job or whatever else?” But then building off of that, you're developing a repository of people to approach on those social media platforms also for scamming purposes, if you're doing it broadly, or for targeted if you're targeting a certain level or above or individual.
It's interesting. Both my wife and I have gotten this wave of people connecting on LinkedIn. Probably within the last month or so, there's been this fairly significant uptick of when they're approaching me, it's young women. When they're approaching my wife, it's young men. The connection request has always been just a little bit off.
The vast majority of people are either, “I've used the default introduction,” or, “I've crafted something.” “Hey, we're in the same industry.” “Hey, we both know Bob.” Or, “Hey, I saw that you did this and that, the other thing.” The generic approaches. “You look like an interesting person to communicate with.”
To be honest, you do, but I’m not sure I’ll pick you out of a lineup and say, that person.
It's just an odd type of, “You look like a fun person.” I'm like, “OK, if you've looked at anything I've posted about LinkedIn, I really don't look like a fun person.”
Clearly, you don't know me if you think I'm interesting.
At least not fun with that said. Sometimes I'm one of those people who are like, “Yeah, I'll occasionally connect with these people because I want to see what the scam is. What's the approach?” Inevitably, almost all these accounts have been shut down within 24 or 48 hours. I'm sure people are reporting them as being suspicious or something. Have you seen that thing going on?
Yes. I have a group of cybersecurity professionals in a Signal chat where we swap pictures and stories of people who are approaching us. They're like, “Oh, this person seems legit.” Usually, that's the part where I made the fake identity back in 2019. I had to go find an image that was not to be blunt, not too attractive, and not unattractive, either. But if it looks like some model type person, male or female, that's just a bad sign.
It's a red flag.
Totally. It's something you go, “This feels a little catfishy,” so to speak. We've tried that. We've shared those kinds of stories. We also share tactics. I know one friend who just engages with them all the time. Basically, his goal is to see how long he can make them waste their time before they give up, either by playing stupid, asking for additional information, or telling them just a long-winded story for no reason. Eventually, you get ghosted or whatever else. There are different techniques there for sure.
I think if you're a C-level or you're the person who's being targeted, how do you discern when it's a real connection request and when something's fishy going on here, other than the thing that you'd had? They're 22 years old. I'm in my 50s. That seems odd, and they don't know anyone I know. But in business, we try to connect with people. We try to expand our networks.
Right. It depends on your personality and your point of view. I think that a large number of people working for enterprises, their persona on LinkedIn and others are probably managed by staff. Some of that helps in terms of having a forward guard.
I think also, you have to think about the use cases differently if it's being approached for a connection versus a job interaction. Job interactions are a much more cynical approach of which I'm pretty good at. I'm a natural born cynic in terms of, yeah, I'm doubting most offers and most contributions until they actually come. In terms of connections, I think it's much, much more difficult.
I think there's going to be an ongoing challenge for the cybersecurity organizations of enterprises, especially. They're already doing it these days to start patrolling social media and the networks of their employees. If they find a profile that is connected to multiple employees, not that it is fake, that's hard to identify, but if it claims some connection to the organization, that's a new frontier for them to at least be aware of. Depending on your budget, you have the capability or not to do that.
If it's a job interview, offer, or discussion, then I think you'll go through the normal steps of, like we said, looking for any obvious red flags, looking for well-developed, well-written communications, looking for things coming from the proper domain, things that we all hopefully have been trained by force security training, to learn and embrace. At the same time, short of confirming it's from a domain, I think that's going to get more and more challenging over time only because back when I was doing in 2019, I was using a Markov Chain Generator.
It's awkward. It worked most of the time, but sometimes it sounded like Janet had fallen and hit her head on the bathtub that morning and started tweeting, you know what I mean? These days with generative AI, things are a lot more challenging. You used to be able to take a picture. I did this the other day.
There was a picture of a suspect LinkedIn profile, and I'm like, “This is a little weird.” I took the image, and I ran it through a reverse Google image search. Back in 2019, you could do that. The picture I used for my false identity, my friend called me up and said, “You don't want to use this picture. I took her from stock photography.”
I was like, “I want to use this person.” He said, “Have you done a reverse Google image search on her?” I went out and did it. I was like, how many hits? 5000? He's like, “No, go do it.” 25 billion because every bot used her.
You can't do that as much anymore, though, because obviously, thispersondoesnotexist.com and other places like that, where you can just do a generation on a face that's unlike others. It's more difficult these days, for sure.
Are you starting to see the opposite employment scams, where you have totally bogus employees looking for jobs with generative careers?
Totally. I think that's on the rise as well. I have several HR professional friends, not in other organizations, but they have had a hard time wading through a couple of different things.
One is falsified backgrounds on resumes because we're hinting at as the job market has been modified, especially for the tech industry but other industries as well, people are looking for more jobs. They're trying to qualify for jobs they may not be qualified for. Some of the requirements are just ridiculous in the first place. That's a whole other conversation.
I've seen some of those posts.
Yeah. Starting entry job, 10 years of experience required. Wait, what? But others, good.
In technology, that's only been around for three years.
“First, invent the time machine. Go get an experience and come back to us.” Right, exactly.
The other are totally fabricated resumes and identities. It's more rare, but I would expect it to be on the rise because again, that's an easy way to get to know the internals of an organization or know more about it through a relatively innocent method.
The third rail I've seen is that people are trying to take multiple jobs. It's inauthentic but in a third way, where you're not getting what you think you're getting out of the person when you hire them because they're split 14 ways to Sunday, so to speak.
I think that's on the rise. I think that fake identities are more and more in play for just different malicious use cases, not only job-related, but as a whole in the industry and in the world.
I've heard more and more stories about people offshoring their job. They go and they apply for the job, they turn around and offer that job to somebody else at 50% of their pay, they collect the difference, and they have three or four jobs where they're doing this.
Totally. To me, personally, it feels like a lot of work. That better be a big payday for me just because I have multiple children as I further dox myself. I'm already exhausted enough without having to manage a team of people doing my jobs.
Yeah, that's crazy. You mentioned that you're on the more cynical side. I don't want to over-exaggerate that for you. You can do that yourself. Have you been the victim of any scam or fraud that you know of?
I would say not that I am aware of. No one, as far as I know, has taken money from me. I haven't had any credit card fraud as I'm just inviting people to attack at this point, but that's fine. I was in some major breaches, but that was my personal information. It wasn't me being targeted.
I would say that I could not tell you who they were, but I'm almost certain I am connected to people on LinkedIn that aren't real or who they say they are. That goes along with my cynical nature. When someone approaches me, I'm like, OK, unless I've met them in real life, and then I sanity check it a little bit.
I saw one LinkedIn profile the other day that was clearly the same name as someone I was already connected to, but they had lifted their name, not their picture. That was fascinating. Like I said, I am naturally cynical, though.
I've gotten emails in the past to do consultative work on the side, or come and advise us and talk to us about this space and identity. I just dismiss it out of hand because I'm like, “Who pays for that?” I talked to a friend the other day afterwards. He's like, “Oh, no, you could have made really easy money for 45 minutes of conversation.” I'm like, it's difficult even for me. You can be overly cynical.
I have relatives that run anything that's going on through me in terms of, “Should I trust this? Should I not trust this?” One of my relatives got halfway through clicking through and changing a password online with a support professional for a bank account. Until somewhere in the back of her head, I think my voice kicked in, and she hung up on them and called me.
Honestly, that's awesome. You have a group of people that trust you enough to stop what they're doing and say, “Is this real or not?”
This morning, three hours ago, I got an email from a poor gentleman who met a woman on a dating app and all sorts of reasons why they could never meet in person. Her father, this, that, hospitals. Started talking crypto, started dabbling in crypto on this platform that the girlfriend recommended, and all of a sudden, it's this very large amount of money. To get to that, you’ve got to […]. Has lost everything, borrowed money from everybody, including several people who told him along the way, “This really sounds like a scam. If you come back and tell me, ‘I told you so.’” I think there's a segment of people who don't realize it until they're way down the road, as opposed to, “I was just about to. Let me take a step back.”
That's why it works for some portion of the population. That's why it's profitable to do it this way. I think the catfishing reference we made before and the dating analogy we just made, that's what job seeking and hiring is. It's matchmaking but just for business. “Oh, my heart is set on the perfect architect.” Then you find them, and, “Wow, they have everything I wanted.” That's great, but maybe there's a reason why it seems. That said, we all custom-made resumes to match the job. There's an examination or just a thought process that has to take place.
That said, with this generative AI stuff, that's about to get a lot more challenging, because now you can't tell who can write anymore. You can't tell who can edit. For a long time, you couldn't tell who could use grammar well because of third-party tools and that kind of thing, but it's going to be customized to what you're looking for.
OK, we're going to go down a rabbit hole. Is that a problem? If the person is always using Grammarly, their grammar is hideous? When you talk to them, you're like, “Oh, my gosh, how in the world did you grow up in the US when you speak?” But if they always use Grammarly or they're always using generative AI with a consistent voice, isn't that a skill set?
OK, yes. This is approximate. It depends on what you're hiring for and it depends on what they're using it for. If it's a tool to promote efficiency, to have good grammar, sure. If you're hiring them to write or create documentation, just know what you're getting into.
Back in 2017 or something, we were hiring for a person who's going to do some product marketing for an organization I was with. She came and we said, “Do you have writing samples?” I always wanted to see writing samples to know if you could write. She turned in a 400-page document.
I was like, “This is crazy. How long did this take you? This is pretty well-written. Kudos on that. If you tell me the process you went through, because this is remarkable.” She looked at me and said, “Oh, well, we outsourced that.” I'm like, “What did you think was the point of a writing sample?”
I think you just have to know what you're getting into. That's going to be more and more common. It depends on what you need. The voice can be shaded based on what it's been trained on. It's up for debate. I'm more pro people who actually create it themselves, unless it's help documentation for a product. I'm probably OK with that being generated.
If you're writing a book, if you're writing something more creative, then I'm OK with you using ChatGPT, a controversial opinion. I think that you should attribute it to ChatGPT and then set yourself as the editor if it's ChatGPT or something else. Just be clear on what you've done.
Some writers association basically came out and said, “Whoever the editor is could take credit for, officially, according to their organization.” Everything can be done on ChatGPT, but the editor gets credit for it if it's a script or something like that.
People already do that. Most people have books ghostwritten or heavily ghost-edited at the same time. I think what it means is—and I'll bring it back to the scam thing for us here—authenticity is going to take a hit in terms of sourcing, in terms of, “Did you create this? Did you write this? Did you draw this? Did you paint this? Is this really you?” All of that immediately becomes more suspect because when you read a resume, when you read a document, when you talk to someone, it's different so far. Knock on fake desk, but you get a feel for the person.
If it's well-written, you're going to trust it more. If I get a well-written scam, I'm like, “Oh, this seems totally legit.” Crisco is obviously a cybersecurity company or whatever. But if it's got lots of issues, and you can tell that it's a non-native speaker or it's just heavily flawed, you're like, “Well, even if this was real, I don't think I'm going to work for an organization that sounds like that.”
I think it raises the bar in terms of being able to identify some of these scams, especially if it's remote, especially its distance, especially if they're not on video like we are here. You could have fabricated this entire podcast. That's a long play just to get at the top.
That's a lot of work.
Right, and I'm definitely not worth it. If you've done that, kudos to you. It just raises the bar in terms of what you need to be guarded about or guarded against. Especially as we mature as a society who's been online, more and more information about me is available. If you wanted to recreate me personally, it should be fairly easy to do because I'm out there a lot. My face is out there a lot. My writing is out there quite a bit. The more that it's out there, the more it's easier to replicate and impersonate someone on some level.
You're talking about this concept of identity. Where do you see things going in the next couple of years, whether it's employers, employees? Identity is just starting to get this more nebulous thing.
It used to be, “Here's my driver's license. Here's my Social Security card. I'm here in front of you.” That's becoming less and less of an issue. I have people working for me that aren't in the US. In fact, I've never met them. I think there are a couple of people and I've actually never even seen them. I don't know who they are.
Right, but you do feel like it's the same person each time that you're talking to. I think that it's a fascinating cultural moment because the pandemic shifted us all into this hybrid gear that we might have gotten to before but it accelerated things. The safeguard's identity is the key safeguard, knowing who and someone is, authenticating that, and making sure they have the right connections, the right access to people, and information, is huge.
That means that identity is under attack as a consequence. Long-term, I think that we've realized that. There are a couple of standards that are coming out that are going to try to make sure that given the sensitivity and the power that identity has, your defense against scammers is going to be you controlling information about your identity, being able to share that with others, and provably, at least until quantum computing takes over in a provably cryptographically signed way. All of that has to be super, super, super dead easy.
Long term, you could say, “Yeah, OK, this is a text or an email from some unknown person. Prove to me you are who you say you are with some kind of credential or identity that's signed by a secondary authority,” if that makes sense. It's very different if I have a conversation and I tell you my name is Mike Kiser. It's very different than if, and I'm not going to pull it out on camera, but if I pull out my driver's license, especially in real life and your physical presence. You can look at that and see all the proofs that make sure that it's authentic.
Like I said, authenticity is going to be key. How we prove authenticity is going to pay off in terms of protecting against scams and also be a target. Even as I talk about some of these digital credentials, there are some people targeting them specifically and trying to take them and reuse them with mixed success.
Identity verification, I suppose, is maybe the more appropriate phrase in this state of flux, where the resources we currently have aren't designed for an always online world.
Right, and there's an opportunity. There's a benefit, but there's also an opportunity for privacy as well here, which I'm super excited about. Before, once I give you my identity, and my identity attributes my data, who knows where that's going? I don't have control over consent.
With GDPR, CCPA, and other things, you are giving consent. There's potential. I'm not saying it's going to work or it's solved. I'm saying there's potential for some of this as well as we totally go into a side issue here. Again, if it's not dead simple, intelligible, and channeling people into best practices that protect them against scams, phishing, impersonation, job scams, and all these other things, but does so in a way that that protection is the easier choice, then we will have failed.
I don't want people to take protection because they're worried about what the consequences are. I'd much prefer people to choose the right path because that's just easier than jumping through 13 hoops to make the wrong choice.
I don't want people to take protection because they're worried about what the consequences are. I'd much prefer people to choose the right path because that's just easier than jumping through 13 hoops to make the wrong choice.… Share on XI need my thumbprint, I got an authenticator token I've got to enter, then I have to look around like this so that you can get all the sides of my face, and then post up for retinal scan in order to open my front door.
The fact that I can have biometric strong authentication by looking at my phone, which I'm going to do anyway, and as long as that biometric information is locked into the Secure Enclave on the phone, it doesn't leave the phone, that's fantastic.
I'm going to try out an analogy; I'm just going to make it up right here. It's why people on busy streets build fences in their front yard on some level with small children to be more clear. It's not going to keep the child from climbing the fence and running out into the street getting hit by a car, but it's going to make it a lot more work for them to do that, rather just stay in the yard, play with a ball, and be happy in a safe environment. It's that guardrail to funnel people into easier, better choices.
Now I'm going to go down another rabbit hole again because we're talking about privacy. Security authentication. I've had this discussion with a number of people, SMS or two-factor authentication in general. Some people will be identity purists and say, “SMS is not two-factor. It's too weak. It's too abusable. It's basically useless. You're better off doing nothing. Not me.”
You've got a physical token. You’ve got software tokens, and then maybe you've got biometrics as a fourth wheel. Where do you see the balance? And what would you suggest people do?
It's complicated. You're getting into a holy war territory for some people, which makes it exciting. I would say that MFA fatigue and those kinds of things are starting to suffer from the same issues we had with passwords and others, where it's like, “Oh, this is the 400th MFA I've had to accept on my phone. Whatever. I'm just going to start default saying yes to everything.”
I think that the world is shifting from a what-you-know to more of a what-you-have combined with who-you-are vibe. I'm a huge fan of Passkeys, which are emerging and coming out, where it's locking a biometric on your device to a key to get into something. It's a strong biometric all tied into a generated key that's hopefully bound to the device, for instance. There are issues with that, too. You can do bad practices, but I think that thing is going to do more than, say, an SMS OTP kind of thing.
That said, it depends on what your current state is. When the pandemic hit, everybody rushed to put in MFA, which was exactly the right move. People found out, “Oh, maybe we should have scale-tested this before we turned it all on.” History is a good educator.
Again, if you're using SMS to verify an authentication and those kinds of things, you're going to have to educate people about their potential scams and exploits. SIM-jacking is the most obvious one. It just depends on what your situation is, what your budget is. As long as you're growing and maturing, I think you can make good progress along the way. It would be my hot take.
It's like AI and ML, another controversial. Do we have it? Of course we do. OK, great. That's the use case, though, that you're serving. I tell customers all the time, you can hear a lot of terms thrown around, but find out how it addresses your pain, your felt need, and what the dangers and risks are associated with that compared to going to someplace else?
If you have a choice between SMS, using Passkeys, or some other two-factor authentication, I would jump over SMS if possible, but it just depends on what's possible in your world and your environment.
If grandma's not going to figure out domain keys or Passkeys, she's not going to figure out and care for an authenticator with her SMS. It’s at least better than nothing.
Right. What's going to happen is despite the issue with these already, but it's all going to be QR keys, QR codes eventually, which is a whole different ball of wax. But if I can not have to enter anything manually and having it all cryptographically provable, it will be, “Oh, you need to get access to this, take your QR code, scan it, and then have it presented from your wallet, have consent or anything built in, that's great because people are used to using QR codes.
Look at the airport, TSA in the United States, the security. Am I going to use that? Is it going to be easier? Yeah, it is. Having a boarding pass on my phone rather than a paper that I'm constantly checking, “Which pocket did I stuff that in?” said the old man.
I think that's the gateway drug. You're used to it because they want the convenience of getting access quickly and not standing in this line. “I’m going to go buy my coffee.” That same thing is going to say, “Oh, this is just like the airport.”
I think in the way that you're cynical about stuff, I am ultra cynical about QR codes. Someone ran around our neighborhood, dropped a flier off on everybody's door that was just a QR code, and saying, “Can you help?” I'm like, “Nope.”
There's a reason why OWASP calls it out—QR jacking or whatever they're calling it. It's inherently odd, because who's going to hover over that and make sense of some URL or whatever?
That said, I think what you can do is have some security. The nice part about that is that you can have security on the back end and enforce it on the device because now, you have a known space. It's not like, “I'm not going to take my laptop and go scan a QR code,” usually. There's sometimes a good camera. Ideally, it's on some device that's locked down and somewhat protected, so I can guide them into better practices like I'm talking about.
The TSA use case. I can take that same experience, “QR code, QR code, OK, you have access.” And I can put heavy cryptographic stuff behind it to secure that. My grandma, if you're going to use grandma here, or my grandfather, I don't have to know anything about it. That's genius because I'm changing user experience. Still dead simple.
I've always thought about doing that. Going to my local restaurant or whatever, or even just putting a QR sticker on any poster because you know someone's going to scan that sucker.
Hey, the next DEFCON, go around slapping QR codes on things.
Yeah, because that's a target audience for that. I'm sure a bunch of them are like, yeah. Besides, it's no one's real phone anyway. It's its own thing. I think there's a place to be concerned, but I'm not in that space to be clear. I'm not the authority. I'm sure you can get lots of responses.
Of course. There will always be someone who has something to say.
That's the fun part. Yeah, we'll all learn something.
With COVID and whatnot, the job market is going to change. It's going to be a different world for everybody. We're going to have to figure out how to interact with people in a different way.
Totally, and we are. HR departments are having to handle that remote work and where are you. It doesn't matter anymore. It depends on the industry, it depends on the employer.
I know some major employers are like, “No, of course not. You can work remotely, but we're going to fly you in. We're going to talk to you in person. You're going to spend two days here with 14 interviews.” But not everyone has that kind of budget, bandwidth, or beautiful campus to alert people with, if you know what I mean.
“I can't afford that sort of thing.” As we wrap up here, because we're running out of time, if people want to find out more about what you do and connect with you, how can they connect with you?
They can find me personally on LinkedIn. I would say they can find me there. There's a website on LinkedIn as well, a personal website where I blog occasionally. You'll see me around a lot talking a bunch, both on behalf of SailPoint and behalf of every person ideally in terms of privacy, security, and those types of things.
Always happy to talk. Always happy to learn new things. Just prove your identity to me, and we'll be off and rolling, apparently.
Awesome. Mike, thank you so much for coming on the podcast today.
Sure. Thanks a lot, Chris. Thanks for having me.