TaggartFeb 27
Okay, obviously Persona is terribad. There is a real problem to address here though: how are organizations supposed to perform reasonable identity verification at a distance? Sophisticated impersonation attacks hit customer support lines every day. We need a reasonable defense against this.
Show threadTindra

@mttaggart so, there’s a couple of different problems that got all smooshed together here.

One is how you verify that it’s the owner of the account that is taking action and not an impersonator. And that’s what MFA (of which Duo is one solution provider) has been trying to do for a while.

There’s what do you do when the MFA is inaccessible for some reason (eg my smartphone died). And that’s where things like verifying with the employee’s manager comes in to play. Or you actually have to come into an office as proof of identity (accepting that your work stops until this happens.)

Then there’s making sure you’re a real human at all - that you’re not a North Korean using a stolen identity. Which is something that should be handled *through the hiring process* by conducting a background check and forcing the employee to present (at an office or a recognized proofing services provider) physically somewhere with identity documents in hand to prove you match the person you say you are.

This latest offering seems to be an attempt to go after the last use case, but (maybe?) outside of the hiring process, which is the weird and concerning bit.

Feb 27 at 5:16pmWeb
Show threadTaggartFeb 27
@TindrasGrove Maybe they're all different problems, but the attack I'm describing combines them into one. And indeed, MFA is a poor defense in this case for exactly the reason you described ("Help! My phone was run over by a car and all my passwords were on it"). For geographically disparate workforces, "just come in" is often not an option. So yeah, I don't think we have a lot of good answers for this, especially not ones we can give to the poor folks fielding these calls.
Show threadTindraFeb 27

@mttaggart as someone who had to do this as part of my hiring process as a remote employee, this is where the trusted third-party proofing vendors come in. I had to go visit a FedEx office that had a designated person to check that I matched my passport and logged some stuff.

And, after that initial proofing of all my electronics go poof and I buy new stuff and need to re-prove who I am, my manager is able to vouch that I look and sound and act correct and have knowledge that only I should know (as protection against GenAI). Or I could be made to do that same proofing on-demand when it is warranted.

And since it’s coming from a different source than the MFA itself, there’s not a conflict of interest or other way for one system to impact the other without human intervention, which is how I like it.

Show threadTaggartFeb 27

@TindrasGrove That sounds solid on paper, but a lot of sticking points remain.

  • Access to manager (if there even is one)
  • What knowledge would that be? Secret words, etc. tend to become generalized and/or guessable, or yet another exfiltrated secret. Specific knowledge gets more complicated quickly and may in fact be misremembered. At any rate, codifying/systematizing highly personal challenge/responses is not simple.

I'm not saying it's impossible, but it is rather complex and takes a massive lift to get this kind of system implemented at scale.

Show threadTindraFeb 27

@mttaggart to the best of my knowledge is saying “hey you’ve been working with this person for a while. Are they really them?” And it’s up to the manager to figure that out.

Which is a deeply imperfect situation, but it’s also one in which it’s easy to prep them to be sceptical, unlike your average phishing attempt.