WEBVTT 1 00:00:00.120 --> 00:00:03.600 Think about your day so far. You've probably logged into 2 00:00:03.640 --> 00:00:05.879 an app, maybe unlocked your phone, perhaps made a quick 3 00:00:05.919 --> 00:00:10.519 online purchase. What links all those things? It's this well complex, 4 00:00:10.839 --> 00:00:16.559 often invisible world working quietly behind the scenes. Authentication. Welcome 5 00:00:16.600 --> 00:00:18.719 to the deep dive. Today we're taking a well a 6 00:00:18.719 --> 00:00:22.160 deep dive into authentication and access control, sort of this 7 00:00:22.280 --> 00:00:25.640 silent guardian of our digital lives. We're pulling our insights 8 00:00:25.640 --> 00:00:28.679 from Syrah Pat boom Wrong's really extensive work authentication and 9 00:00:28.719 --> 00:00:33.000 access control, practical cryptography methods and tools. Our mission today 10 00:00:33.240 --> 00:00:36.600 basically cut through the jargon, understand the fundamental building blocks 11 00:00:36.600 --> 00:00:41.320 of digital trust, explore the frankly ingenious methods protecting your information, 12 00:00:41.600 --> 00:00:43.759 uncover the constant threats, and maybe even peek into the 13 00:00:43.799 --> 00:00:46.320 future of how we'll prove who we are online. Consider 14 00:00:46.359 --> 00:00:49.320 this your shortcut to really understanding the security behind your 15 00:00:49.320 --> 00:00:52.759 every click, every log in. You know, authentication It isn't 16 00:00:52.799 --> 00:00:54.560 just about a simple password anymore, is it. 17 00:00:54.640 --> 00:00:57.759 Oh, it's certainly not. No. And what's truly fascinating here 18 00:00:57.840 --> 00:01:02.320 is how how deeply rooted the concepts we'll discuss are, 19 00:01:02.840 --> 00:01:06.840 from the very definition of digital security itself to the 20 00:01:07.120 --> 00:01:10.519 well the sophisticated methods we now use to establish trust 21 00:01:10.599 --> 00:01:12.959 and what can feel like a pretty unfrusted digital world. 22 00:01:13.079 --> 00:01:15.480 Okay, so let's start right at the beginning. Then, if 23 00:01:15.519 --> 00:01:18.040 I asked you just straight up define security in the 24 00:01:18.079 --> 00:01:21.120 digital realm, what would you say? I think many of 25 00:01:21.200 --> 00:01:23.599 us think of it as like a fixed state, you know, 26 00:01:23.719 --> 00:01:26.560 a locked door. But it's much more dynamic than that, 27 00:01:26.640 --> 00:01:27.480 isn't it exactly? 28 00:01:27.640 --> 00:01:30.000 Yeah? Our source makes is a really crucial point here. 29 00:01:30.319 --> 00:01:33.319 Security is not a goal, It is a process. It's 30 00:01:33.359 --> 00:01:36.799 this continuous effort really to be free from attacks, to 31 00:01:36.799 --> 00:01:41.200 prevent risk because the digital landscape is always shifting, always evolving. 32 00:01:41.359 --> 00:01:43.519 Think of it more like an ongoing defense system, always 33 00:01:43.560 --> 00:01:44.680 adapting to new threats. 34 00:01:44.799 --> 00:01:48.719 Right, a process and guiding that continuous process is a 35 00:01:48.760 --> 00:01:51.959 foundational framework, the CIA model, and no, not that CIA, 36 00:01:52.000 --> 00:01:55.519 but the standard pretty much for information security absolutely. 37 00:01:55.719 --> 00:02:01.239 CIA stands for confidentiality, integrity, and availability, basically the three 38 00:02:01.280 --> 00:02:04.239 pillars any secure digital environment must uphold. 39 00:02:04.280 --> 00:02:09.960 Okay, let's break those down. Confidentiality This seems pretty intuitive, right, 40 00:02:10.039 --> 00:02:11.400 keeping secret secret it is? 41 00:02:11.439 --> 00:02:17.199 Basically Confidentiality means preventing unauthorized eyes, unauthorized exposure of data. 42 00:02:17.599 --> 00:02:22.000 Imagine you're emailing sensitive info. If that email isn't encrypted, well, 43 00:02:22.039 --> 00:02:24.759 anyone sniffing the network could potentially read it. That's a 44 00:02:24.800 --> 00:02:26.240 confidentiality breach right there. 45 00:02:26.319 --> 00:02:29.280 Okay. And then there's integrity. This one's less about secrecy, 46 00:02:29.280 --> 00:02:31.719 more about accuracy, making sure things haven't. 47 00:02:31.520 --> 00:02:35.240 Been messed by excisely. Integrity ensures that data hasn't been changed, modified, 48 00:02:35.319 --> 00:02:38.680 or corrupted, whether that's by accident like electrical interference or 49 00:02:38.719 --> 00:02:42.280 you know, religiously. Think of a financial transaction, need to 50 00:02:42.319 --> 00:02:45.319 be certain the amount transferred is exactly the amount you authorized, 51 00:02:45.599 --> 00:02:48.599 and to detect even the tiniest alteration, we rely on 52 00:02:48.639 --> 00:02:52.120 cryptographic tools like one way hash functions. They create a 53 00:02:52.240 --> 00:02:55.560 unique digital fingerprint for the data. So if you've in 54 00:02:55.599 --> 00:02:59.960 a single bit changes bang, that fingerprint changes completely immediate 55 00:03:00.039 --> 00:03:01.639 at least signals a problem. 56 00:03:01.360 --> 00:03:04.960 Which brings us to the third pillar, availability, making sure 57 00:03:05.039 --> 00:03:08.000 authorized users can actually get to what they need when 58 00:03:08.000 --> 00:03:10.680 they need it. And this is where authentication, you know, 59 00:03:10.800 --> 00:03:12.919 our main topic today, really comes into its own. 60 00:03:13.080 --> 00:03:17.919 Indeed, availability means authorized parties have access to resources while 61 00:03:18.039 --> 00:03:22.960 unauthorized parties are well kept out. Consider your banking app. 62 00:03:23.479 --> 00:03:25.240 You need to be available when you want to check 63 00:03:25.240 --> 00:03:28.280 your balance right, and the bank needs to ensure only 64 00:03:28.360 --> 00:03:32.080 you can access your account. Authentication is the key mechanism 65 00:03:32.199 --> 00:03:35.000 verifying your right to access. It's the gatekeeper. 66 00:03:35.080 --> 00:03:39.520 Okay, so those are the foundational pillars confidentiality, integrity, availability, 67 00:03:39.840 --> 00:03:42.439 But how do we actually build this digital security? This 68 00:03:42.479 --> 00:03:45.400 is where cryptography comes in, right, the language of secrecy, 69 00:03:45.439 --> 00:03:47.199 as our source puts it, it's kind of the engine 70 00:03:47.199 --> 00:03:48.400 behind all these mechanisms. 71 00:03:48.520 --> 00:03:52.039 Cryptography is absolutely the bedrock. It's the art and science 72 00:03:52.080 --> 00:03:55.080 of securing communication, and at its heart is a really 73 00:03:55.120 --> 00:03:58.479 important idea, Kirkhoff's principle. The idea is that the security 74 00:03:58.479 --> 00:04:01.639 of a cryptographic system shouldn't depend on keeping the algorithm 75 00:04:01.680 --> 00:04:05.400 the method itself secret. Only the key needs to be secret. 76 00:04:05.560 --> 00:04:08.120 That's fascinating and kind of counterintuitive for a lot of people. 77 00:04:08.120 --> 00:04:11.000 I think. So the method itself can be public knowledge, 78 00:04:11.039 --> 00:04:14.159 even to attackers, as long as the key stays hidden exactly. 79 00:04:14.199 --> 00:04:18.240 It's a cornerstone of modern crypto. Why because trying to 80 00:04:18.279 --> 00:04:22.439 keep an algorithm secret in the long run it's almost impossible. 81 00:04:22.560 --> 00:04:25.120 If the key is the only secret, the whole system 82 00:04:25.160 --> 00:04:28.199 is much much more robust. Now. We generally use two 83 00:04:28.240 --> 00:04:30.800 main types of cryptography, symmetric and asymmetric. 84 00:04:30.920 --> 00:04:33.680 Okay, symmetric cryptography, it sound like it uses the same 85 00:04:33.800 --> 00:04:35.279 key for everything it does. 86 00:04:35.600 --> 00:04:39.480 Yeah, a single secret key is used for both encrypting 87 00:04:39.519 --> 00:04:43.759 the data and decrypting it. It's incredibly fast computationally speaking, 88 00:04:44.079 --> 00:04:47.399 which makes it ideal for encrypting large amounts of data 89 00:04:47.959 --> 00:04:51.399 ads the Advanced Encryption Standard. That's a very common example 90 00:04:51.439 --> 00:04:54.040 you see everywhere, and we have a message that's longer 91 00:04:54.040 --> 00:04:58.439 than one block. Symmetric ciphers use clever techniques like something 92 00:04:58.480 --> 00:05:02.360 called cipher block chaining or SE. This ensures each part 93 00:05:02.360 --> 00:05:04.839 of the message is uniquely encrypted, and it links it 94 00:05:04.879 --> 00:05:07.759 to the parts that came before it. It adds this dependency, 95 00:05:08.199 --> 00:05:10.199 so if even a tiny bit gets changed somewhere in 96 00:05:10.240 --> 00:05:13.759 the middle, it creates this cascade effect, immediately telling you 97 00:05:13.800 --> 00:05:15.560 that data's integrity has been compromised. 98 00:05:15.639 --> 00:05:18.000 Right, Symmetric cryptos fast. But then how do you share 99 00:05:18.040 --> 00:05:20.560 that single secret key securely with the other person in 100 00:05:20.600 --> 00:05:23.079 the first place. That sounds like the classic chicken and 101 00:05:23.079 --> 00:05:27.839 egg problem, which I guess leads us to asymmetric cryptography precisely. 102 00:05:28.199 --> 00:05:32.800 That's the challenge. Symmetric has asymmetric or public key cryptography 103 00:05:33.240 --> 00:05:37.560 solves that key distribution problem beautifully. Instead of one key, 104 00:05:37.800 --> 00:05:41.279 it uses a pair a public key, which, as the 105 00:05:41.399 --> 00:05:44.360 name suggests, anyone can know, and a private key, which 106 00:05:44.399 --> 00:05:47.519 only the owner keeps secret. It's mathematically linked. So if 107 00:05:47.519 --> 00:05:49.560 you want to send a secret message to me, you'd 108 00:05:49.600 --> 00:05:52.160 encrypt it with my public key, only I, with my 109 00:05:52.240 --> 00:05:57.000 corresponding private key, can decrypt it. It's computationally basically impossible 110 00:05:57.000 --> 00:05:58.399 to reverse without that private key. 111 00:05:58.439 --> 00:06:00.959 And RSA is the big name people I might recognize here, right, 112 00:06:01.040 --> 00:06:03.319 Ravis shmir Adleman, that's the one. 113 00:06:03.519 --> 00:06:07.120 RSA is a very widely used public key cryptosystem. Its 114 00:06:07.120 --> 00:06:11.600 security relies on the mathematical difficulty of factoring very large numbers. Essentially. 115 00:06:11.720 --> 00:06:14.399 Okay, so we have fast symmetric crypto for bulk data 116 00:06:14.680 --> 00:06:18.000 and slower but great for key exchange asymmetric crypto. How 117 00:06:18.000 --> 00:06:21.040 do these two powerful methods actually come together in say, 118 00:06:21.079 --> 00:06:22.439 my online banking session. 119 00:06:22.720 --> 00:06:26.000 They combine their strengths. It's what we call a hybrid cryptosystem. 120 00:06:26.000 --> 00:06:29.920 It's really elegant. Asymmetric cryptography is used for that crucial 121 00:06:29.959 --> 00:06:34.439 first step securely exchanging a temporary, one time symmetric key. 122 00:06:34.920 --> 00:06:37.959 Once that symmetric key is safely established between the two parties. 123 00:06:38.279 --> 00:06:41.160 That key is then used for the faster bulk encryption 124 00:06:41.279 --> 00:06:45.079 and decryption of the actual communication the data itself, so 125 00:06:45.120 --> 00:06:47.920 you get the best of both worlds. Efficient data transfer 126 00:06:48.160 --> 00:06:49.000 and secure. 127 00:06:48.680 --> 00:06:52.519 Key exchange makes sense now beyond encryption, we also touched 128 00:06:52.519 --> 00:06:56.040 on cryptographic hash functions earlier, the digital fingerprint idea. How 129 00:06:56.040 --> 00:06:57.120 do they differ from encryption? 130 00:06:57.240 --> 00:07:01.079 Fundamentally different? Yeah, hash functions are strictly one way streets. 131 00:07:01.480 --> 00:07:04.439 You can easily generate that fixed laying fingerprint the hash 132 00:07:04.600 --> 00:07:07.920 from any input data. But and this is critical, you 133 00:07:08.120 --> 00:07:10.519 absolutely cannot reverse it to get the original data back 134 00:07:10.519 --> 00:07:13.680 from the hash. It's designed to be impossible. This makes 135 00:07:13.680 --> 00:07:16.759 them perfect for verifying data integrity, you know, checking if 136 00:07:16.800 --> 00:07:19.759 a download file is corrupted, but also absolutely vital for 137 00:07:19.759 --> 00:07:20.920 password storage. 138 00:07:20.839 --> 00:07:24.639 Ah right, storing passwords securely, something we all need systems 139 00:07:24.680 --> 00:07:25.439 to do properly. 140 00:07:25.759 --> 00:07:31.199 Absolutely, you should never ever store Plaintex's passwords ever. Instead, 141 00:07:31.600 --> 00:07:35.160 systems store their hash values, so if database gets breached, 142 00:07:35.560 --> 00:07:39.360 attackers only get the jumbled up hashes, not your actual passwords. 143 00:07:39.560 --> 00:07:42.040 It makes it much harder, though not impossible, for them 144 00:07:42.040 --> 00:07:44.519 to figure out the original SHA two thousand and six 145 00:07:44.600 --> 00:07:46.199 is a common hash function you see mentioned. 146 00:07:46.360 --> 00:07:48.759 Okay, and then the last piece of this crypto puzzle 147 00:07:49.319 --> 00:07:53.959 digital signatures. That sounds like signing a physical document, but online. 148 00:07:54.120 --> 00:07:57.879 It is analogous, yes, but with a critical cryptographic advantage. 149 00:07:58.199 --> 00:08:01.279 Digital signatures use your private care ke to sign a message, 150 00:08:01.480 --> 00:08:04.199 usual it signs the hash of the message for efficiency. 151 00:08:04.839 --> 00:08:07.519 Then anyone can use your corresponding public key to verify 152 00:08:07.560 --> 00:08:11.240 two things that the message definitely came from you, authenticity, 153 00:08:11.480 --> 00:08:14.240 and that it hasn't been altered since you signed it integrity. 154 00:08:14.560 --> 00:08:17.360 This leads to a really crucial property called non repudiation. 155 00:08:17.800 --> 00:08:21.480 Non repudiation meaning you can't deny sending something once it's 156 00:08:21.519 --> 00:08:23.439 digitally signed, like you can't say, oh, that wasn't me. 157 00:08:23.759 --> 00:08:27.560 Precisely, if I sign a digital contract with my private key, 158 00:08:28.240 --> 00:08:31.120 I cannot later credibly claim I didn't send it or 159 00:08:31.120 --> 00:08:36.240 didn't agree to it. It provides irrefutable, cryptographically verifiable proof 160 00:08:36.240 --> 00:08:40.240 of origin and integrity, much stronger than a physical signature, really, 161 00:08:40.320 --> 00:08:43.440 because it's mathematically provable by anyone with the public key. 162 00:08:43.639 --> 00:08:46.720 Wow. Okay, so we've covered the deep underlying tech the 163 00:08:46.759 --> 00:08:49.120 crypto foundations. Now let's bring it up a level to 164 00:08:49.279 --> 00:08:53.840 the practical application proving who you are? What exactly is authentication? 165 00:08:54.120 --> 00:08:55.000 In simple terms? 166 00:08:55.240 --> 00:08:58.600 At its core, authentication is the process where you, the 167 00:08:58.679 --> 00:09:02.000 supplicant as the jargon, and goes prove your claimed identity 168 00:09:02.080 --> 00:09:05.159 to a system which we call the authenticator. It's basically 169 00:09:05.159 --> 00:09:07.279 the digital bouncer checking your id at the door of 170 00:09:07.279 --> 00:09:09.320 the club? Are you really who you say you are? 171 00:09:09.600 --> 00:09:11.519 Right? And when we talk about how we prove who 172 00:09:11.519 --> 00:09:14.399 we are, it usually boils down to three core concepts, 173 00:09:14.519 --> 00:09:15.879 the factors of authentication. 174 00:09:16.080 --> 00:09:19.159 That's right, the classic three pillars of authentication. Something you know, 175 00:09:19.480 --> 00:09:21.080 something you have, and something you are. 176 00:09:21.240 --> 00:09:24.200 Okay, let's start with something you know. For most of us, 177 00:09:24.279 --> 00:09:27.120 most of the time that means passwords or pinons. 178 00:09:27.559 --> 00:09:31.200 Right, passwords and pins exactly. They're still the most common 179 00:09:31.240 --> 00:09:35.559 method by far. When you create one, the system processes it, 180 00:09:35.600 --> 00:09:38.799 hopefully hashing and salting it, and stores that processed version. 181 00:09:39.120 --> 00:09:41.039 When you log in later, you enter your password, The 182 00:09:41.039 --> 00:09:43.879 system processes is the same way and compares the result 183 00:09:44.080 --> 00:09:47.639 to the stored version. If they match, you're in. But crucially, 184 00:09:47.720 --> 00:09:51.360 the quality of your password is paramount. Weak common passwords 185 00:09:51.399 --> 00:09:54.559 like one, two, three, four, five, six, or password they're 186 00:09:54.600 --> 00:09:57.960 incredibly easy to gas or crack. Pass phrases like I 187 00:09:58.039 --> 00:10:01.360 eight rainbow trout kite surfing badly becoming i r at TB, 188 00:10:01.600 --> 00:10:03.720 as mentioned in the source, are much much more secure 189 00:10:03.720 --> 00:10:06.200 and often easier for humans to remember than just random 190 00:10:06.200 --> 00:10:07.120 strings of characters. 191 00:10:07.159 --> 00:10:10.000 Absolutely, and how those passwords are stored by the system 192 00:10:10.200 --> 00:10:12.440 is just as important, maybe even more important, than how 193 00:10:12.440 --> 00:10:13.440 strong they are, isn't it? 194 00:10:13.759 --> 00:10:17.399 Oh, absolutely crucial storing passwords and plaintext, that's just a 195 00:10:17.440 --> 00:10:22.360 catastrophic security failure waiting to happen. Unthinkable. Really, encrypted passwords 196 00:10:22.360 --> 00:10:24.840 are a step up, but then managing the encryption key 197 00:10:24.919 --> 00:10:28.559 securely becomes its own challenge. Hash passwords are the standard 198 00:10:28.559 --> 00:10:31.919 good practice, but even just hashing isn't fool proof. If 199 00:10:31.919 --> 00:10:34.440 not done right, they can be vulnerable to something called 200 00:10:34.559 --> 00:10:38.279 rainbow tables. These are basically huge pre computed lists where 201 00:10:38.320 --> 00:10:41.919 attackers have already calculated the hashes for millions of common passwords. 202 00:10:42.080 --> 00:10:44.639 You mentioned an example earlier. Search online for the hash 203 00:10:44.679 --> 00:10:47.440 five F four DCC three P five ass seven sixty 204 00:10:47.480 --> 00:10:49.879 five D six one D eight three two seven two 205 00:10:49.960 --> 00:10:51.360 eight eighty two cf. 206 00:10:51.159 --> 00:10:54.639 Ninety nine, and it pops right up as password scary exactly. 207 00:10:54.360 --> 00:10:57.080 Shows how easily simple half passwords can be reversed if 208 00:10:57.080 --> 00:10:57.919 they're common words. 209 00:10:58.120 --> 00:11:01.039 So how do we make hashed passwords truly secure? That 210 00:11:01.159 --> 00:11:02.799 what's the fix for rainbow tables? 211 00:11:03.080 --> 00:11:07.039 The crucial improvement is using salted passwords. This means adding 212 00:11:07.120 --> 00:11:10.200 a unique random string of data called as salt to 213 00:11:10.279 --> 00:11:13.240 your password before it gets hashed. Each user gets a 214 00:11:13.240 --> 00:11:16.879 different random salt, usually stored alongside their hashed password in 215 00:11:16.919 --> 00:11:20.000 the database. So even if two users somehow choose the 216 00:11:20.039 --> 00:11:23.720 exact same password, say password one, two three, because their 217 00:11:23.720 --> 00:11:26.679 salts are unique, their sword hashes will be completely different. 218 00:11:27.320 --> 00:11:31.399 This makes pre computer rainbow tables practically useless against salted passwords. 219 00:11:31.759 --> 00:11:34.919 It's a massive security improvement, and there are even more 220 00:11:34.919 --> 00:11:38.360 advanced techniques like dynamic salt generation and placement within the hash, 221 00:11:38.679 --> 00:11:40.279 making attacks exponentially harder. 222 00:11:40.279 --> 00:11:43.519 Still, okay, salting is key. What about those grid based 223 00:11:43.519 --> 00:11:46.840 passwords we sometimes see like drawing a pattern on Android phones? 224 00:11:46.840 --> 00:11:48.159 How effective are those really? 225 00:11:48.440 --> 00:11:51.840 Well? They look secure and theoretically there are hundreds of 226 00:11:51.919 --> 00:11:56.200 thousands of possible patterns, right, But the reality, according to research, 227 00:11:56.559 --> 00:11:59.919 is that users tend to choose very simple, predictable patterns, 228 00:12:00.320 --> 00:12:03.440 often shapes based on letters of the alphabet or their initials. 229 00:12:03.919 --> 00:12:08.559 This dramatically reduces the actual security. Plus they're highly susceptible 230 00:12:08.559 --> 00:12:12.120 to shoulder surfing someone just watching you unlock your phone. 231 00:12:12.600 --> 00:12:15.000 Studies mentioned in our source show these patterns can often 232 00:12:15.039 --> 00:12:17.519 be cracked in as few as five attempts with something 233 00:12:17.559 --> 00:12:20.399 like ninety five percent accuracy if the attacker gets a 234 00:12:20.440 --> 00:12:23.360 decent video recording, so not as strong as they might see. 235 00:12:23.440 --> 00:12:26.000 Hmm, okay, good to note. Let's move to the second factor, 236 00:12:26.200 --> 00:12:29.320 something you have. This usually implies a physical object, doesn't 237 00:12:29.320 --> 00:12:30.080 it correct? 238 00:12:30.519 --> 00:12:34.279 This category includes things like smart cards, USB security keys, 239 00:12:34.679 --> 00:12:38.360 or those physical authentication tokens the little key fobs or 240 00:12:38.399 --> 00:12:42.879 devices that display a constantly changing number. These tokens can 241 00:12:42.919 --> 00:12:45.799 be synchronous, meaning the code changes automatically every thirty or 242 00:12:45.840 --> 00:12:50.080 sixty seconds based on time. Rsay secured is a classic example, 243 00:12:50.360 --> 00:12:52.399 or they could be asynchronous where the system gives you 244 00:12:52.480 --> 00:12:55.039 a challenge number, you type it into the token, and 245 00:12:55.120 --> 00:12:57.879 it computes a unique response based on its secret key. 246 00:12:58.159 --> 00:13:00.240 And what about the software versions we often use on 247 00:13:00.279 --> 00:13:03.240 our phones now, like Google Authenticator or off e. 248 00:13:03.720 --> 00:13:07.559 Those are software authentication tokens, often using an algorithm called TOTP, 249 00:13:07.840 --> 00:13:11.120 which stands for time based one time password. The big 250 00:13:11.159 --> 00:13:13.720 advantage there is the code is generated right on your device, 251 00:13:14.039 --> 00:13:16.919 your own, and crucially, it never actually travels over the 252 00:13:16.960 --> 00:13:19.720 network during login, making it safer from interception than some 253 00:13:19.759 --> 00:13:23.679 other methods. Contrast that with SMS based OTPs, where you 254 00:13:23.720 --> 00:13:26.679 get a code send via text message. While very popular 255 00:13:26.679 --> 00:13:28.919 and convenient, Yeah I use this a lot, they are 256 00:13:28.960 --> 00:13:33.679 now generally considered less secure. Why because of vulnerabilities in 257 00:13:33.720 --> 00:13:37.399 the global mobile network like SS seven protocol hijacking, which 258 00:13:37.440 --> 00:13:41.120 can potentially allow determined attackers to intercept your text messages, 259 00:13:41.320 --> 00:13:42.879 including those OTP codes. 260 00:13:43.159 --> 00:13:47.279 Wow, okay, that's concerning, So TOOTP apps are generally better 261 00:13:47.320 --> 00:13:51.879 than SMS. Good tip. Finally, the third pillar something you 262 00:13:51.960 --> 00:13:56.080 are biometrics. This is where our unique biological data comes 263 00:13:56.120 --> 00:13:56.559 into play. 264 00:13:56.639 --> 00:14:01.279 Exactly. Biometrics literally means life measurement. It uses unique human 265 00:14:01.360 --> 00:14:05.440 characteristics to verify identity. We can broadly categorize them into 266 00:14:05.519 --> 00:14:09.159 physiological based on your body parts, like fingerprints, face recognition, 267 00:14:09.240 --> 00:14:13.080 IRIS scans. These generally have high uniqueness and permanence. Think 268 00:14:13.080 --> 00:14:16.600 about Sir Francis Galton's early work on fingerprints, analyzing thousands 269 00:14:16.639 --> 00:14:18.360 and realizing just how individual they are. 270 00:14:18.399 --> 00:14:20.480 And the other category behavioral right. 271 00:14:20.799 --> 00:14:23.679 Behavioral biometrics are based on unique patterns and how you 272 00:14:23.759 --> 00:14:26.799 do things. Your voiceprint, the speed and pressure when you 273 00:14:26.879 --> 00:14:30.080 sign your name, your typing rhythm sometimes called keystroke dynamics, 274 00:14:30.480 --> 00:14:33.440 or even your walking pattern, your gait. These are often 275 00:14:33.440 --> 00:14:37.519 harder to measure precisely, but also potentially harder to spoof perfectly? 276 00:14:37.960 --> 00:14:41.200 How do you fake someone's exact typing rhythm? When you 277 00:14:41.279 --> 00:14:43.879 enroll in a biometric system, say setting up face ID, 278 00:14:44.600 --> 00:14:47.360 your data is captured, key features are extracted, and a 279 00:14:47.480 --> 00:14:51.519 unique digital representation a template, is created and stored securely. 280 00:14:52.000 --> 00:14:55.159 Then for authentication, new data is captured, your face is 281 00:14:55.159 --> 00:14:57.919 scanned again, compared to the stored template and checked against 282 00:14:57.960 --> 00:14:59.840 a pre defined biometric threshold. 283 00:15:00.159 --> 00:15:02.720 Threshold sounds important? What's the trade off there? It's a 284 00:15:02.720 --> 00:15:05.840 critical balancing act. It determines how close the new scan 285 00:15:05.960 --> 00:15:08.320 needs to be to the stored template to be considered 286 00:15:08.320 --> 00:15:12.519 a match. Set the threshold too low, too lenient, and 287 00:15:12.559 --> 00:15:14.840 it's very easy for you to get in, which is convenient, 288 00:15:15.240 --> 00:15:18.919 But an impostor might also get accepted. Sometimes that's a 289 00:15:18.960 --> 00:15:23.600 false acceptance rate or fr high usability lower security. Set 290 00:15:23.600 --> 00:15:26.639 the threshold too high, too strict, and it's super secure, 291 00:15:26.879 --> 00:15:30.240 very unlikely an imposter gets in. But even you might 292 00:15:30.279 --> 00:15:32.519 get rejected. Sometimes the lighting is bad, or you have 293 00:15:32.559 --> 00:15:35.960 a cold that's a false rejection rate or ferr high security, 294 00:15:35.960 --> 00:15:39.840 lower usability, potentially very frustrating. Systems aim for a sweet spot, 295 00:15:39.960 --> 00:15:43.159 often looking at the equal error rate or eer where 296 00:15:43.240 --> 00:15:46.159 far and fr cross to find a reasonable balance. We 297 00:15:46.159 --> 00:15:50.519 see biometrics everywhere now right smartphones, building access control, border 298 00:15:50.519 --> 00:15:53.279 control with e passports, and increasingly in banking for things 299 00:15:53.320 --> 00:15:56.480 like EKYC electronic Know your Customer. 300 00:15:56.159 --> 00:15:58.799 Checks makes sense. It's always a trade off between security 301 00:15:58.840 --> 00:16:01.679 and convenience. We also briefly touched on a few other 302 00:16:01.720 --> 00:16:05.039 factors of authentication beyond the main three. Yes, just quickly, 303 00:16:05.360 --> 00:16:09.360 there's something you process which might involve solving a quick 304 00:16:09.399 --> 00:16:12.919 mental task or a math puzzle. It's cognitively demanding, so 305 00:16:13.039 --> 00:16:16.240 less common for general use. Then there's somewhere you are 306 00:16:17.039 --> 00:16:20.759 using location, like your IP address geolocating you, or your 307 00:16:20.799 --> 00:16:24.399 mobile phone's GPS proximity. This is often used quietly in 308 00:16:24.440 --> 00:16:27.600 the background, especially by banks for fraud detection, you know, 309 00:16:27.799 --> 00:16:30.720 flagging a log in from an unusual location as suspicious, 310 00:16:31.320 --> 00:16:35.120 and finally an interesting one somebody you know. This is 311 00:16:35.159 --> 00:16:38.000 more for social recovery, maybe where a trusted friend or 312 00:16:38.039 --> 00:16:40.279 family member could vouch for you if you get locked out, 313 00:16:40.720 --> 00:16:42.679 less common for primary authentication. 314 00:16:43.080 --> 00:16:45.159 Right, So we have all these ways to prove who 315 00:16:45.240 --> 00:16:47.559 we are, but of course where there's a lock, there's 316 00:16:47.600 --> 00:16:50.159 always someone trying to pick it or smash the door down. 317 00:16:50.440 --> 00:16:52.240 Let's talk about the threats. This is where it gets 318 00:16:52.360 --> 00:16:54.399 really interesting, maybe a bit scary. 319 00:16:54.639 --> 00:16:57.720 It is, and it's vital to be clear on the terms. First, 320 00:16:58.240 --> 00:17:01.320 a vulnerability is a weakness in a SI. A threat 321 00:17:01.519 --> 00:17:04.440 is the potential danger that could exploit that weakness, and 322 00:17:04.519 --> 00:17:07.759 an attack is the actual malicious action that exploits it. 323 00:17:08.200 --> 00:17:10.079 They're related but distinct. 324 00:17:10.400 --> 00:17:12.680 Okay, so what are some of the most common threats 325 00:17:12.720 --> 00:17:14.400 we face when it comes to authentication. 326 00:17:14.960 --> 00:17:18.839 Well, sadly, many still stem from simple oversights like leaving 327 00:17:18.839 --> 00:17:23.680 default passwords ADMIN password unchanged on routers or other devices. 328 00:17:23.720 --> 00:17:27.400 It's amazing how often this happens. Then there's eavesdropping or sniffing. 329 00:17:28.000 --> 00:17:30.799 If you log into a site using unencrypted protocols like 330 00:17:30.839 --> 00:17:34.359 plain old HTTP or FTP, anyone on the same network 331 00:17:34.359 --> 00:17:37.440 could potentially intercept your username and password in plain text. 332 00:17:38.000 --> 00:17:41.519 Replay attacks are another classic. An attacker captures your legitimate 333 00:17:41.519 --> 00:17:44.799 authentication message, maybe your hash password, and just re sends 334 00:17:44.799 --> 00:17:47.799 it later to impersonate you. This is often countered by 335 00:17:47.839 --> 00:17:52.279 using unique one time random numbers called nonss or strict 336 00:17:52.279 --> 00:17:55.559 timestamps in the authentication protocol, and man in the middle 337 00:17:55.640 --> 00:17:59.559 mid M attacks. This is where an attacker secretly positioned 338 00:17:59.599 --> 00:18:01.759 themselves between you and the server that you're trying to 339 00:18:01.799 --> 00:18:05.720 connect to, intercepting and potentially altering communication in both directions. 340 00:18:06.079 --> 00:18:08.480 They impersonate the server to you and you to the server. 341 00:18:08.799 --> 00:18:12.839 Strong encryption like TLS used in HTTPS, is designed. 342 00:18:12.559 --> 00:18:15.279 To prevent this right and the age old problem of 343 00:18:15.400 --> 00:18:17.200 just guessing passwords. 344 00:18:16.839 --> 00:18:22.400 Yep, simple password guessing, brute force attacks trying every possible combination, 345 00:18:23.200 --> 00:18:27.400 or dictionary intax trying common words name states. These are 346 00:18:27.440 --> 00:18:31.119 still surprisingly effective against weak passwords, and a more modern, 347 00:18:31.319 --> 00:18:36.039 very widespread problem is credential stuffing. Attackers get huge lists 348 00:18:36.079 --> 00:18:39.000 of usernames and passwords leaked from one website breach. 349 00:18:39.240 --> 00:18:42.359 Oh yeah, you hear about those breaches all the time, exactly, and. 350 00:18:42.359 --> 00:18:45.000 Then they use automated tool to try those same username 351 00:18:45.039 --> 00:18:49.640 password combinations on hundreds of other popular websites, banks, email providers, 352 00:18:49.680 --> 00:18:52.359 social media. They're banking on the fact that people reuse 353 00:18:52.400 --> 00:18:55.599 the same password everywhere, and sadly many people do. 354 00:18:55.720 --> 00:18:59.160 That's a huge one. Password reuse is just asking for trouble. 355 00:18:59.200 --> 00:19:02.160 But perhaps the most well insidious and often effective attack 356 00:19:02.200 --> 00:19:06.559 factor doesn't rely on technical exploits at all. Social engineering absolutely. 357 00:19:06.920 --> 00:19:11.279 Social engineering is the art of psychological manipulation, tricking users 358 00:19:11.279 --> 00:19:15.519 into revealing confidential information or performing actions they shouldn't, like 359 00:19:15.559 --> 00:19:19.319 clicking a malicious link or installing malware. It preys on 360 00:19:19.400 --> 00:19:23.480 human trust, urgency, or fear. It can happen in person, 361 00:19:23.799 --> 00:19:26.920 think of a con artist building rapport or using subtle 362 00:19:26.920 --> 00:19:30.680 psychological techniques. Can happen over the phone. Maybe someone calls 363 00:19:30.680 --> 00:19:33.240 claiming to be from tech support, creating panic about a 364 00:19:33.319 --> 00:19:36.440 non existent virus to get remote access, or using phishing 365 00:19:36.480 --> 00:19:40.000 automated voice messages asking for credit card details to fix 366 00:19:40.079 --> 00:19:44.599 a supposed problem, and most commonly today, it's digital social engineering. 367 00:19:44.960 --> 00:19:48.000 This includes pretexting, like sending fake emails that look like 368 00:19:48.000 --> 00:19:51.160 they're from your bank or IT department, broad based phishing 369 00:19:51.240 --> 00:19:54.279 emails sent to millions hoping a few will bite, and 370 00:19:54.359 --> 00:19:57.920 highly targeted spear phishing attacks carefully crafted for a specific 371 00:19:57.960 --> 00:20:01.839 individual or organization, often information gleaned from social media to 372 00:20:01.839 --> 00:20:04.440 seem incredibly legitimate, scary. 373 00:20:04.119 --> 00:20:08.119 Stuff, and it really highlights why traditional single factor authentication 374 00:20:08.400 --> 00:20:11.559 like just a password, even a strong one, often isn't 375 00:20:11.640 --> 00:20:15.160 enough anymore given all these threats, especially social engineering and 376 00:20:15.200 --> 00:20:20.160 credential stuffing, which brings us squarely to multi factor authentication MFA. 377 00:20:20.759 --> 00:20:22.640 That's basically the new standard. 378 00:20:22.319 --> 00:20:27.440 Right it really should be wherever possible. Yes, MFA requires 379 00:20:27.480 --> 00:20:30.240 you to provide two or more pieces of evidence or 380 00:20:30.319 --> 00:20:33.519 factors to prove your identity, and critically, these factors must 381 00:20:33.519 --> 00:20:36.720 come from different categories of authentication, so it's not just 382 00:20:36.759 --> 00:20:39.839 two passwords. It's typically password something you know, plus a 383 00:20:39.880 --> 00:20:42.359 code from an authenticator app or hardware tope in something 384 00:20:42.400 --> 00:20:44.599 you app or maybe a password plus a fingerprint scan 385 00:20:44.799 --> 00:20:50.079 something you are. The combination exponentially increases security. Why because 386 00:20:50.119 --> 00:20:52.559 even if an attacker manages to steal or guess your 387 00:20:52.599 --> 00:20:55.160 password one factor, they still need to get hold of 388 00:20:55.160 --> 00:20:58.799 your physical token or bypass your biometric scan the second 389 00:20:58.880 --> 00:21:01.720 different factor to get in. It makes their job much much. 390 00:21:01.559 --> 00:21:04.079 Harder so it's layering different types of proof. 391 00:21:04.400 --> 00:21:08.240 It's exactly. While no security is ever absolutely under percent foolproof, 392 00:21:08.319 --> 00:21:11.240 determined attackers can still try to trick users into giving 393 00:21:11.279 --> 00:21:16.359 up both factors via sophisticated fishing. For example, MFA significantly 394 00:21:16.440 --> 00:21:20.279 raises the barrier to unauthorized access. It's now standard practice 395 00:21:20.279 --> 00:21:24.240 thankfully in sensitive areas like finance, healthcare, and education, and 396 00:21:24.279 --> 00:21:26.880 you see it widely offered often required on major social 397 00:21:26.880 --> 00:21:30.200 media platforms too. If you're not using MFA on important accounts, 398 00:21:30.240 --> 00:21:31.440 you really should enable it. 399 00:21:31.519 --> 00:21:33.960 Definitely good advice. Okay, so if we zoom out a bit, 400 00:21:34.160 --> 00:21:36.440 how does all this authentication stuff work in the background 401 00:21:36.480 --> 00:21:38.599 to actually set up a secure connection, like when my 402 00:21:38.680 --> 00:21:42.319 browser shows that little padlock icon for HTTPS, or when 403 00:21:42.319 --> 00:21:44.160 I log into my company network. 404 00:21:44.279 --> 00:21:48.960 Good question. That involves specific authentication and key establishment protocols. 405 00:21:49.640 --> 00:21:52.480 They handle both proving identity and setting up the secure 406 00:21:52.559 --> 00:21:56.440 channel for communication, often using the crypto concepts we discussed earlier. 407 00:21:57.119 --> 00:22:01.759 Think about ssltls, the protocol that secures HTTPS web traffic. 408 00:22:02.480 --> 00:22:05.480 When you connect to a secure website, like for online shopping, 409 00:22:05.839 --> 00:22:08.559 you're a browser and the server a form a complex handshake. 410 00:22:09.599 --> 00:22:13.640 During this handshake, They use asymmetric cryptography, often involving digital 411 00:22:13.640 --> 00:22:17.319 certificates issued by a Trusted Certificate Authority CIA for the 412 00:22:17.359 --> 00:22:20.680 server to prove its identity to your browser. They also 413 00:22:20.680 --> 00:22:23.519 securely negotiate a symmetric session key that will be used 414 00:22:23.519 --> 00:22:26.480 to encrypt all the subsequent traffic between you, so the 415 00:22:26.480 --> 00:22:29.319 server authenticates itself before you send any sensitive data like 416 00:22:29.319 --> 00:22:32.599 credit card numbers. For internal enterprise networks, you often see 417 00:22:32.599 --> 00:22:36.160 systems like Carbaros. It uses symmetric cryptography and a trusted 418 00:22:36.240 --> 00:22:39.720 central server called a key Distribution Center KDC. When you 419 00:22:39.759 --> 00:22:43.000 log into your work computer, Carberos gives you cryptographic tickets 420 00:22:43.079 --> 00:22:45.759 that prove your identity to various network services like file 421 00:22:45.799 --> 00:22:48.039 servers or printers, without you having to re enter your 422 00:22:48.039 --> 00:22:52.640 password constantly. It enables single sign on sso within the organization. 423 00:22:53.160 --> 00:22:57.240 Right, So different protocols for different scenarios, and how do 424 00:22:57.400 --> 00:23:00.880 organizations decide what level of authentications do security is needed? 425 00:23:01.319 --> 00:23:04.279 Surely logging into a high security government system needs more 426 00:23:04.319 --> 00:23:06.039 proof than logging into a public forum. 427 00:23:06.279 --> 00:23:10.680 Absolutely, not all authentication needs are equal. That's where frameworks 428 00:23:10.759 --> 00:23:13.319 like the one from NIS, the US National Institute of 429 00:23:13.359 --> 00:23:18.440 Standards and Technology come in specifically, there's special publication eight 430 00:23:18.519 --> 00:23:23.079 hundred and sixty three B defines authentication assurance levels or ALS. 431 00:23:23.759 --> 00:23:26.359 It provides guidance on matching the strength of the authentication 432 00:23:26.400 --> 00:23:29.279 process to the level of risk. AL one is the 433 00:23:29.319 --> 00:23:32.920 lowest level, typically requiring just single factor authentication like a 434 00:23:32.960 --> 00:23:36.920 password transmitted over a secure channel. It offers medium insurance, 435 00:23:37.359 --> 00:23:40.960 maybe requires reauthentication every thirty days or so. AL two 436 00:23:41.000 --> 00:23:45.200 steps it up significantly, requiring two distinct factors multi factor authentication. 437 00:23:45.519 --> 00:23:49.119 This provides higher assurance. Examples could be password plus an 438 00:23:49.119 --> 00:23:52.400 OTP from an app, or maybe password plus a biometric. 439 00:23:52.680 --> 00:23:56.279 It usually has stricter rules, like requiring reauthentication every twelve 440 00:23:56.279 --> 00:23:59.680 hours and maybe after just thirty minutes of inactivity. AL 441 00:23:59.680 --> 00:24:02.839 three is the highest level, providing the strongest assurance. Usually 442 00:24:02.880 --> 00:24:06.440 requires MFA using hardware based cryptographic devices like smart cards 443 00:24:06.519 --> 00:24:09.160 or USB keys that are resistant to tampering and protect 444 00:24:09.160 --> 00:24:12.279 the private key. Reauthentication might be required every twelve hours, 445 00:24:12.319 --> 00:24:16.319 regardless of user activity. This AL framework helps organizations choose 446 00:24:16.319 --> 00:24:19.440 the right level of security muscle for the job, balancing risk, 447 00:24:19.759 --> 00:24:20.920 cost and usability. 448 00:24:21.039 --> 00:24:23.160 That makes a lot of sense tailoring the security to 449 00:24:23.200 --> 00:24:26.039 the need. Okay We've covered a lot of ground. Let's 450 00:24:26.079 --> 00:24:29.720 shift gears and look towards the horizon. What does all 451 00:24:29.759 --> 00:24:33.119 this mean for tomorrow? What's coming next? In the world 452 00:24:33.200 --> 00:24:34.200 of proving who you are? 453 00:24:34.559 --> 00:24:36.920 Well, I think the future of authentication is largely about 454 00:24:36.920 --> 00:24:40.519 making it both stronger and more seamless, almost invisible to 455 00:24:40.559 --> 00:24:43.799 the user where possible. A major trend driving this is 456 00:24:43.839 --> 00:24:45.039 continuous authentication. 457 00:24:45.480 --> 00:24:50.039 Continuous authentication that sounds potentially exhausting, like having to constantly 458 00:24:50.039 --> 00:24:52.079 prove who I am every few minutes. That doesn't sound 459 00:24:52.160 --> 00:24:52.960 very user friendly. 460 00:24:53.279 --> 00:24:56.480 That's the core challenge it aims to solve. The idea 461 00:24:56.599 --> 00:24:59.839 isn't to constantly interrupt you. Instead of just authenticating you 462 00:25:00.119 --> 00:25:03.119 once at the initial log in, the system aims to 463 00:25:03.160 --> 00:25:06.880 continuously verify in the background that the person using the 464 00:25:06.920 --> 00:25:10.480 session is still the legitimate user. Think about taking a 465 00:25:10.559 --> 00:25:14.039 long online exam or a sensitive remote work session. The 466 00:25:14.079 --> 00:25:16.920 system needs some way to ensure it's still you sitting 467 00:25:17.000 --> 00:25:19.359 there and not someone else who might have slipped into 468 00:25:19.359 --> 00:25:22.039 your chair while you stepped away. The goal is to 469 00:25:22.079 --> 00:25:26.480 achieve this verification transparently, implicitly, and non intrusively, making the 470 00:25:26.519 --> 00:25:28.680 ongoing authentication almost invisible. 471 00:25:28.720 --> 00:25:31.200 Okay, invisible sounds better, but how would that even work 472 00:25:31.240 --> 00:25:34.200 without constantly popping up prompts or asking for fingerprints. 473 00:25:34.480 --> 00:25:39.119 It primarily relies on analyzing behavioral biometrics passively in the background, 474 00:25:39.480 --> 00:25:42.640 instead of explicitly asking you for a password. Again. The 475 00:25:42.680 --> 00:25:46.319 system might continuously monitor things like your keystroke dynamics, the 476 00:25:46.400 --> 00:25:49.839 unique rhythm, speed and pressure patterns as you type, or 477 00:25:49.920 --> 00:25:53.440 perhaps analyze your gaze patterns using the device's front camera 478 00:25:53.759 --> 00:25:57.279 to track subtle eye movements characteristic to you. Some research 479 00:25:57.319 --> 00:26:00.960 even looks into using walking patterns or gate recognition, leveraging 480 00:26:01.000 --> 00:26:03.799 the motion sensors already in your smartphone or wearable device 481 00:26:04.079 --> 00:26:07.079 to identify you by how you walk. The aspiration here 482 00:26:07.200 --> 00:26:11.160 is really high security combined with high usability, making authentication 483 00:26:11.200 --> 00:26:13.880 feel less like an event and more like a continuous 484 00:26:13.880 --> 00:26:15.559 background state of trust verification. 485 00:26:15.799 --> 00:26:19.359 That's a pretty huge leap from typing passwords or tapping tokens. 486 00:26:19.640 --> 00:26:21.880 And there was one other future looking concept you mentioned 487 00:26:21.880 --> 00:26:27.319 earlier that really intrigued me, cancellable biometric authentication, Because let's 488 00:26:27.359 --> 00:26:31.160 face it, the biggest single problem with traditional biometrics fingerprints, 489 00:26:31.240 --> 00:26:34.960 face scans, iris scans is that if your biometric data 490 00:26:35.079 --> 00:26:38.599 is compromised, stolen from a database, Well, it's compromised forever. 491 00:26:38.720 --> 00:26:40.960 You can't exactly change your fingerprint like you change a 492 00:26:41.000 --> 00:26:42.119 password precisely. 493 00:26:42.599 --> 00:26:45.960 That is the fundamental weakness cancelable biometrics aims to address. 494 00:26:46.799 --> 00:26:49.960 It's a newer approach designed specifically to protect the biometric 495 00:26:49.960 --> 00:26:54.720 templates themselves and crucially make them revocable or cancelable if 496 00:26:54.720 --> 00:26:57.599 they're ever compromised. How does it work? Well, what approach 497 00:26:57.599 --> 00:27:02.200 involves biometric solving Conceptually similar to password salting. Your raw 498 00:27:02.359 --> 00:27:05.839 biometric data, like fingerprint features, is combined with some other 499 00:27:05.920 --> 00:27:08.240 piece of arbitrary data. Maybe it's linked to your password, 500 00:27:08.720 --> 00:27:10.799 or it's just a unique random string assigned to you 501 00:27:10.839 --> 00:27:13.880 for that specific service before the final template is created 502 00:27:13.920 --> 00:27:18.119 and stored. The key idea, though, goes further, often involving 503 00:27:18.160 --> 00:27:22.319 applying a non invertible biometric transformation. This means using a 504 00:27:22.359 --> 00:27:25.960 special mathematical function, a one way function, on the original 505 00:27:26.000 --> 00:27:29.119 biometric data, perhaps combined with the salt or other data, 506 00:27:29.160 --> 00:27:32.359 to create the stored template. The transformation is designed so 507 00:27:32.400 --> 00:27:36.000 that it's computationally impossible to reverse it. You can't reconstruct 508 00:27:36.039 --> 00:27:38.920 the original fingerprint data from the transformed template stored in 509 00:27:38.960 --> 00:27:42.519 the database. Think of it like hashing, but for biometrics. 510 00:27:42.720 --> 00:27:47.359 There are various proposed methods like Cartesian or polar transformations 511 00:27:47.400 --> 00:27:48.359 described in the source. 512 00:27:48.680 --> 00:27:53.079 Okay, so if a database containing these transformed cancelable templates 513 00:27:53.160 --> 00:27:56.960 is breached, the attackers don't get my actual fingerprint data 514 00:27:57.440 --> 00:27:59.480 and I can revoke that template somehow. 515 00:27:59.519 --> 00:28:02.359 That's the goal exactly, Yeah, Because the stored template isn't 516 00:28:02.359 --> 00:28:06.359 your raw biometric it's less sensitive, and if it is compromised, 517 00:28:06.559 --> 00:28:10.079 you can effectively revoke it by changing the associated arbitrary 518 00:28:10.119 --> 00:28:13.200 data the salt or key, or perhaps by applying a 519 00:28:13.200 --> 00:28:17.920 different transformation function. This generates a completely new, unique template 520 00:28:17.960 --> 00:28:22.240 for future authentications, rendering the stolen one useless. This offers 521 00:28:22.279 --> 00:28:26.720 two huge advantages revocability, just like changing a password, and 522 00:28:26.759 --> 00:28:30.640 it also prevents cross matching between different services, since each 523 00:28:30.680 --> 00:28:33.240 service would use a different transformation or different salt. A 524 00:28:33.319 --> 00:28:35.920 template stolen from one service is useless for trying to 525 00:28:35.920 --> 00:28:39.079 impersonate you on another service. The main challenges right now 526 00:28:39.079 --> 00:28:42.960 are ensuring these transformation processes don't significantly decrease the accuracy, 527 00:28:43.359 --> 00:28:46.680 increase sofar or the speed of the biometric matching process. 528 00:28:47.160 --> 00:28:49.880 It's an active area of research, but the potential to 529 00:28:49.880 --> 00:28:52.519 make biometrics truly renewable is immense. 530 00:28:52.920 --> 00:28:57.559 Wow, what an incredible journey we've taken today, seriously, from 531 00:28:57.559 --> 00:29:03.480 the foundational pillars of digital security, confidentiality, integrity, availability, and 532 00:29:03.519 --> 00:29:05.000 that powerful language. 533 00:29:04.720 --> 00:29:10.640 Of cryptography, yeah, symmetric asymmetric hashes, digital signatures, the whole toolkit, 534 00:29:10.799 --> 00:29:11.240 through all. 535 00:29:11.119 --> 00:29:13.960 The different ways we prove who we are, something you 536 00:29:14.359 --> 00:29:17.839 have and are we dug into passwords, salts, tokens, the 537 00:29:17.920 --> 00:29:20.000 nuances of biometrics and the threats. 538 00:29:20.400 --> 00:29:25.359 Can't forget those eavesdropping MIT, nem credential stuffing, and especially 539 00:29:25.400 --> 00:29:27.400 that tricky social engineering. 540 00:29:27.000 --> 00:29:29.640 Absolutely which led us to the crucial importance of multi 541 00:29:29.640 --> 00:29:33.680 factor authentication MFA as really the baseline standard now and 542 00:29:33.720 --> 00:29:37.119 even protocols like TLS and Curbero's working behind the scenes. 543 00:29:36.839 --> 00:29:40.200 And finally peering into that fascinating future of continuous, almost 544 00:29:40.240 --> 00:29:46.359 invisible authentication and the potential for cancelable, renewable biometrics, We've truly. 545 00:29:46.079 --> 00:29:48.480 Seen how far we've come from just relying on simple, 546 00:29:48.599 --> 00:29:52.119 easily guessable passwords, and hopefully understanding all these layers of 547 00:29:52.160 --> 00:29:55.200 protection helps you, our listener, make more informed decisions about 548 00:29:55.200 --> 00:29:56.480 your own digital security. 549 00:29:56.759 --> 00:30:00.920 Definitely, you are now hopefully better equipped understand the digital 550 00:30:00.920 --> 00:30:04.200 locks and keys, both simple and complex, that protect your information, 551 00:30:04.279 --> 00:30:07.839 your identity, your world every single day online. 552 00:30:08.119 --> 00:30:10.880 So here's a final thought to leave you with. As 553 00:30:10.920 --> 00:30:13.960 our digital lives become ever more deeply intertwined with our 554 00:30:13.960 --> 00:30:18.279 physical reality, will those lines between who you are, what 555 00:30:18.319 --> 00:30:21.920 you know, and what you have eventually just blur completely? 556 00:30:22.359 --> 00:30:26.319 Could we reach a point where authentication is this seamless, continuous, 557 00:30:26.480 --> 00:30:30.640 maybe even cancelable background process, making the very act of 558 00:30:30.799 --> 00:30:34.279 consciously logging in feel like a quaint relic of the past. 559 00:30:34.480 --> 00:30:37.039 Hmmm. That's a fascinating question for the future. 560 00:30:37.160 --> 00:30:39.279 In the meantime, we definitely encourage you to think about 561 00:30:39.279 --> 00:30:41.880 the authentication methods you use daily. Take a look at 562 00:30:41.920 --> 00:30:46.400 your important accounts, email, banking, social media, and please enable 563 00:30:46.480 --> 00:30:49.599 multi factor options wherever they're available. It really does make 564 00:30:49.640 --> 00:30:50.079 a difference. 565 00:30:50.119 --> 00:30:51.079 Stay safe out there. 566 00:30:51.359 --> 00:30:54.279 Until next time on the deep dives, Stay digitally safe.