Joe Burton, CEO of digital identity authentication company Telesign, spoke with TechRepublic about how the “fuzzy” realm between statistical analysis and artificial intelligence can fuel global, fast and accurate identity management.
Telesign may have been instrumental in the development of two-factor authentication, but it has a marginal share of a market dominated by companies like Persona, OpenID, Okta, Duo Security and LastPass.
Burton said the company is looking forward, with big plans to use new technologies and services powered by AI to set itself apart from competitors. A key approach since 2019 has been evolving its Communications Platform-as-a-Service leadership, dispensing with passwords and focusing on mobile numbers for identity verification, data modeling and customized communications.
Burton, who became Telesign’s CEO in 2021, spoke about the company’s use of machine learning and how to provide security without increasing consumer friction.
Burton: Because we are seeing about 5 billion unique phone numbers flow through our systems on a monthly basis in 195 countries on behalf of some 3,000 enterprises, I have a really good idea of what a person traveling looks like versus that person’s identity having been stolen. We are looking at 2,200 different attributes on your phone usage patterns, and are using all of that to train a machine-learning model that is extraordinarily fast and accurate. I can respond to whether this looks like it is or is not someone’s legitimate phone number with a set of explainable AI analyses.
TR: How important is the explainability part of this result?
Burton: I think this is going to be a cornerstone for AI for anything material going forward. Much as with an [Advanced Placement] test in high school, if someone wrote down an answer and didn’t show their work, we wouldn’t give them much credit. I don’t think we should give credit to an AI that can’t explain why it did what it did.
TR: Do your customers, the websites and apps, need to know the provenance of the decision?
Burton: I go back to the real world again: a good teacher might give a student a bad grade for giving an incomplete answer; a better teacher will ask them to explain how they reached it. We should hold AI to the same standard.
TR: How do you generate analyses from data models?
Burton: We built our AI system to be very focused on using global, fast, accurate intelligence around how likely a person is to be the person they say they are: the person who is, say, creating an account on system X.
TR: Don’t you have to keep a lot of personal data on hand to do this?
Burton: We don’t have a huge corpus of data on any given person. Instead, when we send a notification to a phone number, perhaps every time I see this phone number it has changed locations, [or] perhaps the user is roaming on the Vodafone network around the world. I feed that into the AI and create a new statistical model based on a movement event on this phone number in Europe. Then we throw away the data. But what we have is this interesting statistical model.
TR: So the data model you develop, not the actual data, functions as a proxy for the user?
Burton: When there’s a new event, we aren’t doing a database lookup, we are playing twenty questions: this person just tried to sign up for, say, three women’s clothing sites in a row, and let’s say that this is atypical behavior for that number, and it’s not Valentine’s Day or Christmas. We would send back a set of reason codes revealing we have seen new habits involving new vendors of a different type than the person has done business with in the past — in a different location.
TR: Why is AI required for this kind of user view? Can’t this be done with statistical analyses without AI?
Burton: There are a couple of answers. First, there are many different AIs, if you will. For example, we are involving logarithmic regressions: fancy statistical analysis with a little AI “fuzziness” around the edges. I’m able to say, “How much does this look statistically like normal behavior? Is the activity around this phone number getting further from normal statistical behavior for this user, and maybe more like that of a different cohort: say, a botfarm?” And you wouldn’t get this from a purely statistical model unless you just did a binary search over its every node. Without AI, unless you are really good, you have to keep everyone’s personal and identifiable data. I’m just training the model, throwing away the data, training the model, throwing away the data.
TR: And how does this application of “fuzzy” AI improve the protection cycle?
Burton: It’s life changing. If you hacked us — not that I’d want that — you’d get a set of statistical models. There is no data to speak of. You really don’t want me to have a history of everything you have done over the last twenty years. I don’t. I have a statistical number, a model attached to a phone number, so if you pass me a new event I can say how like or not like typical behavior it is with a set of reason codes.
TR: What are the biggest challenges in authentication and digital identity?
Burton: Well, identity is an arms race: give me a name, give me a name and password, now make the password longer, now answer three security questions, make it seven security questions. So, it’s a mess. At Telesign, this idea of modeling based on use cases — someone’s trying to create an account, or sign into an account, or pay for digital goods on a gaming site, [or] hail a taxi — to be able to build models that are global, fast and accurate is a lot of our magic. We have these models across almost all of the mobile phone numbers in 192 countries, so if you travel to Pakistan and try to log into your normal systems we will already have a strong notion of whether this looks like you in Pakistan or a hacker. This is really important.
TR: What are you most excited about in terms of Telesign’s advances?
Burton: I’m excited about combining a zero-trust posture on one side with creating a superior customer experience, because, typically, those things are held in contrast to each other: if you want to be safe as soon as you show up to a website, we’re going to make you do 500 things in order to prove it’s you. I hate that idea. As we move to the digital context, security with high friction is not the answer. Zero friction is not the answer either. The answer is matching the friction to the website. The right amount of friction at the right time — that is our mission, and frankly, it only really works with a very clever use of AI.