What ‘human authentication’ really means
Bob Eckel, President and CEO, Aware, Inc.
Over the last several months of the ongoing Twitter/Elon Musk lawsuit, Musk and his lawyers continually interrogated Twitter on its process for analyzing spam or ‘bot’ accounts. Now that Musk’s acquisition is complete, we can expect major shifts at the social media platform, including changes to the process of “authenticating all real humans” as Musk suggests, in order to combat the rise of bots which has been a bane of Twitter’s existence for years.
This line, “authenticating all real humans,” strikes a nerve with those who want users to continue to be able to use Twitter anonymously. These privacy-minded individuals highlight many valid reasons to continue permitting anonymous users, particularly when revealing a user’s true identity may threaten that person’s life or well-being. Musk has certainly raised some important questions that warrant further pondering. What does his stated desire for “human authentication” in today’s digital world really mean? Is it possible to achieve it without compromising privacy? And what options exist for Twitter and other social networks to enable it?
What is meant by “human authentication” exactly?
The term ‘authentication’ frequently gets conflated with other, similar sounding words like ‘identification’ and ‘verification.’ But while these may sound the same to many, there are key differences between them.
Identification is the process by which a user’s identity is determined. By providing a username, for example, a system assigns an identity to the user based on the input provided. Verification is the step where the system validates the user’s identity as being authentic. For example, a fraudster could attempt to access a system using a stolen username from an existing user. While the system would identify the fraudster as the user in this instance, it could only verify the user as authentic with an accompanying password or other prompt.
Authentication is then the process by which a user is granted access to the platform. Once a system has identified and verified the user, it will then permit access to that user. Authentication can therefore be thought of as the process that ties the real person to their identity. When passwords are used as the prompt, systems can be vulnerable to a high degree of fraud since things like usernames and passwords can be stolen. Newer types of biometric-based prompts – like facial scans, iris scans or fingerprints, for example — cannot be stolen and are therefore more reliable.
Whether Musk is calling for this more reliable form of authentication (tying identities to people) by incorporating human attributes like biometrics, or using authentication in the more literal sense — simply making sure Twitter users are real, living people (without necessarily tying them to an identity) as a means of eliminating bots – remains unclear.
Is it possible to achieve human authentication without compromising privacy?
The short answer is yes. Let’s assume for a moment that Musk is calling for the use of biometrics in the authentication process (tying people to identities). People would still be able to use an alias as an identity; biometrics would simply be the way that identity was verified. In this way, privacy on Twitter through the use of aliases would be maintained.
But even for people who don’t use aliases, there may be some privacy concerns around Twitter collecting and holding their sensitive biometric data. What if this huge database were to be compromised? The good news is there are storage techniques available that can help prevent this — for instance, storing identification data separately from biometric data. In this case, even if a hacker were able to access the biometric data without the accompanying identification details, it would be rendered completely useless.
What options exist for Twitter and other social networks to enable it?
As discussed above, biometrics can be a great way to ensure human authentication in the sense of tying people to identities (whether these are fake alias identities or not). But let’s assume for another moment that Musk is simply trying to make sure that Twitter users are real, living, breathing humans and not bots.
Twitter’s initiative to eliminate bots is a very noble effort, since bots are often associated with misinformation; can undermine and disrupt public conversation and threaten the integrity of the entire platform. Indeed, Twitter recently reported they remove over one million bot accounts each day. What options exist for Twitter and others to continue to advance this worthwhile endeavor?
More rigorous enrollment and verification requirements: This is one way that Twitter could better ensure its users are real, living people — for example, requiring photos and full bios and at least one Tweet in order to enroll; and/or requiring the entering of personal information (as Instagram has done with users’ birthdays) in order to access. The challenge with this approach is that it involves real people on Twitter’s side checking, which is a very long and arduous process – so much so in fact that when Twitter announced a more rigorous verification process last year, it pulled back only a week later due to the team being so swamped. This approach also entails potential privacy encroachments — for example, requiring someone to share a photo when they may not wish to do so.
Biometrics with liveness detection: Today’s biometric technologies are highly mobile, using the cameras and microphones found in smartphones and mobile devices to authenticate users. Biometrics can be a great way to ensure users are real, living people, but there are challenges here as well. While the great majority of smartphones in use today have sufficient cameras and microphones, there will always be exceptions, as not all users are equipped with the most advanced biometric sensors. A good approach would be using those biometric modalities that are most ubiquitous, such as voice. “Spoofing” presents another challenge, and for this reason liveness detection must also be applied with any biometrics modality that is used — making sure a voice is a real live voice (not a recording) and a face is a real face (not a photo).
Machine learning: Machine learning algorithms can analyze Tweets based on hundreds of different characteristics (for example, unusually high Tweeting frequency or “spammy” handles) in order to assess the likelihood of Tweets coming from a bot and screening these accounts out. Several machine learning-based bot screening tools are available, such as Botometer.
So far, however, we have seen several challenges with this approach. For instance, when someone enrolls for a Twitter account, if their chosen handle (usually incorporating a name) is already taken, Twitter will automatically generate an alternative handle that usually incorporates random numbers, and more often than not the user will simply accept this proposed spammy-looking handle. Also, it is not uncommon for extreme Twitter enthusiasts to Tweet frequently. All of this results in an increased likelihood of legitimate Twitter accounts being erroneously identified as bots.
Also, machine learning may not take into account the existence of “good bots” — those that spread positive information such as coronavirus vaccination information. Twitter recently announced a program to designate “good bots” with a clear label, and while this is definitely a step in the right direction toward better identification and removal of malicious bots, it doesn’t take into account that many developers – even those of “good bots” — may be reluctant to be identified as bots at all.
Whatever exactly Elon Musk means by his phrase “human authentication,” we don’t need to be scared of it and we shouldn’t over-analyze it. Human authentication (in terms of tying people to their identities) doesn’t have to compromise privacy. Similarly, human authentication (in the form of simply distinguishing between real humans and bots) can play a key role in the worthwhile and necessary effort of ensuring the integrity of the Twitter platform. In both scenarios, biometrics can be a very helpful technique, although more education will likely be needed to enhance the public’s acceptance.
About the author
Bob Eckel is president and CEO of Aware, Inc.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.