CylancePERSONA: The First AI Solution to the Password Problem

TREND ANALYSIS: Why AI may be the ultimate replacement for password security.

BlackBerry.Cylance2

I was at BlackBerry’s analyst conference this week, and there were a number of things that kind of set me back on my heels. For instance, Bain & Co. indicated it manages its entire fleet of smartphones using BlackBerry’s technology and part of one technician--not a full tech, not a department of techs, just a part-timer.

Bain isn’t small, and it is one of the leading consultancies in the space, which means its users not only live on their smartphones, they likely will migrate to this solution as well. Another item I learned was that it is developing an Amazon Echo solution to better alert people about school shootings. Schools don’t have much money, kids need to be safe, and this effectively checks both boxes.

But the most interesting thing for me was something that came from Bain’s recent Cylance acquisition called CylancePERSONA, which uses artificial intelligence to effectively make password problems obsolete.

I hate passwords with a passion. I was part of a study done by IBM in the 1980s that concluded passwords were where the greatest security threats resided and that we needed to eliminate them to be truly secure. More than 30 years later, those now-retired researchers are likely going to their graves saying “I told you so,” because passwords remain one of the biggest security problems in the industry.

The issue at the time passwords and IDs were created was that, before tech, people were at the core of security. You had security guards at the entrance to the plant--or even many of the higher-rent buildings where you lived--who pretty much knew who you were, so you were physically identified. If you, as a man, walked up and tried to pretend you were a different race or sex, you’d get flagged almost immediately and, in many cases, the guard knew who you were trying to impersonate and would be less than kind in his response. That doesn’t work digitally or at scale, but what if it could? What if you could use AI to do that rather than a password to use your PC?

Alternatives

Now I use Microsoft Hello a lot, and that is similar to what I’m talking about. However, that requires a special camera and, at least on my desktop computer, the Logitech camera I’m using often doesn’t work. In addition, even on my laptop, it has to be at just the right angle or I’m back to using a PIN which, in many ways, is easier but not safer than a password. Fingerprint recognition can work, and print readers have gotten much better, but both take a very limited amount of data and can be spoofed. (Facial recognition in general has become problematic, and there is that issue of having to have the camera on all the time, which does open up privacy concerns). I like both, and use both, instead of passwords, but alone they aren’t ideal, because they don’t know me. (Tokens, like RSA hardware or software tokens, are also more secure but tend to be a different kind of pain in the butt).

By the way, I think both could benefit from AI and should be part of a layered defense (I’m a fan of layered defenses) for a more secure solution.

CylancePERSONA

What fascinated me about CylancePERSONA is that the tool learns over a period of days how you work. Basically, it monitors everything you do and creates a model of who you are. It knows what you regularly do when you first come in to work, it knows how you go through email, it knows what apps you use and don’t use. It basically builds a virtual model of who you are based on how you work with your PC.

It then takes that model and compares it to the person who is using your PC and, if the two don’t match, it will log that person out and, depending on the policies set, alert security, freeze your access to remote resources and trigger any of a number of events to prevent that false user from doing harm. It also keeps track of where you are so if someone tries to log in from someplace you aren’t, they never make it through security. Kind of like that security guard who knows you are on vacation, so that the person showing up that looks like you isn’t allowed in.

I do think it becomes more powerful when layered or linked with tools such as Microsoft Hello, but the end result should allow you to virtually eliminate passwords. As we move to ever-more-capable AIs with voice recognition (something I just added to my investment accounts) and cell phone proximity (often used as a second factor), you could create a security solution that is both easier and vastly more secure than passwords are today.

Wrapping Up: I’ve seen the future …

I’m convinced the future for security is AI. On our phones it could immediately (and it increasingly does) identify scam and phishing attacks and could even keep your kids from messing with your devices when you are out of the office. I still recall the story of the CEO who showed up to his firm’s annual meeting not knowing that his kid had changed the names and location of the Power Point presentation he was to use. I figure that kid’s butt still glows red in the dark. Though, I also have to admit, it makes me chuckle every time I recall it. It wasn’t my kid …

But I’m a fan of anything that is more secure and easier to use than passwords, because ever since they were created, passwords have sucked.

Rob Enderle is a principal at Enderle Group. He is an award-winning analyst and a longtime contributor to QuinStreet publications and Pund-IT.