AI Deepfakes: The New Frontier of Identity Theft

Get featured on the show by leaving us a Voice Mail: https://bit.ly/MIPVM 
 
AI is transforming identity security and giving cybercriminals superpowers. This episode explores the rise of deepfakes, social engineering, and why traditional MFA and recovery flows fail. Learn how businesses can protect digital trust and secure remote work in an AI-driven world. 

👉 Full Show Notes
https://www.microsoftinnovationpodcast.com/767

🎙️ What you’ll learn 

  • Why generative AI accelerates identity theft and fraud 
  • How deepfakes undermine video verification and trust 
  • The hidden risks in MFA recovery and onboarding flows 
  • Practical steps to secure help desks and remote workers 
  • How mobile cryptographic attestation strengthens identity checks 

Highlights 

  • “Cybercrime now rivals the GDP of the world’s largest economies.” 
  • “Generative AI has given superpowers to bad actors.” 
  • “Deepfakes make it impossible to trust what’s on a video call.” 
  • “Half of IT help desk calls are locked-out employees.” 
  • “Recovery flows for MFA are fundamentally insecure.” 
  • “North Koreans are applying for remote jobs using live deepfakes.” 
  • “The camera on your laptop isn’t connected to the TPM chip.” 
  • “We realised identity verification had to move to mobile.” 
  • “HubSpot automated account recovery with high-assurance identity checks.” 
  • “Okta recommends visual verification—but it’s slow and fragile.” 
  • “Passkeys don’t eliminate passwords or provisioning risk.” 
  • “AI lets attackers mimic company language and values effortlessly.” 

✅Keywords 
ai security, identity theft, deepfakes, mfa recovery, remote work risk, social engineering, cybercrime growth, mobile attestation, okta, entra id, passkeys, generative ai

Thanks for listening 🚀 - Mark Smith

09:03 - The Rise of AI-Powered Identity Theft

09:58 - Cybercrime: A $12 Trillion Economy

13:32 - The MGM Breach: A Wake-Up Call

16:45 - Deepfakes in Hiring: The Remote Work Risk

19:45 - Why Video Verification Isn’t Enough

23:55 - Nametag’s Breakthrough: Mobile Cryptographic Identity

31:48 - AI’s Double-Edged Sword

00:00:07 Mark Smith
Welcome to AI Unfiltered, the show that cuts through the hype and brings you the authentic side of artificial intelligence. I'm your host, Mark Smith, and in each episode, I sit down one-on-one with AI innovators and industry leaders from around the world. Together, we explore real-world AI applications, share practical insights, and discuss how businesses are implementing responsible, ethical, and trustworthy AI. Let's dive into the conversation and see how AI can transform your business today. Hey everyone, welcome back to AI Unfiltered. Today, we're heading up the coast to Seattle, where our guest is tackling one of the most urgent threats in tech today, AI-powered identity theft. Aaron is the CEO of Nametag, where he's leading the charge to protect digital trust in a world where deepfakes are getting disturbingly good. Before founding Nametag, he helped scale secure systems globally at Microsoft. That's where I first met him. Full links are in the show notes for this episode. Welcome, Aaron.

00:01:12 Aaron Painter
Thanks, Mark. I'm really excited to be with you today.

00:01:15 Mark Smith
Interesting that, you know, deep fakes there. I don't know if you've read the book called AI21 by Kai-Fu Lee, where he gives 10 visions of the future, right? And he says deep fakes are going to be coming deep mask. And the only way to compete against it is we're going to need software that identifies the fakes because they're so good. And it will be back to the antivirus days of where did you get the latest build overnight to intercept because everything is going to look so real, right? People's avatars, everything now digital. You can't tell the difference pretty much to the human eye. And of course, when we move that to identity theft and the scale of how big identity theft is growing in a AI digital world, I think it's an interesting topic for today. But before we go there, food, family, and fun, what do they mean to you?

00:02:06 Aaron Painter
I'm gluten-free. And so I found that is a slightly restrictive thing. So anywhere I go and fun, actually, I would jump to that one, which is travel. And I just love traveling to new people and cultures and exploring new ways of doing business. But often one of the first things when I go somewhere new is finding the gluten-free establishments. And that used to be a really healthy thing because it'd keep you away from sweets and baked goods. And unfortunately now there are so many amazing gluten-free things. You just find better and more creative bakeries and pasta and pizza joints and the like. So I love doing that. My family's spread out mainly all across the US. So I feel like I'm constantly traveling to see them and be at family events and just show up for the people I care about.

00:02:47 Mark Smith
Amazing, amazing. Gluten-free must be difficult. It just, it's permeated our diet so completely, right? Anything with wheat or I don't always think it was a thing.

00:02:56 Aaron Painter
I actually think somehow the food supplies have just gotten worse. And so as a result, I mean, gluten free, I don't think it was a challenge 100.

00:03:05 Mark Smith
Years ago, because I don't think the food supply... GMOs, right? They reckon a 13th chromosome or something came into the wheat strand that was never there as a GMO byproduct, which is why we all get fat as well. In modern day eating, where, you know, that wasn't around in the 1950s and before type thing. the obesity and stuff. So interesting. Now, just to wind back time, 2016 was a time that comes to mind for me. I was in Toronto, Canada, for a Microsoft Partner Conference. And at that event, I won Global Partner of the Year for Crime, Safety, and Justice for a big project I did in Australia with Border Force. That same night, I was awarded Reseller Partner of the Year for Greater China. And this is for work we're doing in Hong Kong at the time. And at that point, you were leading that kind of charge across China for Microsoft, if I remember right, in that business application space.

00:04:05 Aaron Painter
Yeah, that's right. That's right. I was at Microsoft 14 years, the last five and a half of which were in Greater China. I spent two years in Hong Kong and then three and a half in Beijing. And yes, I remember that fondly. I remember that partner conference in Toronto. It was a ton of fun. But you super deserved. I mean, that was a huge win. We were all incredibly proud of it. And gosh, the transformation we had of that partner ecosystem, particularly in Hong Kong. In Hong Kong alone, we had something like 2,000 partners. So your winning was not a small feat. It wasn't like there were a few partners in that little territory. It was a big deal. So congrats again on that.

00:04:38 Mark Smith
Did you spend much time at the Hong Kong Jockey Club?

00:04:40 Aaron Painter
Some. I think particularly, there's seasons of the year when the events there are bigger and more popular. And obviously, the Jockey Club is actually a very big Microsoft customer. So we did a lot of fun stuff with them.

00:04:51 Mark Smith
Yeah, as in they hosted us, like they were brilliant. As in, I don't know, coming up from Australia, because I was working in Australia at the time, just they treated you unbelievably good, the clients. And I mean, the big awarded contract I got there was Mitsui Ocean Liners, one of the largest, top 10 largest shipping companies in the world, where we built a full dynamics shipping management logistics system, which is what that award came off. And then But Hong Kong's an amazing city, right? I know it's changed a lot, I understand now, and that was 2016 was the, I went there nine times that year, I think, for work.

00:05:27 Mark Smith
But mate, what an awesome city.

00:05:28 Aaron Painter
Incredible city, incredible people. And one of the things I love about living there was, people associate it as this real mix of the East and the West, and it is, but the tech ecosystem in particular was incredibly local. In the finance central districts of Hong Kong, you have a lot of expats from parts of Europe and the US who worked in finance. But tech was local, and the partners' ecosystem was local, the customers and the buyers were mostly local. But that actually case study you had was an incredible one. You're doing some really impressive things in transit, thinking about Azure, or you're thinking about the CRM and the business applications components. We talked about that case study with so many other customers, they really wanted to learn about it. So it was a big deal.

00:06:04 Mark Smith
It was cool. Were you there as an ongoing, when Mooncake came into China, were you involved in any of that?

00:06:11 Aaron Painter
The code word for Azure and Azure in mainland China? Absolutely, very integral in it. And trying to bring other aspects of that suite, you know, building public cloud was the general theme in mainland China. And it was a difficult challenge, partly from data ownership rules, actually the cybersecurity rules and data sovereignty in China evolved even post us creating that. But we actually found this really unique way to position to Chinese companies who previously might have used Microsoft products, but they didn't always see the value in paying for them, shall we say. And anti-piracy was kind of the main sales motion. Public cloud changed that, right? And companies suddenly, the position that we found was sort of go global with Microsoft. And this was a period in time when many Chinese companies were interested in doing business outside China. And so working with Microsoft as a multinational cloud provider meant that they could very easily expand what they built in a local onshore version of, let's say, Azure and take that outside mainland China. And vice versa, foreign companies that were trying to do business in China could have that same sort of interoperability. And so that became a very valuable position, and frankly, is one that Microsoft still benefits from a lot.

00:07:14 Mark Smith
Yeah. Microsoft flew me there to do some training of staff. I was living in London at the time when that happened, so that was years later. Basically to pitch, because Dynamics had come on platform, power platform, some elements. It was still cool, like we were still using the code word, as you can see back then, but it was the Azure equivalent. But I couldn't believe it, the building that we were in, there were 10,000 Microsoft employees in it in Beijing. It's not small, the presence that Microsoft has there.

00:07:47 Aaron Painter
Yeah, give or take. It was a large number, shall we say, and partly it was not only sales and marketing, but it was also R&D. And Microsoft's largest R&D site at the time outside of the US was in China. And part of that was, as Microsoft's strategy often has been around the world, there are companies that can benefit from the software. Japan was kind of Microsoft's first subsidiary when it's been global. I spent a lot of time on helping take Microsoft into new countries around the world. Actually, ultimately, we opened up in 31 new countries, think Sri Lanka and Bangladesh and Brunei, or same in Central Asian Europe or Southeast Asia, the Caribbean countries or parts of Africa. But going to new markets, meant a lot of things in how you would adjust and be present there and work with local partners and work with the government. And in China in particular, that was a really big effort, but China had R&D and moving was not only into a country was not only to access customers and bring them product, but it was also to access talent. And I think Gates and others in the team very early saw that the computer science talent would be sort of in high demand around the world. And Microsoft wanted to be closer to where that talent was so they could live and work and contribute. And China still has an enormous quantity of engineers. And Microsoft wanted to have access to that engineering talent.

00:09:03 Mark Smith
Yeah, yeah, makes sense. Tell me about what you're doing now and particularly how big is this problem of identity theft and how much is it growing now that AI tools probably enable a level of sophistication never been seen, like never seen before? And like the last kind of touch point that I have in this space was in Microsoft bought a company called Nuance, which had a whole bunch of biometric audio fingerprinting, right? So you called into your bank, you would, through the conversation, they would give you a green light would come on the screen and go, hey, that is Mark calling in, or that is Aaron calling in. And Microsoft has switched it all off and walked away from it. And the reason is, because AI can outsmart voice fingerprints now.

00:09:53 Aaron Painter
Yes.

00:09:53 Mark Smith
No problem. So tell me, how big is the problem? And then let's talk about Nametag.

00:09:58 Aaron Painter
Yeah, the other problem I think is become significant. You were challenging me a little bit, I think when we were doing the prep call for this, comparing the cyber crime market, I think to the size of Germany's GDP. And by some accounts, the cyber crime market now, 10 to $12 trillion would be sort of the third largest economy in the world after China and the US. And so it's significant, but even more so the growth rates are 10 to 15%. So in dollar terms, cybercrime itself has obviously become massive. But this world of generative AI, I often say, has given superpowers to bad actors. And it essentially made it incredibly easy for bad actors to go and impersonate someone else. And in the world of security and the world of account security and digital accounts that we all live by and that are so critical to certainly our work, but also our personal lives, this concept that you can simply pretend to be someone else has simply gotten too easy. So your Nuance example is a classic one. In fact, their product marketing lead is our product marketing lead. He joined us sort of at the time of the Microsoft acquisition and knew the space well and educated us on it really well. But the challenge, even let's say that if that technology worked perfectly and never encountered audio deepfakes, the challenge around those things often was that moment of provisioning or enrollment.

00:11:13 Aaron Painter
And so let's say that you had an existing account and you called your bank and they said, hey, would you like to sign up for our voice authentication service? Great idea. But you're relying on them having asked, let's say, security questions to verify you before they pass you over to the voice authentication servers to sign yourself up. And so at that point, you run into this provisioning risk. Had you gone into a physical branch, perhaps, had you shown your government ID, answered questions and other things, and then enrolled, let's say, in the branch in that voice activation service, you wouldn't have the provisioning risk. But the fact that most people do it in a remote context, means that the risk is simply present. And that's the case with enrolling, let's say, a new employee today in multi-factor authentication or a customer in a new account. Too often, we don't necessarily know who we're provisioning, let alone who might call to say that they are locked out of that voice activation, that voice service or MFA.

00:12:02 Mark Smith
So what are you seeing kind of in the market of, I'd assume when you go and talk about your service, like all good selling, we start with Let's talk about the problem, right? And we uncover, I know the recent two cases that I was closest to in Australia was a big medical company that they got ransomware into their environment and they didn't take it seriously. And that resulted in massive damage, like a massive amount of Australian people's passports, bank accounts, all sorts, all leaked online. They had to go and issue new passports. The ramification was massive. And then one of their telcos got the same deal. Massive implications of identity theft at a large scale. So what stories are you seeing in the market in this space?

00:12:58 Aaron Painter
I think in the US in particular, one of the things that most puts on people's radar was this bad actor group known as Scattered Spider. And Scattered Spider got most active in the last two to three years through using social engineering techniques. And increasingly, Scattered Spider is teaming up with various different groups over the last few years that once they get in using social engineering techniques, they then team up with others who might do ransomware or extract other valuable information and go out and try and sell that data or hold the company sort of a hostage by locking down or encrypting the data. MGM, in this case, was a US casino hospitality in Las Vegas, and they have many, many big hospitality brands. And essentially, someone called the employee IT help desk, and in about 8 minutes, was able to answer the security questions that the person asked. They called the help desk and said, I am an employee and I'm locked out of my account. Very standard thing. Turns out, half of calls to employee IT support desks are people that are locked out of their account or having some sort of account access issues.

00:13:57 Aaron Painter
Typically, that means they got a new phone, they upgraded their phone, something changed, their authenticator app isn't working. Common scenario. So then you have this help desk worker who is theoretically the business because they like helping people, but they instead have to become identity interrogators. And they have very limited tools typically to interrogate or interview this caller to say, are you the rightful account owner? In MGM's case, they had limited tools. Eight minutes later, they answered the necessary questions. reset access, and then they were sort of on their way and they were able to immediately go into the account and access, eventually deposit ransomware, but essentially shut down MGM and hold it hostage for a matter of weeks. And that was sort of this wake up call for many folks to say, this doesn't work. The methods of recovery, the methods of account access are simply too fragile and they need to be more resilient. In the US, 60 Minutes, the big public news show went and did a series on this. And from there, the bad actors in Scattered Spider in particular just continued sort of on a rampage across the Fortune 500, across companies of all size. And they waned a little bit. They had some arrests. They got back active again. And then it was really only a couple of months ago in the UK when Marks and Spencer sort of became the next very public victim of the very same kind of attack that brought back to the UK. And now we're seeing this just happen sort of around the world. So Scattered Spider kind of brought notoriety into one of these first, most obvious methods of attack, which was this, we call social engineering at the help desk. Someone calling, impersonating, let's say a rightful employee, ideally one who has privileged access accounts, and being able to then reset their MFA and access the accounts from there and sort of cause damage.

00:15:34 Mark Smith
Yeah, that MGM one was a big one because I was going to Vegas at the time for a Microsoft conference. And even their booking sites, the hotel, you couldn't book properly, you couldn't put your credentials in, find out what room, because they destroyed just so much of the infrastructure or contaminated it that it had to be switched off until it had been security cleared to go back into the public domain and stuff. So I do remember that time and just how much impact it would have had on the MGM's business for that kind of disconnect with their customer base.

00:16:11 Aaron Painter
Yes, that was significant. And so to your question, I mean, that's one of the biggest threat vectors that we've seen. The other one that's really taken off, particularly almost in the last 12 months, has been this rise of remote workers, particularly actually North Koreans. And it started when some of our existing customers called us and said, hey, this sounds odd, but I might have hired a North Korean. Is that what you mean? There's a trade embargo with the US. And it turned out actually to be North Koreans, increasingly other actors, but particularly North Koreans who were applying for remote jobs, often in IT or engineering roles. And they were getting these jobs. And their goal was simply to be on payroll as long as they could. They would interview on Zoom. They'd often be running live deepfake emulating software, so they might look or sound like someone else. They might be using sort of Gen AI tools to assist them in the interview process.

00:16:54 Aaron Painter
And they were getting hired in pretty high numbers, which is not that surprising when you think about the way that a hiring process works today for a remote employee. The interviews are conducted on Zoom. In the US, for example, you might have an I-9, which is an immigration check to see if you have the right to work. In some industries, you have a background check, which is typically running someone's social security number. But the social security number matches someone else, or it's a very, it's organized around compliance, regulatory compliance, checking the box. It's not as a process for security. So once HR goes through these things and they say, okay, you're hired, they then sort of issue a work order, typically for an IT worker, and someone in IT has to create and provision credentials for an account. And then they e-mail that person's Gmail or Hotmail account, welcome to the company. Let's go set up your password. Let's go set up your MFA.

00:17:46 Aaron Painter
And if you have the wrong worker, or you have a worker who hasn't been properly verified at that moment, you are essentially inviting that bad actor or that impersonator into your corporate systems. And so the whole infrastructure of how we've done this is based on a trust model that simply doesn't apply in this world of Gen AI.

00:18:04 Mark Smith
Yeah, it's interesting you talk about onboarding, because recently I was onboarded to a Fortune 100 company's infrastructure as an external contractor. And part of the process is I had to, one, on my iPhone, I had to download the VPN software to start with, and then I had to download an app off their kind of corporate app store that opened up a video session with my hiring manager in the business, and they had to answer at the same time. And they had instructions on screen about how I had to move my head, a whole bunch of things to absolutely identify that this is the person that you are hiring right now before it activated my e-mail, my login credentials, and access onto their corporate environment. So I mean, and that was the first time I'd seen that level of rigor being that I'd worked for this company for the last 10 years at different times and never gone through that type of rigorous process. What's Nametag doing in this space?

00:19:11 Aaron Painter
If you think about it, that response is sort of the recommended response from Microsoft, from companies like Okta and others. In fact, Okta, who's fortunate their systems were used at MGM, their CISO in the wake of MGM came out and said, hey, we recommend you do what they call visual verification, which was get on a Teams or get in a Zoom call and have some sort of conversation to verify who the person is, maybe ask them to hold up some form of identification in the process. And that was considered sort of and is sort of the gold standard for everything but being in person. The challenge with that is that it's incredibly time consuming. You're right, the manager had to answer on the spot at that moment. A whole bunch of factors had to line up. And even if they did, then you enter the scenario that we saw, coincidentally also in Hong Kong, to our conversation earlier, of the sort of the CFO scam that became very common about a year after MGM, where you had a finance controller who was based in Hong Kong, and you had a CFO who was presumably based in London. And there was sort of essentially a scam. We can go into the details of it. But the CFO said, hey, I need you to do some wire transfers. The controller was rightly skeptical. And the scammer said, hey, a bunch of the leadership team were on a video call. Here's the link. Why don't you join? The controller joined the link, saw faces on the screen and voices that sounded like other members of the leadership team, and then approved what eventually became a series of up to $25 million in wire transfers. Wow. And the takeaway though, which is so fascinating and actually mind boggling because it's so hard for all of us to sort of accept where I don't think we want to, but the camera that we have on our laptops that we rely on for the integrity of those video calls is physically not connected to the TPM with the trusted platform module chip in those, let's say a laptop, like the fingerprint reader might be. 
And so we think of it as a secure capture channel, but unfortunately it's not. It is susceptible to manipulation. And so if you were a bad actor, you would simply modify the BIOS on the computer and say, pretend it's coming from this computer's webcam, but really, I'm going to have an external piece of software that's giving you a real-time deepfake. And so the idea that we can actually not trust anymore what is coming from those cameras in a video call like that is just mind-blowing because our whole digital environment of working remotely implies a degree of trust, being able to see and hear people to the degree that we're used to in person. So this breakthrough, this sort of insight to your point, was sort of what led us to think about things differently at Nametag. And what we realized is that for many years, people had been able to do a remote identity verification flow. Typically involved show a passport, show a government ID, and take a selfie. The challenge was that had always been 100% in a web browser, on a desktop, or on a mobile device using sort of insecure methods. So our big insight was, what if we recreated that experience, but did it exclusively on mobile, and exclusively on mobile in such a way that we could benefit from the cryptographic, we call it attestation, that happens on mobile devices, which allows us to have a degree of confidence that the device itself, the cryptography on, let's say, an Apple iPhone, has not been broken, that the app that we're deploying, we have some novel ways to deploy that app that don't require much effort, but the app that we're speaking to is speaking to the cryptographic secure enclave in the device. So therefore, the evidence that we're collecting through those cameras and other sensors can be trusted. And if we can trust the evidence collection, then we can suddenly open up this identity verification flow that had traditionally been for regulatory compliance.
We could suddenly extend it to these security and high assurance use cases. That was our big insight. We said, let's find a way to do identity verification in a secure way. And then candidly, we didn't really know where to apply it. We said, gosh, everyone's going to need this. Dating sites, the fact that you sign up with your Facebook or email and you hope to build trust with someone, you meet them in person. You don't really know who you're meeting. Wow, what a perfect use case. These companies all loved the trust and safety angle, but they weren't ready to buy. And so it was one of our earliest customers, which was the CRM and marketing platform in the US called HubSpot. And the CISO at HubSpot had a different angle. He said, we've been rolling out MFA on our customer accounts and an effort to keep our accounts more protected, but people get locked out, as we know. And so they call our help desk, help desk doesn't know who it is.

00:23:21 Aaron Painter
So our first product began a solution for help desk to be able to send a verification link to someone who called and get back the sort of high assurance outcome. It worked really well. Then they said, hey, well, can we automate this? And so what had always been sort of a forgot my password button had to go away in the world of MFA, and HubSpot was able to bring it back. So now there's a button on their website, can access my account. Two choices, contact support, takes 48 to 72 hours, or use Nametag and get right back in. Nice. And that just sort of expanded from there into more things. And HubSpot actually was pre-MGM, they were very wise. And they said, hey, we're worried about protecting our internal, our employees too, our IT help desk. And that's when we did the same thing for their help desk. And then we realized together that over half of their help desk tickets were people who were locked out. It was expensive, employees were frustrated having to call for IT help, and it was not secure to begin with. So we said, let's wrap around Okta, let's wrap around Cisco Duo, let's wrap around Microsoft Entra. And let's simply close a gap that exists, which is that the recovery process for those things, if you're locked out of MFA, is insecure. And we could bring a level of high assurance to security to complement your existing Entra deployment, but fix this issue first of recovery, and then what also became help desks, and then more recently became also this idea of credential provisioning for new hires. That's what we're up to at Nametag.

00:24:42 Mark Smith
Incredible. And just that speed, 48 hours opposed to let's do it instantly is amazing. No one wants to be locked out for 48 hours when you've got urgently something to do. And HubSpot's a big, big brand, right? As in they really, in the last, I suppose, 10, 15 years grew massively and became a well-known brand and market. You mentioned Entra ID. SAP two years ago moved all their authentication model across to Entra. I assume, and this is me being so deep in Microsoft and not other ecosystems, but I assume Google and AWS have their own identity platforms as well, or tooling, equivalent to Entra.

00:25:24 Aaron Painter
To slightly different effects, particularly Google, I think, in the workspace domain because of their email services and the document access and things like that, particularly them, yes. But often with a different demographic, different size businesses, typically less larger enterprises and still more small and medium sized businesses.

00:25:40 Mark Smith
And so that Okta, I hadn't come across that before. Is that owned by any of the big providers or is that just an independent company that specializes in that space?

00:25:49 Aaron Painter
They're an independent and very large and very popular company. I would say that they have, they might have other views, but one of the things that I think really accelerated their success early was in Office 365 and in Salesforce. And they said, hey, your users need to access multiple web-based systems. You need to think about how to make that access easier. They, in a way, started with a wraparound strategy as well. And then they grew into really being incredibly dominant and mainstream identity provider today. They're publicly traded. And I'd say many, many, many of the largest and kind of most forward-thinking companies that you might run into are often using Okta, but potentially also Entra in different parts. Many people run multiple directories. In fact, another surprise for us. But Okta has become a very successful company.

00:26:35 Mark Smith
Yeah, so let's take Entra ID with Microsoft. Let's say an organization is running that at their authentication layer. How hard is it or how easy is it to onboard with Nametag, get this level of secure? Is it like a six-month project? And I suppose the other little element which I'm always interested in is what's the change management process that you need to take people on to this new way of doing things?

00:27:05 Aaron Painter
It's like your memories of the CRM days and rolling out CRM systems. That's right. One of the biggest things is change management. Technically, you're able to go in and sync your Entra directory, and then it's this question of how large directories and how long that takes, hours to maybe a day. The directory is synced. We innovated with some really... clever methods of data storage, giving companies enormous choice, whether they hold the data, let's say that's collected from an employee called the PII, the government ID or the selfie, let's say in their own Azure storage blob or not. A lot of selectivity choices there. And even ways for them to, for enterprises to hold the credentials and the actual admin keys so that, let's say, Nametag isn't holding those. But you sync your directory, and then you're able to immediately roll out a self-service microsite. And so you then have a tool in place for your help desk team to use instantly. And you also have a tool, a way you can guide your employees to go into a self-service microsite. They type in their email address, and then they're greeted with an identity verification flow. And then we basically surface the Entra or the Okta or the Duo or the multiple Entra, however many directories you might have, the options for them to reset their password, or more importantly, to reset their MFA, which is really where Microsoft's default options on these was often SMS-based. Increasingly, there are some other options they've considered and that they've deployed. But the challenge is that the recovery key lives in your 365 instance. So if you are unable to access 365, you can't pull that recovery key back down from the cloud, which is why you have to lock out. Yeah. And so having a new way to do that, that allows us to meet the security requirements you have, and frankly, just coexist, is an incredibly quick rollout. And it's one that the biggest focus then becomes on how do you explain this to employees?
How do you answer questions they might have around data governance or data privacy and how thoughtful that is? But it's become an incredibly efficient rollout. And we're seeing many of Microsoft's own subsidiary companies using us to complement Entra and some of Microsoft's largest global Entra customers using us today.

00:29:03 Mark Smith
Yeah, awesome. You've mentioned MFA a few times then. What about Passkey? How does that play into it?

00:29:11 Aaron Painter
Passkeys are a great advance, but I think there's a little bit of a misnomer often that we think of passkeys as, we say passwordless, and people jump to mean, I don't have a password anymore. The crude reality with passkeys is that you still have a password assigned to your account. You often provision one in setup, and you often use it in case you are locked out of your passkey. So passkey can make it easier to sign in on a given device without having to type in that password, but your account still has a password. And you run into the same challenge where, yes, you might get locked out of a passkey and you go through recovery flow, but also someone else could be impersonating you and call and say that they are locked out, or they got a new device, and therefore that passkey isn't working, and therefore they need to reset their password or reset MFA. And so, you know, passkeys are an incredible advance for many things, but they are not, unfortunately, a full replacement for passwords, and they have not solved this either provisioning challenge of a remote person knowing who is enrolling that passkey, or the recovery challenge when someone is, or is claiming to be, locked out.

00:30:13 Mark Smith
I wasn't meaning that is this an alternative. I was meaning does your tool work with Passkey as well?

Aaron Painter
Yes, very much so. In fact, there are other new players like Beyond Identity, who we've done some really interesting partnerships we've recently announced, and they're a very innovative player in what was initially the Passkey space, and they've taken that to new heights. But Beyond Identity, for example, is now using us fully and exclusively for provisioning and recovery of their Passkey infrastructure.

Mark Smith
Yeah, nice. Before I let you go, what are your thoughts and what are the impacts in what you're seeing outside of identity theft, AI-powered, empowered identity theft? How much do you think AI is going to change the game in your space outside of the bad actor sector? As in the way or the way we interface for business, from what you're seeing, out the field market, that type of thing, what are you seeing and what are your, what's hype, what's under hype, what do you think?

00:31:14 Aaron Painter
Yeah, I think AI has many wonderful benefits and it's a broad concept, but it's given rise to bad actors being able to use that technology. We see it most relevant in this ability to create deep fakes, but also to use the power of LLMs in really new ways. And there was this recent Claude AI-powered cyberattack that got some news about a week ago, where it was fascinating. I won't even fully do it justice, but the bad actor used Claude for many aspects of the attack. They used it to identify companies that would be good targets. They used it to identify their attack methods. They used it to extract the data that was eventually taken from the company. I mean, all aspects. And you see the same thing with Gen AI tools in social engineering attacks, because suddenly I'm able to write really good scripts. I'm able to use my intelligence from previously leaked information and know, I can call your help desk as an employee, but I can get this service often as a subscription from other bad actors. But I can call out of the box, I can use the buzzwords, the acronyms, the language of you, the teams of how you're structured as a company. I can reference the company values. I can use all, it makes it so easy. In fact, one thing is, surprisingly, it's almost easier for the bad actors because they know exactly the game they're playing, they actually get faster and more efficient, easier help desk support than maybe the employee who can't remember this or it's a challenging question for them. And so I think we're underestimating how significant it is, the LLM-powered technologies that we're giving bad actors and the ability to use deep fakes in these flows. And it is a fundamental gap and challenge in this world of AI that we don't necessarily know the human behind the screen. Are they human and let alone which human are they?

00:32:53 Mark Smith
Yeah. Aaron, it's been great talking to you. Thanks for coming on.

00:32:56 Aaron Painter
Really enjoyed the conversation. Thanks for having me, Mark.

00:32:59 Mark Smith
You've been listening to AI Unfiltered with me, Mark Smith. If you enjoyed this episode and want to share a little kindness, please leave a review. To learn more or connect with today's guest, check out the show notes. Thank you for tuning in. I'll see you next time where we'll continue to uncover AI's true potential one conversation at a time.