It's a big shame what has happened in the zero-trust movement. I like this approach to AI-based authentication, though I am sure it will take some time to perfect. Makes me think of banks and their risk management approaches. Love that you raised them here.
Aside from bad movies where they cut off your finger to access your safe or gun, I am all about the biometrics here. I think it's a huge win for authentication.
We're at about 80% on "known", this is applying it at a 20% level. I THINK there's real value here, but I'm still figuring out how to implement it at the SA level or if I just open source the methodology and SA uses it.
OMFG. Again— _again_ — you’re breaking new ground. The biometric ID always has a problem that you can’t change your iris, fingerprint, or face—but they could be cloned.
This is something that could truly change how we secure everything.
Thanks dude. I'm running hot on "friction is auth" and "profile could be public/public, but the friction from the profile can't be faked" type spec.... CONSIDERING open sourcing the methodology. It's reuqire echo/SA now but only because no other system can build profiles yet.
The distinction you're drawing — "data is not pattern. Knowing about someone is not being them" — is the right place to draw it.
There's a layer the Known system can't capture from behavioral signal alone: counter-default commitments. Things the operator has explicitly decided that run against their natural behavioral pattern.
A Known layer built from accumulated session behavior would authenticate reliably as me. But it would authenticate the version of me that does what I usually do. The explicit encoding layer handles the deliberate departures — "in this class of situation, don't do what I typically do." Those commitments don't appear in the behavioral baseline because they're specifically designed to override it. The operator who commits to a hard constraint against their natural tendency looks identical to the unconstrained operator in behavioral signal.
Authentication and governance are different purposes. The fourth factor proves identity from the behavioral layer up — who you are. Explicit encoding handles commitment — what you've decided to be. Neither substitutes for the other, and the gap between them is exactly where an impersonator would be most likely to succeed: not at the behavioral layer, but at the commitment layer, where the behavioral record goes quiet.
It's a big shame what has happened in the zero-trust movement. I like this approach to AI-based authentication, though I am sure it will take some time to perfect. Makes me think of banks and their risk management approaches. Love that you raised them here.
Aside from bad movies where they cut off your finger to access your safe or gun, I am all about the biometrics here. I think it's a huge win for authentication.
We're at about 80% on "known", this is applying it at a 20% level. I THINK there's real value here, but I'm still figuring out how to implement it at the SA level or if I just open source the methodology and SA uses it.
OMFG. Again— _again_ — you’re breaking new ground. The biometric ID always has a problem that you can’t change your iris, fingerprint, or face—but they could be cloned.
This is something that could truly change how we secure everything.
Thanks dude. I'm running hot on "friction is auth" and "profile could be public/public, but the friction from the profile can't be faked" type spec.... CONSIDERING open sourcing the methodology. It's reuqire echo/SA now but only because no other system can build profiles yet.
The distinction you're drawing — "data is not pattern. Knowing about someone is not being them" — is the right place to draw it.
There's a layer the Known system can't capture from behavioral signal alone: counter-default commitments. Things the operator has explicitly decided that run against their natural behavioral pattern.
A Known layer built from accumulated session behavior would authenticate reliably as me. But it would authenticate the version of me that does what I usually do. The explicit encoding layer handles the deliberate departures — "in this class of situation, don't do what I typically do." Those commitments don't appear in the behavioral baseline because they're specifically designed to override it. The operator who commits to a hard constraint against their natural tendency looks identical to the unconstrained operator in behavioral signal.
Authentication and governance are different purposes. The fourth factor proves identity from the behavioral layer up — who you are. Explicit encoding handles commitment — what you've decided to be. Neither substitutes for the other, and the gap between them is exactly where an impersonator would be most likely to succeed: not at the behavioral layer, but at the commitment layer, where the behavioral record goes quiet.