¶ Introduction and Greetings
This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh. Not so bad yourself, I'm. Doing great. We're here at Authenticate 2025.
¶ Highlights from Authenticate 2025
You know, the vendor halls, like it's a smaller vendor hall, but it gives you more time and more ability to focus. And one of the coolest things I saw was the FIDO booth, right? And they have on the FIDO booth these fingerprints on like pieces of gum and stuff like that. And they also have like this face mask. Wait, wait, wait, wait. Fingerprints on gum? That does not sound. So it doesn't. Sound healthy? And it's not modern, right? But the idea is like 3 years ago.
These are the hacks you were looking to prevent. Right. And they're. Like put a mask on and pretend you're somebody else. Or you could do some kind of wamboozle with fingerprints and gum, yeah. Walk up here. Can you put your thumb in here please? Yeah. And with AI the deepfakes are a whole new world. So really I think that's kind of at the heart of where this conference is right now. It's like those masks kind of like brought you back three years, like that's where we were.
Where we are today is AI just does that. And if you're not on technology that can prevent that, well, you're not in a good place. I don't think we can prevent it. I think the best you can do is to hope to mitigate it to some degree. But there will be. Yeah, it's getting easier to do AI stuff. I thought for sure you're going to bring up FIDO Feud, the
¶ FIDO Feud Rematch Discussion
rematch. This is the first time we're actually, like, talking about it. That was a real highlight. A tie. Well, do we want to give it away or we're going to release? The episode, it'll be an it'll be an episode, Yeah. It'll get out there at some point. And it is a tie. Yeah, it ended as a tie, which I thought was there was some. Questionable judging, I'm not sure who is behind the scenes like pushing all the buttons but
whatever. Yeah. So how do you feel about like the match because you were down and then you got up and then it came down to the last question and literally ended up with a tie for points I. Was happy with the way it went. I thought one of the cool moments was that someone had answered something and the judges like gave that person credit and the audience booed. And that told me like, oh, people really care. People are actually booing what's going on?
Like you have to care. It's not just polite clapping. Yeah, I know. There were boos, there were cheers. It was those interesting. I think it sets up, you know, FIDO Feud, the rematch of the rematch 2026, Yeah. So, you know, a year from now, maybe we'll have settled it. From now, though, Megan gets to keep the you know, the necklace with the. The tiniest trophy ever. Yeah, I could have fought over it. But, you know, I mean, I probably would have lost it and
then felt like a real jerk. So you know, it's better staying with her. Yeah, no, it was a good time. Happy we were able to come back and do it and hopefully get invited to do it again next year. But I just figured, like, this is the first time we've had a chance to like, sit and talk about it. Great moment, great conference, having a great time, Yeah. So let's see, we're at Authenticate 2025 and we have
¶ Guest Introduction: Tina Srivastava
guests today. Let me get my notes here. Tina Srivastava, she's a PhD, ID Pro board member and the co-founder of Badge Inc. Hope I got all that correct. Welcome back, Tina. Hey, great to be back. So I always enjoy our conversations. We actually met, I actually met Tina for the first time here two years ago, three years ago. It was like the food truck year, I think, or one of the food truck years not doing anything
this year. And so we were sitting down at a table and she's kind of tell me what you worked on and now you're part of ID pro. But let's talk about
¶ Conference Insights and AI Challenges
Authenticate 2025. So you're here at the conference, like what do you think about the conference? How's it going for you? Any highlights that you want to bring up? Yeah, it's great to be back and we're back here in Carlsbad. I started coming to Authenticate back when it was in Seattle, but now I think we've really filled into this location. People have a regular routine
and flow. And yeah, I think there's a lot of great sessions really checking in on what is the regulatory environment like, how are things getting accepted, how are we getting adoption, what are the challenges that we're facing on the privacy front. So all the real topics. And of course, just what you were talking about, how are these attacks evolving? How is AI supercharging these attacks? And it's even more critical in this world of Gen AI to ensure authenticity.
And I feel like it's a practitioners conference. It's not like just all technology vendors kind of looking at each other's technology. Like there are actual practitioners here looking for solutions to real world problems. Oh yeah, absolutely. In fact, on my session later today, we're going to have Bill, right.
So bringing such a depth of experience from USAA Bank and talking about having to overcome the challenges of implementing consumer-facing authentication authorization for members that in that case of course there are a lot of service members. So how to deal with the challenges of not necessarily being connected, moving across different devices, being a submariner and being completely out of contact for nine
months, right. How is that, how's your fraud risk profile going to really characterize that? And then of course, the work side where the workforce and we're seeing more and more challenges with again with the just supercharging of AI attacks on these individuals and trying to get gain access, elevate privilege. And so absolutely, seeing the practitioners out there dealing with the onslaught of threats. So is that spoiling it?
Because by the time people listen to this episode, it'll be 3-4 weeks in the future probably. Is that the talk you're giving? Is there more you want to share? Like for people who maybe for people who aren't able to be here at Authenticate, right? Either it's on site or on a stream like. What is the gist of the conversation that you're having there?
¶ Regulatory Environment and Passkeys
Well, the reason that we came up with, we as an industry came up with synced passkeys was because. We were sort of between a rock and a hard place with how do we overcome account recovery? How do we overcome people switching between devices? And the idea that your private key was bound to your phone was simply too restrictive to meet what most users needed. And so synced passkeys were
supposed to be the way forward. But the security questions that it opened up data provenance where, you know, key provenance and if I could just AirDrop my key to you, then we where you know, how can we really rely on this passkey for security? And NIST brought up a lot of questions around if we don't have user verification at the time that we're using the passkey, then how do we know, you know, is it Jim or Jeff
that's using this passkey? And so what we are unfolding on stage with Bill as well as Pedro Martinez from Thales, also a depth of experience in the financial regulatory banking area is how are regulators seeing this? And in fact, what we're seeing is that the payment providers are just going backwards and they're saying, OK, if we're using a passkey, we're going to have device binding, which is sort. Of like the opposite of why did they even go to passkeys in the first place?
And so it really brings to focus how important resolving account recovery, moving across devices, how that all is, because if you have your passkey on your phone and then you don't have that phone, now all of a sudden you're falling back to insecure methods. So if we can really close that gap and make it possible to recover your account on a new device, get a passkey when you cross, you know, Google, Microsoft, Apple, that's really going to be critical.
And so that's the path forward that we discuss. So, right, you mentioned regulators and you know, my mind, regulators are notoriously slow at keeping up and catching up to where things are at. How do we talk to regulators? And I know you've got experience talking in front of Congress, and I just wanted to say that, right? But how do we talk to regulators to say, look, this is where we need to be and this is why it's secure and sort of, you know,
make them comfortable with it? How do we make that case to those types of folks? Yeah, that's a great question. And yeah, thank you for bringing it up. It was great speaking to the bipartisan Congressional AI Caucus. And what we've seen is that policymakers are receptive to understanding what are the threats and the challenges coming about today.
And unfortunately, we don't really have a choice but to, you know, we don't have the choice to stick with legacy methods because they're not sufficient to protect us from the next generation of threats. I mean, let's just take phishing
¶ Phishing and AI Supercharged Attacks
as an example. Phishing has evolved from something that you could train people to be able to detect, right? You know, misspellings in emails, awkward phrasing, not really expecting that e-mail. And so you could train people not to click on certain types of links. And even if you did have a very effective phishing campaign, it took a lot for those attackers to tailor it, to really customize it into something that might be successful. Well, what about AI, right?
So now you can at a mass scale, tailor, customize, improve your phishing emails and make it that much easier for people to click on these links. We've made QR code, something that even a QR code. I mean, look on this water can behind you, Jim. There's a QR code, right? People scan them anywhere, everywhere and. And it's the same thing as clicking on links and so we've
really seen, I mean, that phishing in the world of AI has just become supercharged and so getting towards phishing-resistant authentication is absolutely critical. Well, it's, it's, it's, it's inherently convenient to have a QR code, right? And then, but it's also makes it really convenient to drive by malware. You don't know what you're
scanning. I remember, you know, originally when we were seven, several years ago when we were doing the podcast, you know, we did like a TinyURL and we got a lot of blowback from the information security group is like, don't use tiny URLs, don't use URL shorteners because people want to know what they're clicking, which, sure, OK, Yeah, totally makes sense. Yeah, yeah, yeah. But we're doing the same thing with QR codes. You don't know what you're scanning, right?
And they're all over the place. And how do you trust something like that? I always point back to the Nigerian Prince who used to be, you know, very, very poorly educated from like an English trans, you know, perspective to send those emails to people. But now there's no
differentiation. It's super easy to create something that is targeted in the right language, the right tone, phonetics, audio, visual, all that stuff is out there and, and understanding the provenance of where does that piece of information come from? Can we trust it? Like obviously I know you're here, right? But if someone's watching this, like could easily, you know, be a digital fake of you, right? I don't know how we get past
that other than education. And do we need regulators to talk through like, OK, is it like a watermark on digital? How are you going to explain that to, you know, Jim, your dad, we always put, you know, point to is like someone who's not up on the technology side. Well, you got to look for the watermark. Now you got things like Sora 2, which is going absolutely nuts stuff. So it's a very interesting time that we're living in right now.
Yeah, And I think the watermark analogy is very apt, because really, that's what a digital signature is, right? It's a watermark. And if every person had their own cryptographic key, then you could assert that at least this content, this message, this post is really coming from me. And no one else could pretend to be me or impersonate me. And that's really what's necessary in this world of Gen AI. How can we have authenticity?
How can we really know that you are you in this world where it's increasingly a big question mark?
¶ QR Codes and Accessibility Issues
And I think the other thing with QR codes, I would be remiss not to point out because in fact the FIDO community is what brought Badge to some of the understanding around accessibility issues. So we care a lot about making sure that the product, the technology is accessible to everyone. And FIDO has a real emphasis on that. And working with that team helped us understand that, you know, QR codes are actually very difficult for people that have visual impairment.
I mean, it's just, it's just impossible even for us to line up the QR code, let alone if there's any challenge in doing that. And so being able to offer alternatives, not rely on these sort of clunky methods.
¶ The Importance of Phishing Resistant Authentication
And I think overall there needs to be this, this call we were just talking about this, this call to the community because. We're in our 6th year of the FIDO conference and yet we just saw this breach of 16 billion passwords, right. Why are we still living in this world where there's so much reliance on passwords when there has been obviously so much progress towards phishing-resistant authentication that moves away from passwords. And it's really what is what is
missing there? And is it this usability, this accessibility? How do we make it easy? You know, for for our grandparents. To be able to comfortably and easily authenticate in a secure way. So I don't think it's a
technology problem. Why does it take so long? Budgets. Like that's the number one reason I see with, you know, clients that I talk to in our day job and stuff like that, is it takes time to get that out here as as much as the work that FIDO Alliance has done, which has been incredible, right, to get large companies like Microsoft, Google, Apple just on the same page, right. Talking is heroic in and of itself. But this is still a what I see is like a bleeding edge conference, right?
We're talking about the authentication that's going to be in place in three to five years. Two to three years ago it was, hey, we finally have a standard around passkeys. Awesome. And guess what, two to three years later, you know, now I think Andrew Shikiar mentioned like billions of passkeys are out there. And so for me, I just look at it as this is a normal adoption cycle for any, any number of
corporations out there. They can't just say, OK, passkeys sound great, sign me up and implement it tomorrow. They've got to go through their governance processes, their budgeting processes and cycles. And if you don't catch it at the right spot, that means you got to wait another year to get part of that right. Unless somehow, man, money magically frees up. I'm sure economy plays a part of that. But I, I don't think, I don't
think we're behind. I think we're right where we should be given sort of that budget process that every organization has to go through. Yeah. And I agree about sort of the bleeding edge and it's, it's not just here, it's at Identiverse, right. We feel in these communities, at IIW in the room, the concepts are so clear, OK, verifiable credentials. Everybody's going to have a wallet. Everybody's going to have this zero knowledge.
Way of proving who they are to all of these relying parties. And you just have to step one foot outside that community for people to have no idea what you're talking about. What is an issuer? What is a relying party? What is a ZKP, I mean? And the idea that we're going to have the whole world adopt this when we have such foreign terminology, I think, you know, it's it's.
A little bit eye opening when you're in the in the world, when you're right among among the people that speak that language and then when you step out to see how how different we are and I think. That again, it comes back to, we can talk in our language in the identity community, but once we build something that an everyday person needs to use, it needs to be something that doesn't require anybody to know cryptography. It needs to be something where people don't even know what a key is.
It needs to be that you don't have things like catastrophic failure if you lose a device. I mean, we even see pretty regularly this concept of an emergency kit, right? You have to keep a 12 word phrase somewhere that you can't ever lose. And these things are actually pretty foreign to an average consumer that they would drive to the bank to. Put a paper in a safe deposit box just so that they can access their accounts. And so really bringing the bar down to normal experiences is
critical. Absolutely go. To the bank, that's crazy. But I also heard your points that you're making about budgets, but the bad guys aren't going to wait until you get the budget. And that's just, I think one of the positives is you're at this conference, you're seeing a lot of the big tech representation, you're seeing a lot of big tech representation.
You're seeing a lot of folks from mostly from large organizations, tech first organizations that are looking at either adopting passkeys or have adopted it, but not only adopting passkeys, but it's this intersection between identity verification and authentication that that's the real ticket, right? I'm, I'm sold on it. I mean, that is where it becomes pretty hard to hack.
Having said that, you keep and maybe this just comes down to the password is stupid, but you keep seeing these major breaches happen because of social engineering and phishing. You're just like, how are we still falling prey to the same level of attack and we were falling prey to 20, 25 years ago? Well, I don't. I don't think it's a scenario where because it's the right thing to do isn't good enough.
There has to be something to drive behavior, regulation, a breach, something like that I hate. Catastrophic event, exactly like like we asked Ian yesterday. Do we need another? Do we need another Enron? Yeah, to do something. Should it be like that? No. But those are the things that drive behavior. It's catastrophe.
Nobody just looks at it and says, well, yeah, that's great, let's go ahead and do it. There's very few companies that can afford to sit there and say, yeah, let's let's be on the bleeding edge or even the leading edge of this. It's like they're they're having to make choices. Hey, I I am a personal testament to the fact that a breach can be
motivation, right? The whole reason I got into the identity space in the 1st place was because working in national security, my fingerprints were stored in the Office of Personnel Management, the OPM database. And when OPM got breached, I was one of the six million people who had my fingerprints compromised. And so that was actually the whole reason I'm even part of the identity community, the reason we founded Badge.
I'm just very much a believer in what you said, Jim, that a breach can be a motivating factor. And in fact, we see that a lot. We see people joining the identity community after a breach. We've seen members of ID Pro join because they had experienced a breach and now there was a double down in effort around doing this. And these breaches will continue to happen as long as people continue to use passwords, stored credentials. These are just ripe.
Honeypots for breaches and I do actually think regulation has moved forward quite a bit. I mean, even in the last six years since we're reflecting on it, the Biometric Information Privacy Act has gone from sort of being non-existent to having the first trial cases with BNSF railroad going to trial talking about, OK, hey, these employees and workers were storing their biometrics in a database and, and what are the
privacy implications of that? What were the, the rights of the users and seeing these very large settlements come out of that, that OK, this is actually something we really need to pay attention to. We've personally seen that really making a difference with people questioning that hey do. We. Need to store biometrics? Is that in compliance with the Biometric Information Privacy Act? Texas now has a very similar
legislation, CUBI, and it follows some very similar aspects of BIPA from Illinois. And you can see, for instance, Facebook at the time, now Meta, getting a massive lawsuit from BIPA and now we see the CUBI legislation coming after the same thing. And so this legislation and regulation it is it is causing change. It is causing people to question are they following appropriate privacy practices? And in that sense, I actually think that's a good thing.
It's. It's important, it's important that we think about that. It's important that global companies think about, hey, if I build this solution, will it only work in the US or can I also do it in Europe? And I think it's actually something that helps everyone to have. Those privacy legislations and regulations, yeah. Regulate, regulation, audit, those things are going to drive it forward, but it might be at
like a glacial pace. I feel like the identity practitioners, we need to go back into our organizations. We need to beat the drum. Our organization, the way I look at it is ID Pro. You're a board member of ID Pro. Am I speaking the right language? Is that where we should be? And where is ID Pro at right now? Yeah, One of the best resources
¶ IDPro Community and Practitioner Support
of ID Pro is this ability to bring practitioners together. And in the Slack community, we actually have some real legends in the identity space that are there that have been practicing in this community at the forefront that have been some of the founders of these conferences and events and standards that we're using today. And then we also have people that have been out in the field implementing this and what's nice about the. Community is the culture is very supportive.
People can ask, you know, so-called dumb questions. Hey, I tried to implement this, you know, OIDC, the token's not working. Oh, hey, did you check the login hint? And people really coming together to help each other out. And there isn't really a financial motivation. There's just helping people out. We're all in this together. We all become safer if we work on this together and helping people understand, hey, there's this, this new technology, there's this new approach.
Have you heard of it? Oh, yeah, we're, we're implementing that now and having people be able to discuss that. Hey, we ran into this question or how did you share with your stakeholders the importance of this or even hiring that? Hey, we, we are looking for someone in this space with this particular skill set. And so it's been. Really a focal point for identity practitioners to say, hey, there's a community for you.
There's a place where you can join and talk to other people that are facing the same challenge as you are. So let me ask you some questions around ID Pro, because it's no secret, right? We're big fans of it. We're the official podcast, right for ID Pro. Lots of people who are members of ID Pro had been on the show.
If you're not a member, go out, get your membership because the Slack channel alone I feel like is worth it, whatever it is, $150.00 a year, whatever it is. So I like to bring up the Slack channel a lot as sort of like one of the key benefits and it is that community where you experience everything essentially, right? There is technical conversations. I think there's a dogs or cats of ID Pro channel as well, right? So you can kind of, you know, be amongst your own people.
As a member of the board, how often are you looking at things like the Slack channel? I'm saying, OK, yeah, this is like one of our key things. Or are you hearing it? Or are there other part? And there's other things that ID Pro does as well, right? We've got the blog, we've got body of knowledge, right, the certification, things like that.
But like, how much does like the board look at things like the Slack committee and say, oh, this is what people are talking about And how does that influence the direction of the organization? So we don't moderate the Slack channel in in a sense of kind of directing anything, but in terms of encouraging, we do that a lot. So coming up to conferences and events, it is a place where people, for instance, for this event said, hey, I want to dry
¶ Community Support and Engagement
run my talk. Can anyone do that? Same with identifiers. Similarly for submitting proposals. Hey, I'm, I'm working on a topic around this. Can someone help me crystallize it? And you'd be shocked with how many people respond Yeah, hey, I can, I can dry run that with you, you know, hey, let's meet up. And so it's it's a focal point that really just helps support people and advance them on their journey and getting into ID pro. There's also an introductions channel where people when they
first joined say hey. I'm new or hey, I've, I've been involved for a long time, but I just joined and it's great to see the reception of, hey, if you're interested in this, you should join that. There's a podcast channel where of course, identity at the center. We discuss episodes coming up on that. And it's a place where podcast leaders can get feedback too, that, hey, I'm thinking about a topic around this or here's a survey. What are you interested in?
Or of course, for identity squabble and other things. Hey, give us some feedback. 1 surveyed 100 people. Where do you get the 100 people ID pro exactly exactly and so?
¶ IDPro's Role in Identity Events
I think that where we see the thought leadership, the emerging trends actually just comes from the membership. So many members of ID Pro are actually speaking at this event here at Authenticate that speak at EIC, at Identiverse, attend the Internet Identity Workshop, IIW. And, and it just turns out that people that are passionate about identity are in ID Pro and we lead, you know, webinars, talks, we share what we're up to and people also use that community
to share resources. Hey, here are my slides from this or here's a talk I just did on this. And people are very open about sharing that content with each other, enabling each other. So it's a, it's actually, I think a core backbone of what makes the community great. It's also allowed just a, a common communication point for
people to do other things. So when people want to host a, an identity beer or a get together anywhere in the world, whether you're talking about Australia or San Francisco or London, they use that as a place to say, hey, come on out, let's let's meet up. And so we found that ID Pro is a great way to bring people together to meet other people, whether locally or around the world, that are interested in
similar topics. Yeah, if you're not a member of ID Pro, do it. Where do you see ID Pro as an
¶ Future Directions for IDPro
organization going in the next few years? So I want to kind of give, you know, the membership a sense of like what's where do where's this thing go? Because we have to evolve right with the space. Like where do you see this, this where we're going?
Let's put that here. Well, some of the core tenets of ID Pro are going to remain the same, being very member driven, having a kind of a grassroots, informal way where people can network and talk about other topics with each other, help each other out in a supportive way. Some of the things we're evolving as an organization just to become a more mature organization over time. Well, one is, you know, we have our regular board elections.
We welcome some more board members to the board, which is great. It's always great to get that new energy on the board, you know, re discuss what are our strategic priorities? What are we focused on? We're very focused on delivering value both to our members. So what? What do they see as valuable? And we asked them that a lot. What is the most valuable thing we see the Slack community come up as #1 but we also listen for what else is helpful? What could we do differently?
And then also to. Our corporate members, so we have corporate members as well, which is a big boost to ID Pro and finding out, you know, what's most valuable to them, what topics do they want to see, what do they want to be involved in and engaged in. And one of the things that we're
¶ Introducing Committees in IDPro
that I would like to announce on this show that we're doing at ID Pro is we are announcing the creation of committees. And this is a new thing. So used to be that you had to be, you know, an elected board member to serve on the board to sort of make any decisions about ID Pro.
We want to include more of the membership into the operations of ID Pro. So the board has created some committees that members who want to volunteer just like the board members to participate and get engaged can get involved. So we have, we're going to have a committee that's focused on the internal operations of ID Pro and governance, as well as on the external side and how ID Pro engages outside of ID Pro with other organizations with conferences, social media and
things like that. So I would like to specifically make a call. If you're, if you're watching this and you want to get engaged, there's an opportunity for you to do that. So please raise your hand. This is a great way to get involved. What's the timing for that? When? What are these committees going to start hitting the hitting the road? Yeah. Well, we're actually creating the kind of draft charter and purpose right now, which we hope to be formalized by the
committees themselves. So you'll be seeing those coming out just in a few months. So I'm real interested in the
¶ AI and Identity Verification
topics that we've been discussing. What's really hot here at the conference with identity verification and obviously passkeys and authentication, most tie in with Identity Pro. Like it feels like that's the community that's got to take this thing forward. Is that the context that the way we should look at it? Oh, yeah, absolutely. And I think that, you know, we were discussing sort of the evolution of how different parts of the identity life cycle are really critical and need to be
brought in together. You were just talking, Jim, about sort of the identity verification and the authentication side. And we've seen that a lot how doing sort of that selfie driver's license document authentication to initially check, hey, are you the person that should create the account and how that's merging into, OK, now have your ongoing authentication credential.
I think what we were just discussing is that also when you fall off of that journey that you've lost your credential, you've lost your password or device. And now you're starting over and ways that you can actually extend your identity to remain on that identity life cycle to persist through things like account recovery.
Because frequently even if we have phishing-resistant authentication, we fall back to very phishable identity recovery, account recovery methods that tend to go back to KBA, knowledge-based authentication. You're back to a very phishable thing, which is, you know, we talked about the MGM casino hack in Las Vegas, right? That was taking advantage of the
account recovery flow. So even if you have super robust authentication, you can have MFA set up, you can have all this great stuff, as long as you can call in as an attacker, pretend to be the user and say, oh, I, I don't have my device anymore. I forgot my password. Now you can, you know, get credentials. And so the fact that that back
door is still open is a problem. And I think as an identity community, we got to look at that whole identity life cycle and make sure that we're not, you know, just giving up on certain entry points for fraud. Because I think ultimately one of the big things we're trying to thwart with this identity world is, is the fraud side of things. I want to bring up like a big topic because I, I think everybody thinks about this in
some way. So I talked about like that face mask and the thumbprints and gum. It almost sounds comical, right? It's like, who would have ever been concerned about that? I was like 2 years ago, you know, we were talking about that like that was the deepfake of the moment. Now deepfake is AI. And it's like we think about how much geography we've covered in just two years. What's it going to be like 2 years from now, three years from now?
I had a colleague the other day saying like, well, should people move forward with like an IGA platform or should they just wait two years up? You know, ChatGPT is going to do the whole thing. How do you look at that technology? Because I'll be more than happy to share my answer, which is that you fall too far behind. Good luck catching up. You can't just not invest and then say, hey, we're just going to wait until the next whiz-bang thing comes and then we're all in.
It's like it's going to be too late. And that's not also the way it works, right? You have to keep. So that's my opinion, but I'm wondering what yours is. Yeah, absolutely. And I think I think the point is that we're seeing AI really transform the market from a lot of different dimensions. And when we started off, we were really talking about the onslaught of threats. And I think that's the reason
that you can't wait. You can't just sit around and and wait for technology to evolve because you're even more vulnerable today. And if you might have been a little bit vulnerable to like a phishing attack before, with AI, it's going to be every attack, it's going to be so easy to tailor and target phishing attacks. And so the, the age of AI really is here from an attacker and,
you know, adversary perspective. So the existing technologies that are not phishing resistant are, are not able to, to keep up. I think what you were seeing what you're talking about with the, with the masks and things that's in this category of presentation attacks. Well, here is a place where actually AI helps with AI. And so you can actually see that machine learning is very effective detecting is this a mask, a photograph, a screen versus a real human person sitting in front of me.
And so we see AI being used on that presentation attack defense side as well. And then finally, of course, on the injection attack defense, making sure that you can't be injecting an AI stream of some Gen AI version of Jim as opposed to the real person sitting there. And all of these things have to come together in a holistic solution because for for good or for bad, the world has really embraced biometrics. Biometrics are are here to stay.
We found that for users, they just find it intuitively easy. And also on the security practitioner side, knowing that you are you, that you are the person that performed that action, that you can't deny that it was you, that somebody can't be pretending that it's you. That is really critical piece as well. So bringing all of these things together is going to be critical. And I agree with you completely that. Just assuming that you're going to wait and see how things
evolve won't. Keep you protected. Yeah, the term I keep hearing is AI arms race. And I think that's kind of a real thing, bring you back to ID Pro and like the speed at which this is going. I think the answer you're going to say is that how does ID pro keep up with this? Well, that's the members, right? We provide the forum as the members have to bring this to how, how do the members keep up with this? This is moving so quickly. Yeah.
¶ The Importance of Information Sharing
And it's exactly that. And it's also through sharing with each other. Look, I came from the world of cybersecurity. Cybersecurity was very fragmented in the sense that, you know, large, large banks, large institutions, they didn't share when there was a cyber attack. And there was a huge effort by CISA and by others to say we got to share because you're probably actually facing the same attack that I'm facing. But as long as we keep it to ourselves, we don't know.
And facilitating that information sharing was was really critical. I worked in that intersection of of cybersecurity kind of right when that concept of information sharing became to the forefront. And I really think that that's what you need in order to stay ahead. We have to be telling each other what we're seeing, what's going on out there, one from the adversary and the attack surface, but also from the user perspective.
You know, what is what is usable, what is seamless, what is frictionless for people versus what is too cumbersome, what is too difficult or inaccessible to certain types of users. You know how passionate I am about making sure that different categories of users don't get
left behind? Well, part of the way that comes to the forefront is through a community like ID Pro where we can share and talk about women, talk about people that don't have dedicated computers, talk about people that have to share their workstations or for their devices. You know, talk about all of the communities of users and what their needs are and how we've made strides in addressing them. So we can share that with others.
Because I do think we're also in a very fortunately, a positive community that wants to provide identity for everyone, right? Identity is how we access the economy, it's how we access education, it's how we access our financial resources, our healthcare. Identity is really critical in making that in inclusive for everyone. I, I have found to be something that the community has been
really embracing. And so, yes, absolutely, that dialogue, that discussion, and that sharing is how we're all going to stay ahead. You talked about those internal committees. I think for an external committee like AI agents, IAM for AI and AI for IAM like. Those are topics that I think will be great external committees. Absolutely, yeah, we're, we're tackling that right now with agentic AI. How do you make sure that your agent is able to check in with
you? How do you make sure that it's authorized to do what you want it to do? How do you know whether it's acting sort of rogue, whether it hallucinated or whether whether in fact, you know, was, was that really Jeff's intention when when this AI agent was was kind of commissioned by him to go do something? And so all of these. Questions come back to identity authorization authentication, Absolutely. Identity's at the center. How do you stay sharp on stuff
like this? So, you know, like, this is a Jim question I'll go out there with is there's so much to keep up with? Like what are your sources of knowledge that you go to? Are there specific websites or people that you follow? Like for people listening to this is like, OK, this is how Tina stays up to date on things. Well, I would be remiss if I didn't point to ID Pro.
I think that in the ID Pro community, we bring up topics, the latest things that are out there, the latest advancements, the standards that are coming out and the latest breaches. How is this impacting people? We also have people speaking at conferences, which I think is a great place, as you mentioned, that can be sort of the bleeding edge of what's coming forward.
And then of course, just talking to people in the community, being working with folks, we are, you know, constantly working with some of the largest and smallest companies in the community and seeing what do they have on the horizon. What's next? I'm believe I am a strong believer in learning and education. As you know, I am a lecturer at MIT and I continue to teach and I continue to learn. So being, being aware that there's always something to learn is absolutely critical.
You know, if you have not tried some of these AI tools that are out there, played with them yourself, you have to do that. You have to get your hands dirty.
Even if you're not a, you know, a programmer or a developer, start using these tools, seeing the the advantages and seeing the disadvantages, experiencing the risks yourself, seeing that, oh, you know, if I enter this information is that now being trained in a global way, you know, being careful of your company proprietary information and where it's going, but still embracing and experiencing these new tools.
Because I guarantee you the tools that we have today, even in one year, are completely changing and will be a whole new set. This is the worst it will ever be, I should say the least capable it will ever be. It just keeps getting, you know, stronger from a capability standpoint. Could be more evil. Right. Well, yeah, that's what I say. I changed my word. Not worst. It's the it's the least capable. It will be right now like it just continues to get more capable over time.
And I we usually close out our episodes on a lighter note, but I want to ask you, how do you see AI affecting your karaoke career? Because you're, you've been on the highlight reel here at Authenticate. I think last year for that at Identiverse earlier this year for our Dennis Global game, you did an 8 Mile. I think it was 8 Mile right from Eminem, you know, on stage with us as part of the end of it. You're like, I didn't get to do it. I'm like, OK, well, go ahead and do it.
No, you wanted that bad. So how do you say AI impacting sort of that sphere of your life, you know, from like a music standpoint? Oh, that's great. I think, I think that my my band teacher would get a kick out of that knowing that I had, in his eyes, a very poor musical progress or, or potential. But yes, I had a blast at the identity squabble. Thank you for running that. You have a certain talent with these, with these fun shows and
bringing out the best in people. And yeah, it was great. I am I am a fan of Eminem and so I had to work in an MFA rap. That was pretty fun, I think getting getting people engaged in the importance of authentication in a secure way, but also, you know, bringing in the in the fun side. So I actually did try to use ChatGPT to see if it could help me with some of the the lyrics, but it didn't it didn't really grasp what I was trying to communicate.
So I ended up going back to the pen and paper for that one. So I think the the real question is, can it can it improve? Can it help me get some better lyrics for next time? I mean, that was like 3 or 4 months ago. So it's, you know, since then we've had ChatGPT-5, Gemini 2.5, Claude just came off a new version and just keeps getting crazier and crazier. Yeah. And as soon as we get Model Context Protocol, we won't be so
siloed. So have you played around with any of the music AIs like Suno or I think other ones like Udio? Anything. I have some MIT friends of mine that are actually musicians that have been using the AI to help inspire, help give them feedback and even use that when you sort of play an an instrument in it coming back with giving you personalized feedback. At this point it is wrong too
many times. So you have to have at least some knowledge otherwise you won't know that it's giving you kind of blatantly incorrect feedback. So think there's a a little bit of of a journey, but as we just discussed, hate that that evolution could happen quickly and we might see the usefulness of these tools turning around pretty fast. So what is it that drives you to get up in front of, you know, the hundreds of people of here at Authenticate or the thousands at Identiverse to do karaoke?
Because that sounds frightening to me. And I say this knowing it sounds on the Internet, right? Right. And billions on the Internet. I say that as a podcaster who, you know, we've got a million downloads at this point. There's no way you would catch me singing in front of me. No, first of all, nobody wants that. But I just, I don't have that guts. So take me into your mindset. It's just like, and you're you're, you're a very good singer. So that probably helps as well.
But like, you look like you're having such a good time with it. How do you let go like that? I didn't always do public
¶ Public Speaking and Personal Growth
speaking, but one time when I was undergraduate at MIT and I'm in aerospace engineering, I was asked to speak at an Amelia Earhart event. And this was one of the first times I was on stage. But it was for a bunch of middle school girls and it was to inspire kids and aviation and just talking to these kids afterwards, they, they, it, it worked. They wanted to become pilots. They wanted to become skydivers, aerospace engineers.
And seeing that something that I said could make a difference really motivated me to kind of get over it and be excited because being excited about what I was passionate about made an impact on others. And that's how I got into teaching. I'm in my 10th year of teaching the MIT class 16687 on aerodynamics. And yeah, as you mentioned, we now have three and a half million views on YouTube of that course.
And I don't think I ever even imagined that I was just speaking to to my class of students in the classroom and not really thinking about the the reach that it would have. And it's something that when I hear students come tell me, hey, I've become a pilot, I flew a plane, I got my commercial license. And then sharing that feedback with me, it really makes me happy that it, that it made a
difference. So even this afternoon when I'm going to be going on stage and, and talking about passkeys in the financial industry, how to overcome account recovery, I'm thinking about how maybe this could make an impact to others. And I try to put the the whatever the nervousness is and the stage lights that you see when you get up on stage, try and put that to the back of my head and focus on why I'm excited to share what I'm there to share.
When you're up on stage, you can't see anything, especially the main stage here, like the lights are very bright, you can really only see the first row and that's it. So I think that helps a little bit, but I still find it nerve-racking getting up there in front of anybody. You make it look so easy. Lighter notes for you Sweating is what is the first public speaking experience that you can remember. I think this is the one that you ditched me for. So this would have been I think
it was authenticate. Authenticated. Seat It was in Seattle and. You ditched me there. You made us out. So I was sick. It was, like in the middle of COVID. Yeah. Yeah. Could you imagine getting on a plane just, like, packing up a line? Yeah. That would not be in public. Everyone was like is what's going on there? But that I think, I think that was probably the first one that I can recall at like that level, like where there was, you know, more than maybe 10 people in the
room, that kind of thing. But yeah, I remember that I was getting ready to fly from Chicago to Seattle and you called me, said you're sick. And I didn't even want to go to this lake. I was going just to support you. You're like, hey, I'm going to go speak. I'm like, all right, I'll go and I'll help you with like the presentation, right. But I don't want to like get up there and then you call me. Is that all right?
And I guess I'm getting on a plane and did the presentation and that was it. I remember it being very out of place for the other content because this would have been. It was like how to run an IAM program, yeah. And it was like in the middle of an authenticate conference, like, OK, like one of these things is not like the other. And it was definitely the the oddball out. But yeah, that was it. But that's that's my first one.
What about you? So my first one was I was an undergrad and I was helping with the new art. Let's see, like the perspective student orientation. So people show for a Saturday. They get to walk around the campus with people like me. And I was sitting up at the front and the person who's doing the speaking was a guy named Doc Rock. He was one of the, yeah, that was his name because he ran the radio station. I forgot what his real last name was.
But he started taking questions from the parents that were there, parents and potential students. And they're asking things like, what are the dorms like? What is the the food in the in the cafeteria like? And then he's like, girl asked me like, how is the food in the cafeteria? And so I answered. And then it was like, do you ever see that new commercial? It's like the Capital One commercial. There's the Capital One bank guy, and there's Derek Jeter,
and there's an astronaut. And people all want to ask questions of the bank guy. Well, I was the bank guy. So Doc Rock just gave me the microphone and walked away. And then I was talking to like hundreds of people. That's pretty cool. It was good because I don't have time to be nervous. It's just it's happened. Yeah, I just got thrown into it. Thrown into it. That's kind of how I felt too, when when you ditched me, I'll say it again was I didn't have time to think about it.
So I guess I'm getting. On a plane. Get my COVID on, you know. Yeah, that's true. But I think you did put a question into the chat. It was like, what is IA or something like that, which is an internal joke for like Jim and I've been working there for like a decade now and whenever we have like an internal meeting, it's like, you know, we're all identity people consulting, etcetera. And I'll, I'll generally will throw in a question like I keep hearing about this thing.
IAM. What is that? What does society? Just you're just being an idiot. So sorry. I think that's a good spot to end is me being an idiot. So we'll go ahead and leave it
¶ Conclusion and Final Thoughts
there for this week. Thank you so much for being part of this, Tina. Great to be here again. Looking forward to that to hearing you maybe later tonight at the at the at the party. idpro.org. So people check that out. Hands down the best community I will say, and I will die on that hill. So feel free to come at me, but idpro.org, be a member, join the Slack, you know, just be part of the community. And with that, we'll go and leave it for this week.
idcpodcast.com, idcpodcast.tv for the YouTube channel, like subscribe and do all that fun stuff, you know, share, share the gospel of IAM with others. So thanks everyone for watching and or listening and we'll talk with y'all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com.
See you next time on Identity at the Center.
