When I attended the Identity Week conference in Washington, D.C. last year, I noted a heavy focus on biometrics, especially focused on employee onboarding and background checks. While this is an important topic, I was disappointed that there wasn’t more focus on identity security and non-human identities. This year at Identity Week, that changed significantly.
The conference floor was filled with a lot of vendors focusing on exactly that – identity security, non-human identities, and how to handle agentic AI in its hybrid service account/almost-a-human identity role. The vendors delivered some very innovative solutions.
One of the more compelling discussions I had with these vendors focused on not just role-based access, but attribute-based access. In the brief demo provided to me, the vendor showed a traditional usage of a common access card for identity verification for initial logon. However, the vendor, ZKX Solutions, then showed me something I was not expecting. They gained access to a sensitive application using a bag of Cheetos. While this sounds like something out of a terrible 90s hacker film, it was a very real and innovative authentication process. But then, can you really “hack the planet” with your fingers covered in orange Cheetos dust? Probably only in the movies.
So how did the Cheetos-based multifactor authentication work? Upon trying to launch the sensitive application, the user was prompted to verify their identity through two additional steps – using a proximity tag, which would assumedly be at their desk, and scanning the barcode on a bag of Cheetos to prove their identity. While I’m not quite sure if the world is ready to adopt Cheetos-based authentication yet, it’s quite an intriguing concept – require the user to scan the barcode of their favorite snack food or soft drink in order to gain access, as the “secret item” would likely be something only known to them, and probably their cubicle mates. I guess the Cheetos bag would, in fact, count as “something you have” as well as “something you know.”
Of course, this creates new and interesting challenges, such as what happens if the manufacturer changes the barcodes to a new product number, or what happens if your local grocery store runs out of your favorite potato chips? Would this then also make a person’s favorite snack food part of their personally identifiable information required to be protected? If I post a photo of myself with said snack food on social media, would that mean I accidentally revealed my password? I am somewhat joking with these questions, but I applaud ZKX for their out-of-the-box (bag?) thinking – reduce user friction while increasing security.
The rest of the conference was filled with conversations that were just as appetizing, although not covered in orange Cheetos crumbs. From discussions on non-human identities to backup and restore of identity provider directories, Identity Week is quickly becoming a critical, trusted conference in the identity space. If you didn’t get to attend this year, I highly recommend it for future consideration.