<![CDATA[Sujoy Gupta]]>https://www.sujoyg.comhttps://substackcdn.com/image/fetch/$s_!FBbD!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3b726cdd-474b-4f92-a755-e61ca66efa97_857x857.jpegSujoy Guptahttps://www.sujoyg.comSubstackMon, 18 May 2026 04:54:12 GMT<![CDATA[Move over MFA, come in UHA]]>https://www.sujoyg.com/p/move-over-mfa-come-in-uhahttps://www.sujoyg.com/p/move-over-mfa-come-in-uhaFri, 19 Dec 2025 21:17:58 GMT

We need to stop pretending that standard Multi-Factor Authentication (MFA) is still “secure” in the age of AI.

For the last decade, security architects have relied on the “Holy Trinity” of authentication:

  1. Something you know (passwords)

  2. Something you have (phones/keys)

  3. Something you are (biometrics)

In 2025, this model is fundamentally broken.

The Pillars Are Crumbling

To understand why we need a new standard, we have to look at how the current pillars are failing under the weight of AI agents and deepfakes:

Knowledge Factor (Passwords): Dead on arrival. Most passwords are reused across sites and apps. While browsers now offer inbuilt mechanisms to alert users on compromised passwords, the friction of changing them is so daunting that most people simply don’t do it.

Possession Factor (Device/SMS): SMS is the most common type of MFA today, yet it is susceptible to SIM swaps and phishing. Hardware keys (like YubiKeys) offer phishing resistance by requiring a human presence, but they are physically stealable.

Inherence Factor (Biometrics): A person’s unique biometrics (fingerprints, face) are authenticated against a known fingerprint or face. Therein lies the problem. It requires someone keeping a central database of biometrics to match an authenticating individual. It is a privacy nightmare for users, organizations and regulators.

The root of trust for most consumer biometrics like FaceID isn’t your face - it’s your passcode. If I have your device (”possession factor”) and your passcode (”knowledge factor”), I can delete your face and enroll my own. The system will then accept my face as yours.

UHA: The Final Boss of MFA

Unique Human Authentication (UHA) changes the game. It is person-bound, non-forgeable, and self-custodial.

UHA can be a deterministic anchor for the entire identity stack, potentially replacing the need for multiple weak factors with one gold-standard signal.

Non-Transferable Binding

Standard biometrics match a face to a device. UHA binds the identity to the unique biological entity using high-entropy iris patterns and hardware attestation. You can reset a password, you can overwrite a local FaceID enrollment, you can even update a biometric database, but you cannot “reset” or “transfer” your biological singularity.

Self-Custodial Privacy

Biometric verification creates centralized “honeypots” of sensitive data. UHA leverages Zero-Knowledge Proofs (ZKP). Users can prove their identity without ever revealing their raw biometric data to the relying party.

The Epitome of Trust

By verifying the unique human rather than just existence, UHA is the ultimate security layer for the age of AGI. It is the only signal that AI cannot forge, and it is the necessary evolution for a digital world that wants to remain human-centric.

The future of trust isn’t about having a key. It’s about being the key with no one else keeping a copy in their lockbox.

Thanks for reading. Please subscribe to receive new posts.

]]>