In 1993, there was a famous New Yorker cartoon that showed a dog telling another, “On the Internet, nobody knows you’re a dog.” While the artist Peter Steiner didn’t give the quote much thought when he wrote it, he unwittingly focused on the key strength and weakness of the Internet. Privacy and anonymity may allow for social and business well-being, yet authentication is essential in a digital world.

Authentication is about the continuity of relationships. It helps us determine whom to trust and whom not to trust. In fact, in our everyday lives, people authenticate dozens of times a day in the same way animals, plants and even viruses (a virus has a specially shaped “key” that fits only into a particular “lock”, the receptor) have been doing it for millions of years: using sight, smell, sound and touch. By the time we wake up in the morning and are on our way to work, we have probably “authenticated” several times, whether by smelling the carton of milk before we drink it (checking that it’s still milk and not soured), taking the phone call from your sister (recognizing her voice to confirm it is her and not your mother-in-law), or opening the door for a UPS delivery (checking that it’s really the UPS driver and not a salesperson).

Unfortunately, translating these everyday actions into something equally transparent and automatic is incredibly hard in the digital world. To authenticate in today’s world, there are four major authentication types:

| Characteristic | Credentials | Significance |
|---|---|---|
| Something you know | Password, PIN | Shared, compromised or forgotten |
| Something you have | Key, ID card, token | Lost or forgotten |
| Somewhere you are | GPS, phone | Confirms credentials by location |
| Something you are or do | Biometrics | Unique identifier but not secret |

Unfortunately, the method we are most familiar with is based on something we know: we use passwords and PINs for most of our daily authentication needs. To make things worse, many systems rely on user-generated, user-remembered secrets, which inevitably leads to people reusing the same passwords and PINs across multiple sites, since human memory thrives on redundancy. Why do passwords work so poorly? Humans cannot remember good secrets: short-term memory capacity is around 7 ± 2 letters, and with today’s computing technology a secret of that size can be broken in a few seconds.

To briefly outline some of the problems with passwords, I’ve summarized 11 of the most common issues with this method:

  1. Forgetfulness from time, length or quantity
  2. Access to user passwords by system administrators
  3. Risk of undetected theft
  4. Risk of observation
  5. Risk of undetected duplication/sharing
  6. Risk of weakest link (depends on neighbor)
  7. Risk of guessing
  8. Risk of dictionary/brute force attack
  9. Risk of password replay
  10. Risk of server spoofing
  11. Risk of reuse
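To make the memory-versus-machine argument and a few of the eleven issues concrete, here is an added example (my own illustration, not code from the original post). It estimates the keyspace of a short password against a guess rate, then contrasts a weak password store (one fast, unsalted hash, which lets an administrator or a thief with a copy of the table look passwords up in a precomputed dictionary: issues 2, 3 and 8) with a hardened store using a per-user salt and a slow key derivation function. The guess rate, user names and the small list of common passwords are constructed sample values.

```python
import hashlib
import hmac
import math
import os

# Constructed sample data for this example (not from the original post).
COMMON_PASSWORDS = ["password", "letmein", "qwerty1", "welcome"]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a secret drawn uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to enumerate the entire keyspace at the given guess rate."""
    return 2 ** bits / guesses_per_second


class UnsaltedStore:
    """Weak: one fast, unsalted SHA-256 per password. Equal passwords give equal records,
    so a single precomputed table cracks every user at once (issues 2, 3 and 8)."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, password: str) -> None:
        self.records[user] = hashlib.sha256(password.encode()).hexdigest()

    def verify(self, user: str, password: str) -> bool:
        return self.records.get(user) == hashlib.sha256(password.encode()).hexdigest()


class HardenedStore:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The default iteration count follows current OWASP guidance for SHA-256."""

    def __init__(self, iterations: int = 600_000):
        self.iterations = iterations
        self.records = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            # Derive anyway so unknown and known user names take the same time.
            self._derive(password, os.urandom(16))
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt))


def audit_unsalted(store: UnsaltedStore, wordlist) -> dict:
    """Defender's audit: which users' records match a precomputed table of common passwords?
    Works only because the store is unsalted; the same audit against HardenedStore would
    need one slow derivation per user per word."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in store.records.items() if digest in table}


if __name__ == "__main__":
    bits = keyspace_bits(26, 7)  # seven lowercase letters, roughly the 7 +/- 2 limit
    print(f"7 lowercase letters: {bits:.1f} bits, "
          f"{worst_case_crack_seconds(bits, 1e9):.0f} s at 1e9 guesses/s (constructed rate)")
    weak = UnsaltedStore()
    weak.register("alice", "letmein")
    weak.register("bob", "letmein")
    print("unsalted audit:", audit_unsalted(weak, COMMON_PASSWORDS))
    strong = HardenedStore()
    strong.register("alice", "letmein")
    strong.register("bob", "letmein")
    print("salted records differ:", strong.records["alice"] != strong.records["bob"])
    print("verify ok:", strong.verify("alice", "letmein"), "verify bad:", strong.verify("alice", "Letmein"))
```

The two stores expose the same `register`/`verify` interface on purpose: the hardened one costs nothing extra to call from application code, only to attack.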

So what are our alternatives? Or, more importantly, what should we be looking for when we want better security? First of all, to be usable for authentication, the credential should be unique and personal, and not something that can be forged or copied. It can still be stolen (the system shouldn’t fail just because something is stolen, because invariably it will be), but most importantly, the owner should know when it is stolen, preferably as soon as possible. Finally, there needs to be a way to invalidate or revoke the old one.

Some alternative authentication methods available today include:

  • Biometrics – both physiological (e.g., fingerprint) and behavioral (e.g., signature) based
  • Cards – including contactless and smart cards
  • Tokens – including one-time pads
  • PKI – including digital certificates in combination with the smart cards above
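The three requirements above (hard to copy, theft becomes visible, revocable) are easiest to see in a concrete token scheme, so here is an added example of my own, not code from the post. It implements the event-based one-time password of RFC 4226 (HOTP: HMAC-SHA-1 over a counter, dynamically truncated to six digits) and a server-side verifier that accepts each counter value at most once. A code at or below the last accepted counter is treated as a replay, which is exactly the signal that a second copy of the token exists, and a revoked token is refused outright. The secret is the RFC 4226 test vector secret; the look-ahead window and lockout threshold are assumptions for the example.

```python
import hashlib
import hmac
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# RFC 4226 Appendix D test secret (20 ASCII bytes); for illustration only, not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step (RFC 4226: HMAC-SHA-1 plus dynamic truncation)."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest counter value already accepted
        self.failures = 0
        self.revoked = False


class TokenVerifier:
    """Server side: every counter value is accepted once, replays are flagged, tokens can be revoked."""

    LOOK_AHEAD = 10    # assumed window for unsynchronised button presses
    MAX_FAILURES = 5   # assumed lockout after this many consecutive bad codes

    def __init__(self):
        self.tokens = {}

    def enroll(self, token_id: str, secret: bytes) -> None:
        self.tokens[token_id] = TokenRecord(secret)

    def revoke(self, token_id: str) -> None:
        """The 'invalidate the old one' requirement: a revoked token never verifies again."""
        self.tokens[token_id].revoked = True

    def verify(self, token_id: str, code: str) -> str:
        rec = self.tokens.get(token_id)
        if rec is None or rec.revoked or rec.failures >= self.MAX_FAILURES:
            return "rejected"
        # Counters at or below the last accepted one are never valid again. A code that
        # matches one of them means a second copy of the token (or the code) is in play.
        for c in range(max(0, rec.last_counter - self.LOOK_AHEAD), rec.last_counter + 1):
            if hmac.compare_digest(hotp(rec.secret, c), code):
                logging.warning("token %s: replay of counter %d, possible duplication or theft", token_id, c)
                rec.failures += 1
                return "replay"
        # Otherwise accept the first match in the look-ahead window and move the counter forward.
        for c in range(rec.last_counter + 1, rec.last_counter + 1 + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec.secret, c), code):
                rec.last_counter = c
                rec.failures = 0
                return "accepted"
        rec.failures += 1
        return "rejected"


if __name__ == "__main__":
    v = TokenVerifier()
    v.enroll("token-1", TEST_SECRET)
    first = hotp(TEST_SECRET, 0)          # "755224" per RFC 4226
    print("first use:", v.verify("token-1", first))
    print("same code again:", v.verify("token-1", first))
    print("after revoke:", (v.revoke("token-1"), v.verify("token-1", hotp(TEST_SECRET, 1)))[1])
```

Contrast this with a password: the password store above cannot tell a legitimate login from one made with a stolen copy, whereas the counter makes duplication observable on the very next use.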

For designers of products, whether they are websites, software applications or even consumer electronics, the authentication needs in the digital world also have certain unique requirements not found in their analogue counterparts. These include:

  • Strength – An authentication scheme that is weak will serve little purpose. Mother’s maiden names and birthdays are examples which are increasingly risky in the age of Google.
  • Usability – People should be able to use it, and not write it down like passwords.
  • Manageability – Some authentication methods may involve more work to support, setup and provide training. Revocation is also becoming an issue. While it’s easier to change a digital key than a stolen master key, managing the whole assortment of issued keys may become confusing.
  • Scalability – A large system should scale well. It’s one thing to control access to a server, but completely different where a server serves millions of people who have different access requirements.
  • Capabilities – In a distributed environment, authentication schemes need to support delegation and impersonation. In corporate environments, this is especially true when you have secretaries, assistants and team members.
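Manageability (revocation across a whole assortment of issued keys) and capabilities (delegation and impersonation) are the two requirements most often botched in practice, so here is an added example of my own that is not part of the original post. It uses HMAC-signed capability tokens: the server mints a root capability for a principal, the holder can delegate a strictly narrower one (a subset of scopes, no later expiry) to an assistant, each child records the chain of ancestor ids, and revoking any ancestor revokes everything delegated from it. The server key, scope names and timestamps are constructed values; an HMAC under one server key is assumed, rather than public-key signatures.

```python
import hashlib
import hmac
import json
import secrets

# Constructed server key for this example; a real deployment would keep it in a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)


def _sign(key: bytes, payload: dict) -> str:
    """Canonical JSON so the same payload always signs identically."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue(key: bytes, subject: str, scopes, expires_at: float) -> dict:
    """Root capability minted by the server for the original principal."""
    payload = {"id": secrets.token_hex(8), "sub": subject, "obo": None,
               "scopes": sorted(scopes), "exp": expires_at, "chain": []}
    return {"payload": payload, "sig": _sign(key, payload)}


def verify(key: bytes, token: dict, revoked: set, now: float):
    """Returns (ok, reason): checks signature, expiry, and that no link in the chain is revoked."""
    p = token["payload"]
    if not hmac.compare_digest(token["sig"], _sign(key, p)):
        return False, "bad signature"
    if now >= p["exp"]:
        return False, "expired"
    for tid in p["chain"] + [p["id"]]:
        if tid in revoked:
            return False, f"revoked via {tid}"
    return True, "ok"


def delegate(key: bytes, parent: dict, new_subject: str, scopes, expires_at: float,
             revoked: set, now: float) -> dict:
    """Mint a child capability that can only narrow the parent: subset of scopes, no later expiry.
    'obo' records whom the new subject acts on behalf of, so audit logs show the impersonation."""
    ok, reason = verify(key, parent, revoked, now)
    if not ok:
        raise PermissionError(f"cannot delegate: {reason}")
    pp = parent["payload"]
    if not set(scopes) <= set(pp["scopes"]):
        raise PermissionError("delegation may only narrow scopes")
    if expires_at > pp["exp"]:
        raise PermissionError("delegation may not outlive the parent")
    payload = {"id": secrets.token_hex(8), "sub": new_subject, "obo": pp["sub"],
               "scopes": sorted(scopes), "exp": expires_at, "chain": pp["chain"] + [pp["id"]]}
    return {"payload": payload, "sig": _sign(key, payload)}


def authorize(key: bytes, token: dict, revoked: set, now: float, needed_scope: str):
    """Access decision for one request: valid token and the scope was actually granted."""
    ok, reason = verify(key, token, revoked, now)
    if not ok:
        return False, reason
    if needed_scope not in token["payload"]["scopes"]:
        return False, "scope not granted"
    return True, "ok"


if __name__ == "__main__":
    revoked = set()
    manager = issue(SERVER_KEY, "manager", ["calendar:read", "calendar:write", "mail:send"], expires_at=2000)
    assistant = delegate(SERVER_KEY, manager, "assistant", ["calendar:read", "calendar:write"],
                         expires_at=1500, revoked=revoked, now=1000)
    print("assistant edits calendar:", authorize(SERVER_KEY, assistant, revoked, 1100, "calendar:write"))
    print("assistant sends mail:", authorize(SERVER_KEY, assistant, revoked, 1100, "mail:send"))
    revoked.add(manager["payload"]["id"])  # one revocation at the root cascades down the chain
    print("after manager revoked:", authorize(SERVER_KEY, assistant, revoked, 1100, "calendar:write"))
```

Because the chain of ids is inside the signed payload, a delegated token cannot be detached from its parent, and the operator who needs to pull access for a departed manager revokes one id instead of hunting for every key the manager ever handed out.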

Your comments are always welcome.