Authentication is about the continuity of relationships. It helps us determine whom to trust and whom not to trust. In fact, in our everyday lives, people authenticate dozens of times a day in the same way animals, plants and even viruses (a virus has a specially shaped “key” that fits only into a particular “lock”, the receptor) have been doing it for millions of years, using sight, smell, sound and touch. By the time we wake up in the morning and are on our way to work, we have probably “authenticated” several times: smelling the carton of milk before we drink it (authenticating that it is still milk and not soured milk), getting a phone call from your sister (authenticating her voice to confirm it is her and not your mother-in-law), or opening the door to receive a UPS delivery (authenticating that it’s really the UPS driver and not a salesperson).
Unfortunately, translating these everyday actions into something equally transparent and automatic is incredibly hard in the digital world. To authenticate in today’s world, there are four major authentication types:
| Characteristic | Credentials | Significance |
|---|---|---|
| Something you know | Password, PIN | Shared, compromised or forgotten |
| Something you have | Key, ID card, token | Lost or forgotten |
| Somewhere you are | GPS, phone | Confirms credentials by location |
| Something you are or do | Biometrics | Unique identifier but not secret |
Unfortunately, the method we are most familiar with is based on something we know: passwords and PINs serve most of our daily authentication needs. To make things worse, many systems rely on user-generated, user-remembered secrets, which inevitably leads to people reusing the same passwords and PINs across multiple sites, since human memory thrives on redundancy. Why don’t passwords work so well? Humans cannot remember good secrets: short-term memory capacity is around 7 ± 2 letters, and with today’s computing technology a secret of that size can be broken in a few seconds.
To briefly outline some of the problems with passwords, I’ve summarized the 11 most common issues with this method:
- Forgetfulness from time, length or quantity
- Access to user passwords by system administrators
- Risk of undetected theft
- Risk of observation
- Risk of undetected duplication/sharing
- Risk of weakest link (depends on neighbor)
- Risk of guessing
- Risk of dictionary/brute force attack
- Risk of password replay
- Risk of server spoofing
- Risk of reuse
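Two of the points above can be made concrete: a secret of around 7 letters is exhausted in seconds at an offline guess rate, and several of the listed risks (administrator access to user passwords, undetected theft, dictionary/brute-force attack) depend on how the server stores the secret rather than on the user. The following is an added example, not code from the original post. The guess rate of 10^10 per second is a constructed round figure, not a measurement, and the PBKDF2-HMAC-SHA256 work factor of 600,000 iterations is this example’s own choice.

```python
"""Added example: brute-force feasibility of short secrets, and salted slow
hashing so that neither an administrator nor a thief of the password table
learns the password itself."""

import hashlib
import hmac
import math
import os
import string

# Hypothetical offline guess rate for an attacker holding a copy of the
# password database (constructed round number, not a measurement).
GUESS_RATE = 10**10  # guesses per second

CHARSETS = {
    "digits": len(string.digits),                                                   # 10
    "lowercase": len(string.ascii_lowercase),                                       # 26
    "alphanumeric": len(string.ascii_letters + string.digits),                      # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),    # 94
}


def keyspace_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a uniformly random secret of `length` symbols from an alphabet of `charset_size`."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length: int, charset_size: int, rate: int = GUESS_RATE) -> float:
    """Worst-case time to try every candidate secret at `rate` guesses per second."""
    return charset_size ** length / rate


# Work factor for PBKDF2-HMAC-SHA256 (this example's choice); a deliberately
# slow hash cuts the attacker's effective guess rate by orders of magnitude.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so someone reading the table learns neither the
    password nor the fact that it is shared.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(f"Worst-case brute-force time at {GUESS_RATE:,} guesses/s:")
    for length in (7, 9, 12):  # 7 +/- 2 letters, then a longer secret
        for name, size in CHARSETS.items():
            print(f"  {length:2d} x {name:<12} {keyspace_bits(length, size):5.1f} bits "
                  f"{seconds_to_exhaust(length, size):16.1f} s")
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong horse", record))
```

A 7-letter lowercase password has about 33 bits of entropy and falls in under a second at the assumed rate, while 12 alphanumeric characters take on the order of 10^11 seconds; the stored record reveals only a salt and a digest, so the administrator-access and theft risks on the list become a slow offline guessing problem rather than immediate disclosure.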
Alternatives to passwords include:
- Biometrics – both physiological (e.g., fingerprint) and behavioral (e.g., signature) based
- Cards – including contactless and smart cards
- Tokens – including one-time pads
- PKI – including digital certificates in combination with the smart cards above
For designers of products, whether they are websites, software applications or even consumer electronics, the authentication needs in the digital world also have certain unique requirements not found in their analogue counterparts. These include:
- Strength – A weak authentication scheme serves little purpose. Mother’s maiden names and birthdays are examples that are increasingly risky in the age of Google.
- Usability – People should be able to use it without writing it down, as they do with passwords.
- Manageability – Some authentication methods involve more work to support, set up and train for. Revocation is also becoming an issue. While it’s easier to change a digital key than a stolen master key, managing the whole assortment of issued keys may become confusing.
- Scalability – A large system should scale well. It’s one thing to control access to a single server, but a completely different thing when a server serves millions of people with different access requirements.
- Capabilities – In a distributed environment, authentication schemes need to support delegation and impersonation. In corporate environments, this is especially true when you have secretaries, assistants and team members acting on someone else’s behalf.
Your comments are always welcome.