something the person knows

something the person knows is known as the authentication code.

something the person has

The something might be:

• a cryptographic key such as:
  • private key
  • or a shared key
• an application on the mobile phone (https://tiqr.org/)
• a physical key,
• a membership card,
• or a cellphone SIM card.

Like the something the person knows method, anyone can give this to anyone else.

This is a group identification because something can be copied (a key for instance).

something the person is

Something the person has that’s a physical part of their body. This is what we normally think of as identification.

When we recognize people, we recognize their physical features.

• On the telephone, we recognize someone’s voice.
• cats spray to mark their territory,
• dogs sniff each others butts
• whales have individual songs.

More modern versions of this mechanism, called “biometrics,” include:

• fingerprinting,
• voice printing,
• hand geometry,
• iris and retina scans,
• and handwritten signatures.

Biometrics has advantages over passwords and tokens in that they:

• can’t be forgotten, although they can be lost. (People can lose fingers in an accident, or temporarily lose their voices due to illness.)
• can’t be changed. If someone loses a key or an access code, it’s easy to change the lock or combination and regain security. But if someone steals your biometric—perhaps by surreptitiously recording your voice or copying the database with your electronic iris scan—you’re stuck. Your iris is your iris, period.

The problem is, while a biometric might be a unique identifier, it is not a secret. You leave a fingerprint on everything you touch, and someone can easily photograph your eye.