Authentication Ways - something the person knows, has or is


Basically, there are three ways to authenticate an individual:

  • by something the person knows,
  • by something the person has,
  • and by something the person is.

All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.


Authentication Identification Type Why
something the person knows Group identification because knowledge can be shared
something the person has Group identification because something can be copied (a key for instance)
something the person is Person Identification

something the person knows

During World War II, American soldiers in Europe would ask strangers cultural questions like “Who won the 1940 World Series?” on the assumption that German soldiers wouldn’t know the answer, but every American would.

The biggest vulnerability is that the secret can be transmitted, learned, or stolen.

This is a group identification because knowledge can be shared.

something the person has

The something might be:

Like the “something the person knows” method, anyone can give this to anyone else.

This is a group identification because something can be copied (a key for instance).

something the person is

Something the person has that’s a physical part of their body. This is what we normally think of as identification.

When we recognize people, we recognize their physical features.

  • On the telephone, we recognize someone’s voice.
  • cats spray to mark their territory,
  • dogs sniff each others butts
  • whales have individual songs.

More modern versions of this mechanism, called “biometrics,” include:

  • fingerprinting,
  • voice printing,
  • hand geometry,
  • iris and retina scans,
  • and handwritten signatures.

Biometrics has advantages over passwords and tokens in that they:

  • can’t be forgotten, although they can be lost. (People can lose fingers in an accident, or temporarily lose their voices due to illness.)
  • can’t be changed. If someone loses a key or an access code, it’s easy to change the lock or combination and regain security. But if someone steals your biometric—perhaps by surreptitiously recording your voice or copying the database with your electronic iris scan—you’re stuck. Your iris is your iris, period.

The problem is, while a biometric might be a unique identifier, it is not a secret. You leave a fingerprint on everything you touch, and someone can easily photograph your eye.

Powered by ComboStrap