About
Basically, there are three ways to authenticate an individual:
- by something the person knows,
- by something the person has,
- and by something the person is.
All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.
Ways
Authentication | Identification Type | Why |
---|---|---|
something_the_person_knows | Group identification | because knowledge can be shared |
something_the_person_has | Group identification | because something can be copied (a key for instance) |
something_the_person_is | Person Identification |
something the person knows
something the person knows is known as the authentication code.
something the person has
The something might be:
- a cryptographic key such as:
- or a shared key
- an application on the mobile phone (https://tiqr.org/)
- a physical key,
- a membership card,
- or a cellphone SIM card.
Like the something the person knows method, anyone can give this to anyone else.
This is a group identification because something can be copied (a key for instance).
something the person is
Something the person has that’s a physical part of their body. This is what we normally think of as identification.
When we recognize people, we recognize their physical features.
- On the telephone, we recognize someone’s voice.
- cats spray to mark their territory,
- dogs sniff each others butts
- whales have individual songs.
More modern versions of this mechanism, called “biometrics,” include:
- fingerprinting,
- voice printing,
- hand geometry,
- iris and retina scans,
- and handwritten signatures.
Biometrics has advantages over passwords and tokens in that they:
- can’t be forgotten, although they can be lost. (People can lose fingers in an accident, or temporarily lose their voices due to illness.)
- can’t be changed. If someone loses a key or an access code, it’s easy to change the lock or combination and regain security. But if someone steals your biometric—perhaps by surreptitiously recording your voice or copying the database with your electronic iris scan—you’re stuck. Your iris is your iris, period.
The problem is, while a biometric might be a unique identifier, it is not a secret. You leave a fingerprint on everything you touch, and someone can easily photograph your eye.