Elements of identity
The term ‘identity’ means different things in different contexts. Here I use it in one specific sense: the collection of all information objects that identify a person, and specifically identify that person to someone or something outside of the person. Authentication of a person, if you will.
If authentication is the domain in which this identity is relevant, we can use the classic authentication domains to break down these information objects: something you have, something you know, something you are. Let’s look closer at each of these:
Something you know
Something you know is a crucial piece of information in your possession which an authenticator can use to identify you. A password comes to mind: the authenticator (say, a computer program) verifies that you have the right password before granting you some kind of access, or a person verifies that you have the right password before opening the door to the secret society club. The password has to be short enough that you can memorize it, lest it be written down and become “something you have” (see: the post-it with the password stuck to the screen). It is not necessarily something random that you memorize; it can be something you have previously memorized anyway, such as your mother’s maiden name or the name of your pet.
If you’re smart about it, and can do a little math in your head, the thing you know can be a simple algorithm used as part of a challenge-response system. For practical reasons such schemes are rather limited, but they have their uses. I’ve personally seen a system where you have to take the hour part of the time and perform simple math on it before you key it in.
The obvious weakness of this method is also its strength: something you know cannot be lost or taken from you, because it is in your memory, but memory is fickle and limited in what it can hold. Good luck memorizing your 1024-bit RSA private key.
Attempts to take something you know by force (the gun-to-your-head scenario) can be partially mitigated by a secondary set of credentials that behaves exactly like the primary set but triggers a silent alarm or leads the attacker to a honeypot. Phishing is another, rather serious, attack on these credentials.
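As an added illustration, not part of the original post, here is how a verifier can implement the secondary “duress” credentials just described, in Python. Both passwords are stored as salted PBKDF2 hashes and both comparisons always run in constant time, so a login with the duress password is indistinguishable, on screen and in timing, from a normal one; only the verifier’s own decision record carries the alarm flag and the choice to route the session to a decoy. The round count, the sample passwords and the “decoy” session label are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not from the original post. The PBKDF2 round count is an
# assumption; tune it to the hardware budget of the real deployment.
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class StoredCredentials:
    salt: bytes
    primary_hash: bytes
    duress_hash: bytes


@dataclass(frozen=True)
class Decision:
    granted: bool        # what the user (and anyone standing over them) sees
    silent_alarm: bool   # what the security desk sees
    session: str         # "normal", "decoy" (the honeypot route) or "none"


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential record is expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(primary: str, duress: str) -> StoredCredentials:
    """Store both passwords under one salt; they must differ."""
    if primary == duress:
        raise ValueError("duress password must differ from the primary password")
    salt = os.urandom(16)
    return StoredCredentials(salt, derive(primary, salt), derive(duress, salt))


def authenticate(creds: StoredCredentials, attempt: str) -> Decision:
    """Accept either password; flag the duress one without any visible difference."""
    candidate = derive(attempt, creds.salt)
    # Both comparisons run unconditionally and in constant time, so the duress
    # path costs exactly what the primary path costs: no timing tell.
    is_primary = hmac.compare_digest(candidate, creds.primary_hash)
    is_duress = hmac.compare_digest(candidate, creds.duress_hash)
    if is_duress:
        session = "decoy"
    elif is_primary:
        session = "normal"
    else:
        session = "none"
    return Decision(granted=is_primary or is_duress, silent_alarm=is_duress, session=session)


if __name__ == "__main__":
    # Constructed sample credentials.
    creds = enroll("correct horse", "battery staple")
    for attempt in ("correct horse", "battery staple", "wrong guess"):
        print(repr(attempt), "->", authenticate(creds, attempt))
```

The `granted` flag is the only thing the login screen should ever reflect; the `silent_alarm` and `session` fields belong to the audit log and the session router, never to the response the user sees.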
Something you have
Something you have is a real-world object that is used to authenticate you to some authenticator. A key is an example: it authenticates a person to the lock. Once inserted into the lock, the information in the key is transmitted to the lock by one of various methods, whether the mechanical method still common with mechanical locks or the secure communication of a smart card chip; the principle is the same. Another such object is a seal ring, which identifies its owner to the people who read their mail. The information in the ring is its unique, intricate design.
In all these cases, the object itself is not the part that participates in the authentication; the crucial part is the information embedded within it. In fact, the information in a physical mechanical key can be conveyed as a string of numbers indicating the dips and peaks along the key’s edge. A skilled locksmith can use these numbers to recreate the key, and done maliciously this is a clone attack on the authenticator. If the information in the key can be memorized by a person, and is sufficient to identify that person to the lock as a valid opener of the lock, it has become “something you know”.
Something you are
Here we delve into the world of biometrics: the information object used to identify you is a part of you that naturally holds information. A fingerprint, a DNA sample, your picture and your voice are such parts. In theory this is the ultimate method of identifying a person, provided that the information in that part of you is sufficient to do so uniquely.
In practice such identification fails because of details in the practical implementation of the technology (for example, a fingerprint reader that can be fooled by gelatin, or a voice identification system that can be fooled by a recording) or because of non-technological means (such as makeup to look like the picture in someone else’s passport and fool the immigration official). Most of today’s real-world systems that use biometrics count on other methods of identifying the person.
In the real world
Identity in the real world is ubiquitously checked by photo IDs. A photo ID, in the classification above, is “something you have” (the ID itself) plus “something you are” (the photo). The weaknesses of these identity checks fall into two categories:
1. Forging what you have – forging the ID to carry your picture but fake information. Some IDs are better than others at implementing tamper-resistant security features to prevent this, such as holograms, RFID chips etc.
2. Forging what you are – as silly as it sounds, this is actually one of the greater weaknesses, because the comparison between the bearer of the ID and the picture on it is done by a fallible human being, who may or may not pay attention. Your picture may or may not be recent. People can be made to look like other people with some application of makeup etc. Embedding another form of biometric data in the ID that is machine verifiable is one way to mitigate this problem, even though it is far from perfect (there are ways to fool those machines).
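As an added example, not from the original post, of the two forgery categories above, here is a small Python verifier for an ID that carries a machine-verifiable biometric template alongside its printed fields. The issuer’s signature over holder name, document number and template catches category 1 (the data on the card was altered), and the comparison of the embedded template against a live reading catches category 2 (the bearer is not the person the card was issued to). Assumptions: the issuer signature is modelled with an HMAC so the example is self-contained (a real document uses an asymmetric signature so that verifiers never hold the issuing key), the biometric template is a constructed 128-bit string compared by Hamming distance, and the match threshold is made up.

```python
import dataclasses
import hashlib
import hmac
import json

# Added example, not from the original post. The issuer key, the templates and
# the match threshold are all constructed for illustration.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"
MATCH_THRESHOLD = 12  # assumption: up to 12 of 128 differing bits still count as the same person


@dataclasses.dataclass(frozen=True)
class IdDocument:
    holder: str
    document_number: str
    template: bytes     # biometric template captured at issuance
    signature: bytes    # issuer signature over the three fields above


def _signed_payload(holder: str, document_number: str, template: bytes) -> bytes:
    """Canonical encoding of the signed fields so signer and verifier agree byte for byte."""
    payload = {"holder": holder, "number": document_number, "template": template.hex()}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue(holder: str, document_number: str, template: bytes) -> IdDocument:
    """Issuer side: bind holder data and biometric template together under one signature."""
    sig = hmac.new(ISSUER_KEY, _signed_payload(holder, document_number, template), hashlib.sha256).digest()
    return IdDocument(holder, document_number, template, sig)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; two readings of the same person differ a little each time."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def check_id(doc: IdDocument, live_template: bytes) -> dict:
    """Verifier side: test for a forged card (category 1) and for a wrong bearer (category 2)."""
    expected = hmac.new(ISSUER_KEY, _signed_payload(doc.holder, doc.document_number, doc.template),
                        hashlib.sha256).digest()
    untampered = hmac.compare_digest(expected, doc.signature)
    same_length = len(live_template) == len(doc.template)
    bearer_matches = same_length and hamming_distance(doc.template, live_template) <= MATCH_THRESHOLD
    return {
        "untampered": untampered,            # category 1: were the card's fields altered?
        "bearer_matches": bearer_matches,    # category 2: is the bearer the enrolled person?
        "accepted": untampered and bearer_matches,
    }


# Constructed sample data: a deterministic "template", a slightly noisy live reading
# of the same person (3 bits flipped) and an impostor (every bit flipped).
GENUINE_TEMPLATE = hashlib.sha256(b"constructed genuine template").digest()[:16]
NOISY_LIVE_READING = bytes([GENUINE_TEMPLATE[0] ^ 0b101, GENUINE_TEMPLATE[1] ^ 0b1]) + GENUINE_TEMPLATE[2:]
IMPOSTOR_TEMPLATE = bytes(b ^ 0xFF for b in GENUINE_TEMPLATE)

GENUINE_DOC = issue("Alice Example", "CONSTRUCTED-0001", GENUINE_TEMPLATE)
# Category 1 forgery: the impostor's template pasted onto Alice's card data, signature left as is.
FORGED_DOC = dataclasses.replace(GENUINE_DOC, template=IMPOSTOR_TEMPLATE)

if __name__ == "__main__":
    print("genuine card, genuine bearer :", check_id(GENUINE_DOC, NOISY_LIVE_READING))
    print("forged card, impostor bearer :", check_id(FORGED_DOC, IMPOSTOR_TEMPLATE))
    print("genuine card, impostor bearer:", check_id(GENUINE_DOC, IMPOSTOR_TEMPLATE))
```

The threshold is where the “far from perfect” caveat lives: raise it and genuine holders with a poor reading get through more often but so do near matches; lower it and the reverse. The check also only compares templates; whether the live sample came from a living finger or face (liveness detection) is a separate problem this code does not address.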
Authenticating to a computer is a different matter. Because of the specific limitations of the interface, usually the only authentication method is “something you know”: a password.
Passwords suffer from the main weakness of “something you know” described above, the limits of our ability to memorize. Another weakness is that, if it is to be memorized, the authentication token is created by the user (random strings are harder to memorize) and is hence limited even further by the creativity of the user. Attempts to curb this limit by enforcing strict password rules tend to produce the opposite result: the password gets written down, which is a very weak form of “something you have”, especially when taped to the monitor.
A few institutions have started giving customers and employees hardware tokens of various sorts, which add a formidable “something you have” to password authentication. Even combined, though, these methods still lack the “something you are” which is the only way to tie the identity to an actual person.
The future
There is no perfect authentication method, just stronger and weaker methods. I predict that applications that need stronger authentication will eventually use all three domains. One possible solution is a token generation device (“something you have”) that only generates a token when given the right password (“something you know”) and the right fingerprint (“something you are”).
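An added example, not from the original post, of the three-domain device described above, in Python: a token generator that holds a shared seed (something you have), releases a one-time token only after a PIN (something you know) and a fingerprint template (something you are) both check out, and a server that verifies the token and refuses replays. The token is an HOTP code as in RFC 4226 (HMAC-SHA1 over a counter, six digits); the demo seed is the RFC 4226 test seed, so the first token the device produces is the published test vector 755224. The PIN, the fingerprint template, the 128-bit Hamming-distance matcher and its threshold are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Added example, not from the original post. Match threshold and PBKDF2 rounds
# are assumptions chosen for the demo.
MATCH_THRESHOLD = 12
PBKDF2_ROUNDS = 100_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class TokenDevice:
    """'Something you have': holds the seed, but only speaks when 'know' and 'are' both check out."""

    def __init__(self, seed: bytes, pin: str, fingerprint_template: bytes):
        self._seed = seed
        self._salt = os.urandom(16)
        self._pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, PBKDF2_ROUNDS)
        self._template = fingerprint_template
        self._counter = 0

    def generate(self, pin: str, live_fingerprint: bytes) -> Optional[str]:
        """Return a token only if both the PIN and the fingerprint match; otherwise None."""
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, PBKDF2_ROUNDS), self._pin_hash)
        finger_ok = (len(live_fingerprint) == len(self._template)
                     and hamming_distance(self._template, live_fingerprint) <= MATCH_THRESHOLD)
        if not (pin_ok and finger_ok):
            return None  # one answer for any failure: nothing reveals which factor was wrong
        token = hotp(self._seed, self._counter)
        self._counter += 1
        return token


class TokenServer:
    """Shares the seed with the device and accepts each counter value at most once."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self._seed = seed
        self._counter = 0
        self._look_ahead = look_ahead  # tolerate tokens that were generated but never submitted

    def verify(self, token: str) -> bool:
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._seed, c), token):
                self._counter = c + 1  # resync and burn this and all earlier counters: no replay
                return True
        return False


# Constructed demo values. The seed is the RFC 4226 test seed, so the first token is 755224.
DEMO_SEED = b"12345678901234567890"
DEMO_PIN = "2468"
DEMO_FINGER = hashlib.sha256(b"constructed fingerprint template").digest()[:16]
WRONG_FINGER = bytes(b ^ 0xFF for b in DEMO_FINGER)

if __name__ == "__main__":
    device = TokenDevice(DEMO_SEED, DEMO_PIN, DEMO_FINGER)
    server = TokenServer(DEMO_SEED)
    print("wrong PIN    :", device.generate("0000", DEMO_FINGER))
    print("wrong finger :", device.generate(DEMO_PIN, WRONG_FINGER))
    token = device.generate(DEMO_PIN, DEMO_FINGER)
    print("all three    :", token, "accepted" if server.verify(token) else "rejected")
    print("replayed     :", "accepted" if server.verify(token) else "rejected")
```

The point of gating inside the device is that the seed never leaves it and is never exercised until both other factors are present, so a stolen device on its own yields no tokens; the server, for its part, only ever sees a six-digit code and the shared seed, and its counter discipline is what turns “the right token” into “the right token, once”.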
