In the previous part of this series, we discussed the many shortcomings of passwords as a means of authentication—the process of verifying that a given person is someone you want to be able to do something, such as use a piece of software, log in to an online account or access an area of a building. In this part, a range of authentication alternatives to passwords will be presented, along with their pros and cons.
So, think for a moment—if requesting that a secret string be presented from memory was no longer an option, how else might you authenticate a user?
Ultimately, the possibilities are primarily limited by one’s imagination. In their book The New Digital Age, former Executive Chairman of Google Eric Schmidt and co-writer Jared Cohen define a method of authentication as being ‘something you know’, ‘something you are’ or ‘something you have’. For example, a password is a (bad) example of something you know, whilst a fingerprint is something you are and a key fob is something you have.
As you might expect, all three types of authentication requirement encompass means both good and bad. ‘Something you know’, for example, may be a 10-digit PIN that is mathematically unguessable by a brute-force attack within any reasonable timeframe, but it may also be your name—obviously something you know, but rather less uniquely. ‘Something you have’ could be an advanced cryptographic USB key unique to you, or it could be a distinctive item that you always wear and which the security guard recognises, but which can be purchased anywhere by someone else.
The three types of authentication requirement also have their own pros and cons. ‘Something you know’ has the advantage of going with you wherever you go—you are unlikely to forget your brain at home—and of being impossible to physically steal, but it has the obvious disadvantages of being forgettable and of having its complexity limited to the abilities of your fallible human brain.
‘Something you are’ also goes with you wherever you go, but by contrast is in some cases stealable (e.g. a voice sample can be recorded and replayed). It requires no memorisation and so cannot be forgotten, but may be more subject to physical destruction or temporary impairment—a hoarse voice locking you out of your office, or the loss of a hand in an accident along with all your fingerprints. Additionally, things that fall under ‘something you are’ are generally not replaceable in the event that they are compromised. If someone gets hold of scans of both your irises, having your eyeballs replaced is an awful lot of effort, and getting a replacement face would be even more of a pain.
Finally, ‘something you have’ can be easily replaced in the event of loss or damage and doesn’t require you to remember anything, but key cards, fobs and the like can be easily lost, left at home or stolen.
How frustrating—there doesn’t seem to be a silver bullet for the problem of authentication. How ever can you keep your restricted areas restricted? In the next part in this series, we’ll cover just this.