# Authentication of humans

People aren't computers. They don't have the computational or storage capacity. So the mechanisms to authenticate humans are considerably different from the mechanisms to authenticate machines. (Though they both have in common the notion of secrets.)

- **Something you know:** you demonstrate knowledge of secret, e.g., password
- **Something you have:** you demonstrate possession of object, e.g., prox card
- **Something you are:** you demonstrate some feature of yourself, e.g., fingerprint

These aren't always clear-cut categories. A sheet of passwords, each valid only once, could be "know" or "have." A finger could be "have" or "are."

Frequently these are combined. Use independent methods from each of two categories, and you have *two-factor authentication*, e.g., using an ATM card requires "have" (card) and "know" (PIN). The general case is called *multi-factor authentication*.

### Identity

What is an identity? A name? A netid? An email? A URL? An IP address? Other attributes, like your citizenship, your credit score, your political party?

We'll say that an *identity* is a set of attributes; each *attribute* is a statement about or property of a principal. You have many identities that you present to those around you. Some of them might uniquely identify you, others might not. An *identifier* is an attribute that is associated with exactly one principal, perhaps within a given population.

*Enrollment* is the process of establishing an identity. We go through enrollment protocols all the time, e.g.,

- creating an account on a website,
- getting passports and visas,
- registering a machine on a wireless network, and
- establishing a signing key with (e.g.) Verisign.

The amount of work that the principal enrolling us does varies widely. Websites rarely verify many of our attributes, but governments issuing travel documents usually do. And we can pay to get various levels of verification from companies like Verisign.
Enrollment is tricky to design. It's where the digital world interfaces with the real world, so there's no fully technical solution.

### Biometrics

"Something you are" is authentication based on biometrics. *Biometrics* are a measurement of your physical or behavioral traits, e.g., your fingerprint, face, iris, retina, hands, or DNA. To be usable for authentication, a biometric must be (i) an identifier; (ii) invariant over time; (iii) difficult to spoof; (iv) easy to measure; and (v) acceptable to users.

Biometric measurement suffers from the problem of errors: it is based on physical characteristics and measurements that vary, so biometric authentication mechanisms can incorrectly accept or incorrectly reject an authentication request. Which is better depends on context.

Another problem with biometrics is updating of identities. If a fingerprint is disclosed, how do you issue the human a new finger? What about a new retina?

But despite these problems, biometrics are attractive. You can't lose them, forget them, or share them.

### Privacy

When authenticating humans, privacy is an important concern:

- When enrolling a human, a system learns about their attributes, which might include personal information, e.g., SSN.
- When requesting authentication from a human, the human might believe that establishing their identity is detrimental, e.g., concerns about having a photograph captured.
- When binding an action to an identity, the action might involve information the human doesn't want to share, e.g., what medicine they purchased.
- When auditing, an identity might be stored and later abused, e.g., the storer uses it for data mining or hackers commit identity theft.

So authentication of humans must be handled carefully. Here are some guidelines for privacy in human authentication:

- **Seek consent.** Authenticate only once you have consent, and inform humans whether their identity will be stored.
- **Select minimal identity.** Authenticate against the smallest set of attributes necessary.
- **Limit storage.** Don't save information about authenticated identities without a clear need. When the need expires, delete the information.
- **Avoid linking.** Don't reuse the same identifier across multiple systems. This is commonly violated for the sake of convenience.
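
One way to apply the "seek consent", "select minimal identity" and "avoid linking" guidelines in an identity provider, as an added example that is not part of the original notes. The key, attribute names, relying-party names and the `assertion` function are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: key, user record and relying parties are hypothetical.
IDP_KEY = b"constructed-demo-key-not-for-production"

USER = {
    "netid": "abc123",
    "email": "abc123@example.edu",
    "affiliation": "student",
    "birth_year": 1990,
}

# Select minimal identity: each relying party gets only the attributes it needs.
RP_POLICY = {
    "library.example": {"affiliation"},
    "pharmacy.example": {"over_18"},
}


def pairwise_id(internal_id: str, relying_party: str) -> str:
    """Avoid linking: a stable identifier per system that differs across systems."""
    # The NUL separator keeps (relying_party, internal_id) pairs unambiguous.
    msg = relying_party.encode() + b"\x00" + internal_id.encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()[:32]


def assertion(user: dict, relying_party: str, consented: bool,
              current_year: int = 2024) -> dict:
    """Build the identity released to one relying party."""
    # Seek consent: refuse to authenticate to the relying party without it.
    if not consented:
        raise PermissionError("user has not consented to authentication")
    allowed = RP_POLICY[relying_party]  # unknown relying party -> KeyError
    # Release a derived predicate instead of the underlying attribute.
    # Strict '>' guarantees the user is at least 18 whatever their birthday.
    available = dict(user, over_18=(current_year - user["birth_year"] > 18))
    released = {name: available[name] for name in allowed}
    released["sub"] = pairwise_id(user["netid"], relying_party)
    return released


if __name__ == "__main__":
    for rp in RP_POLICY:
        print(rp, assertion(USER, rp, consented=True))
```

Two relying parties that compare records see different `sub` values for the same person, and neither receives the netid, email or birth year.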