# Authentication of humans
People aren't computers. They don't have the computational or storage
capacity. So the mechanisms to authenticate humans are considerably
different from the mechanisms to authenticate machines. (Though they
both have in common the notion of secrets.)
- **Something you know:** you demonstrate knowledge of secret, e.g.,
- **Something you have:** you demonstrate possession of object, e.g.,
- **Something you are:** you demonstrate some feature of yourself,
These aren't always clear-cut categories. A sheet of passwords, each
valid only once, could be "know" or "have." A finger could be "have" or
Frequently these are combined. Use independent methods from each of two
categories, and you have *two-factor authentication*, e.g., using an ATM
card requires "have" (card) and "know" (PIN). The general case is called
What is an identity? A name? A netid? An email? A URL? An IP address?
Other attributes, like your citizenship, your credit score, your
We'll say that an *identity* is a set of attributes;
each *attribute* is a statement about or property of a principal. You
have many identities that you present to those around you. Some of them
might uniquely identify you, others might not. An *identifier* is an
attribute that is associated with exactly one principal, perhaps within
a given population.
*Enrollment* is the process of establishing an identity. We go through
enrollment protocols all the time, e.g.,
- creating an account on a website,
- getting passports and visas,
- registering a machine on a wireless network, and
- establishing a signing key with (e.g.) Verisign.
The amount of work that the principal enrolling us does varies widely.
Websites rarely verify many of our attributes, but governments issuing
travel documents usually do. And we can pay to get various levels of
verification from companies like Verisign.
Enrollment is tricky to design. It's where the digital world interfaces
with the real world, so there's no fully technical solution.
"Something you are" is authentication based on biometrics. *Biometrics*
are a measurement of your physical or behavioral traits, e.g., your
fingerprint, face, iris, retina, hands, or DNA. To be usable for
authentication, a biometric must be (i) an identifier; (ii) invariant
over time; (iii) difficult to spoof; (iv) easy to measure; and (v)
acceptable to users.
Biometric measurement suffers from the problem of errors: it is based on
physical characteristics and measurements that vary, so biometric
authentication mechanisms can incorrectly accept or incorrectly reject
an authentication request. Which kind of error is more tolerable depends on context. Another
problem with biometrics is updating identities. If a fingerprint is
disclosed, how do you issue the human a new finger? What about a new
But despite these problems, biometrics are attractive. You can't lose
them, forget them, or share them.
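The trade-off between incorrect acceptance and incorrect rejection can be made concrete with a matcher that outputs a similarity score and a threshold that decides. The Python below is an added example, not from the original notes: the genuine and impostor scores are constructed, and the matcher itself is hypothetical. It computes the false-accept rate (FAR) and false-reject rate (FRR) at a given threshold, finds the threshold where the two are equal, and shows how a stricter FAR budget (the "depends on context" choice) pushes the threshold up at the cost of rejecting more legitimate users.

```python
from typing import List, Tuple

# Constructed similarity scores in [0, 1] from a hypothetical matcher.
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.58]   # same person
IMPOSTOR = [0.12, 0.21, 0.33, 0.41, 0.47, 0.52, 0.61, 0.70]  # different person


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_threshold(genuine: List[float], impostor: List[float]) -> float:
    """Threshold at which FAR and FRR are closest (the equal-error point)."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates,
               key=lambda t: abs(error_rates(genuine, impostor, t)[0]
                                 - error_rates(genuine, impostor, t)[1]))


def choose_threshold(genuine: List[float], impostor: List[float],
                     max_far: float) -> float:
    """Lowest observed threshold whose FAR stays within a context-specific budget."""
    for t in sorted(set(genuine) | set(impostor)):
        if error_rates(genuine, impostor, t)[0] <= max_far:
            return t
    return 1.0  # no threshold meets the budget: accept nothing


def decide(score: float, threshold: float) -> bool:
    """The authentication decision for one measurement."""
    return score >= threshold


if __name__ == "__main__":
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print("equal-error threshold:", eer_t, error_rates(GENUINE, IMPOSTOR, eer_t))
    strict_t = choose_threshold(GENUINE, IMPOSTOR, max_far=0.0)
    print("zero-FAR threshold:", strict_t, error_rates(GENUINE, IMPOSTOR, strict_t))
```

With these constructed scores the equal-error threshold is 0.65 (one false accept and one false reject in eight), while demanding zero false accepts raises the threshold to 0.74 and rejects three of the eight genuine attempts. A door to a server room and a phone unlock would reasonably sit at different points on this curve.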
When authenticating humans, privacy is an important concern:
- When enrolling a human, a system learns about their attributes,
which might include personal information, e.g., SSN.
- When requesting authentication from a human, the human might believe
that establishing their identity is detrimental, e.g., concerns
about having a photograph captured.
- When binding an action to an identity, the action might involve
information the human doesn't want to share, e.g., what medicine
- When auditing, an identity might be stored and later abused, e.g.,
the storer uses it for data mining or hackers commit identity theft.
So authentication of humans must be handled carefully.
Here are some guidelines for privacy in human authentication:
- **Seek consent.** Authenticate only once you have consent, and
inform humans whether their identity will be stored.
- **Select minimal identity.** Authenticate against smallest set of
- **Limit storage.** Don't save information about authenticated
identities without a clear need. When the need expires, delete the
- **Avoid linking.** Don't reuse the same identifier across multiple
systems. This is commonly violated for the sake of convenience.
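Three of these guidelines (minimal identity, limited storage, and avoiding linking) can be applied in code at the point where an authentication system hands an identity to another system. The Python below is an added example, not from the original notes. It derives a per-system pseudonymous identifier with an HMAC keyed by a secret specific to each relying system, so the same principal gets unlinkable identifiers in different systems; it releases only the attributes a system asks for and refuses attributes policy forbids; and it keeps audit records only until a retention period expires. The principal record, the system names, the per-system keys and the release policy are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed principal with several enrolled attributes (values are placeholders).
PRINCIPAL = {
    "id": "user-0001",
    "name": "A. Example",
    "ssn": "000-00-0000",
    "over_18": True,
}

# Hypothetical per-system secrets; a real deployment would keep these in a key store.
SYSTEM_KEYS: Dict[str, bytes] = {
    "library": b"library-key-constructed",
    "pharmacy": b"pharmacy-key-constructed",
}

# Release policy: attributes a relying system may ever receive.
RELEASABLE: Set[str] = {"name", "over_18"}


def pairwise_identifier(principal_id: str, system: str) -> str:
    """Identifier stable within one system but unlinkable across systems.

    Without the system's key, nobody can derive one system's identifier from
    another's, nor recover the internal id from either.
    """
    return hmac.new(SYSTEM_KEYS[system], principal_id.encode(),
                    hashlib.sha256).hexdigest()


def minimal_assertion(principal: dict, system: str, requested: Set[str]) -> dict:
    """Release only the requested, releasable attributes plus a pairwise subject."""
    forbidden = requested - RELEASABLE
    if forbidden:
        raise PermissionError(f"attributes not releasable: {sorted(forbidden)}")
    assertion = {attr: principal[attr] for attr in requested}
    assertion["sub"] = pairwise_identifier(principal["id"], system)
    return assertion


class AuditLog:
    """Keeps assertions only for a fixed retention period."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.records: List[Tuple[datetime, dict]] = []

    def record(self, assertion: dict, now: datetime) -> None:
        self.records.append((now + self.retention, assertion))

    def purge(self, now: datetime) -> int:
        """Delete expired records; returns how many were removed."""
        before = len(self.records)
        self.records = [(exp, a) for exp, a in self.records if exp > now]
        return before - len(self.records)


def retention_demo(days_elapsed: int, retention_days: int = 30) -> int:
    """Record one assertion, then purge after days_elapsed; returns records purged."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AuditLog(timedelta(days=retention_days))
    log.record(minimal_assertion(PRINCIPAL, "library", {"over_18"}), t0)
    return log.purge(t0 + timedelta(days=days_elapsed))


if __name__ == "__main__":
    lib = minimal_assertion(PRINCIPAL, "library", {"over_18"})
    pharm = minimal_assertion(PRINCIPAL, "pharmacy", {"over_18"})
    print("library sub :", lib["sub"])
    print("pharmacy sub:", pharm["sub"])
    print("linkable?   :", lib["sub"] == pharm["sub"])
    print("purged after 31 days:", retention_demo(31))
```

The library learns only that the person is over 18, the pharmacy gets a different subject identifier for the same person, and neither can join their records with the other's (or with the SSN, which the policy never releases). The audit log honours the storage guideline by deleting records once the stated need, expressed as a retention period, has passed.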