# Authentication of humans

People aren't computers. They don't have the computational or storage capacity. So the mechanisms to authenticate humans are considerably different from the mechanisms to authenticate machines. (Though they both have in common the notion of secrets.)

- **Something you know:** you demonstrate knowledge of a secret, e.g., a password
- **Something you have:** you demonstrate possession of an object, e.g., a prox card
- **Something you are:** you demonstrate some feature of yourself, e.g., a fingerprint

These aren't always clear-cut categories. A sheet of passwords, each valid only once, could be "know" or "have." A finger could be "have" or "are."

Frequently these are combined. Use independent methods from each of two categories, and you have *two-factor authentication*, e.g., using an ATM card requires "have" (the card) and "know" (the PIN). The general case is called *multi-factor authentication*.

## Identity

What is an identity? A name? A netid? An email? A URL? An IP address? Other attributes, like your citizenship, your credit score, your political party?

We'll say that an *identity* is a set of attributes; each *attribute* is a statement about or property of a principal. You have many identities that you present to those around you. Some of them might uniquely identify you, others might not. An *identifier* is an attribute that is associated with exactly one principal, perhaps within a given population.

*Enrollment* is the process of establishing an identity. We go through enrollment protocols all the time, e.g.,

- creating an account on a website,
- getting passports and visas,
- registering a machine on a wireless network, and
- establishing a signing key with (e.g.) Verisign.

The amount of work that the principal enrolling us does varies widely. Websites rarely verify many of our attributes, but governments issuing travel documents usually do. And we can pay to get various levels of verification from companies like Verisign.
Enrollment is tricky to design. It's where the digital world interfaces with the real world, so there's no fully technical solution.

## Biometrics

"Something you are" is authentication based on biometrics. *Biometrics* are a measurement of your physical or behavioral traits, e.g., your fingerprint, face, iris, retina, hands, or DNA. To be usable for authentication, a biometric must be (i) an identifier; (ii) invariant over time; (iii) difficult to spoof; (iv) easy to measure; and (v) acceptable to users.

Biometric measurement suffers from the problem of errors: it is based on physical characteristics and measurements that vary, so biometric authentication mechanisms can incorrectly accept or incorrectly reject an authentication request. Which kind of error is preferable depends on context.

Another problem with biometrics is updating of identities. If a fingerprint is disclosed, how do you issue the human a new finger? What about a new retina?

But despite these problems, biometrics are attractive. You can't lose them, forget them, or share them.

## Privacy

When authenticating humans, privacy is an important concern:

- When enrolling a human, a system learns about their attributes, which might include personal information, e.g., an SSN.
- When requesting authentication from a human, the human might believe that establishing their identity is detrimental, e.g., concerns about having a photograph captured.
- When binding an action to an identity, the action might involve information the human doesn't want to share, e.g., what medicine they purchased.
- When auditing, an identity might be stored and later abused, e.g., the storer uses it for data mining or hackers commit identity theft.

So authentication of humans must be handled carefully. Here are some guidelines for privacy in human authentication:

- **Seek consent.** Authenticate only once you have consent, and inform humans whether their identity will be stored.
- **Select minimal identity.** Authenticate against the smallest set of attributes necessary.
- **Limit storage.** Don't save information about authenticated identities without a clear need. When the need expires, delete the information.
- **Avoid linking.** Don't reuse the same identifier across multiple systems. This guideline is commonly violated for the sake of convenience.

## Exercises

1. Consider using biometrics to implement authentication at an airport terminal security gate. The biometric mechanism attempts to answer the question: "is this human who they claim to be?" What might be the consequences of a false accept rate of 1%? And of the same false reject rate? For the sake of concrete numbers, consider a Boeing 777 with a capacity of about 365 passengers.

2. Construct a plausible scenario (not one we discussed in lecture) in which false accepts would be far more problematic than false rejects. Then do the same for a scenario in which false rejects would be far more problematic than false accepts.

4. The Cornell CS department implemented an authentication system in Gates Hall. At night, many doors are closed and locked. To unlock a door, a Cornell ID card is required. These cards have passive RFID chips as well as magnetic stripes. Both can be used to communicate the card's unique ID number to a reader at the door. Assume that the reader can always correctly determine whether a particular ID number represents a valid Cornell identity.

    * One of the privacy guidelines is "Seek Consent." To what extent would that guideline be satisfied if the reader uses only magnetic stripes? To what extent would it be satisfied if the reader uses RFID configured at a range of 1 foot? At a range of 10 feet? What are the tradeoffs in convenience for each of these choices?
    * Another privacy guideline is "Select Minimal Identity." To what extent is that guideline satisfied here?
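As an added illustration of the biometric error discussion above (and of the numbers behind Exercise 1), not part of the lecture notes: a matcher declares a match when a similarity score clears a threshold, so the false accept rate (FAR) and false reject rate (FRR) are both functions of that threshold and can only be traded against each other. The score lists and the figure of five impostor attempts are constructed for the example; the 1% rates and the 365-passenger 777 come from Exercise 1.

```python
# Added example (not from the lecture notes): error rates of a threshold-based
# biometric matcher. Scores are constructed; a real matcher derives them from sensor data.
from typing import Iterable, List, Tuple

def error_rates(genuine: Iterable[float], impostor: Iterable[float],
                threshold: float) -> Tuple[float, float]:
    """A match is declared iff score >= threshold.
    FAR = fraction of impostor attempts accepted (false accept rate).
    FRR = fraction of genuine attempts rejected (false reject rate)."""
    genuine, impostor = list(genuine), list(impostor)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(genuine, impostor, steps: int = 20) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1. Raising the
    threshold can only lower FAR and raise FRR: the two are traded off."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps))
            for i in range(steps + 1)]

def eer_threshold(genuine, impostor, steps: int = 20) -> float:
    """Threshold at which FAR and FRR are closest (the equal-error-rate point)."""
    return min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))[0]

def expected_errors(passengers: int, impostor_attempts: int,
                    far: float, frr: float) -> Tuple[float, float]:
    """Expected number of genuine passengers wrongly rejected and of impostor
    attempts wrongly accepted, e.g. per flight."""
    return passengers * frr, impostor_attempts * far

# Constructed sample scores: genuine users tend to score high and impostors low,
# but the distributions overlap, which is exactly why some error is unavoidable.
GENUINE = [0.92, 0.85, 0.78, 0.70, 0.64, 0.58, 0.51, 0.47]
IMPOSTOR = [0.05, 0.12, 0.20, 0.28, 0.35, 0.41, 0.49, 0.55]

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, 10):
        print(f"threshold={t:.1f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("equal-error threshold:", eer_threshold(GENUINE, IMPOSTOR))
    rejected, admitted = expected_errors(365, 5, 0.01, 0.01)
    print(f"777 flight at 1%/1%: ~{rejected:.2f} genuine passengers rejected, "
          f"~{admitted:.2f} of 5 constructed impostor attempts admitted")
```

Note that the expected number of false accepts scales with how many impostors actually try, not with the passenger count, which is why the two error rates have such different consequences in Exercise 1.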
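One way an identity provider can follow the "Avoid linking" guideline, added here as an example and not taken from the notes: instead of handing every system the same identifier (say, a netid), derive a separate, stable pseudonym per system with a keyed hash, so that two systems comparing their records cannot join them on the identifier. The same idea appears as pairwise subject identifiers in OpenID Connect; the key and the principal and system names below are constructed.

```python
# Added example (not from the lecture notes): per-system pseudonymous identifiers.
import hashlib
import hmac
import secrets

class PseudonymIssuer:
    """Identity provider that never reveals the underlying identifier to systems."""

    def __init__(self, master_key: bytes):
        self._key = master_key  # held only by the identity provider

    def pseudonym(self, principal_id: str, system_id: str) -> str:
        # HMAC-SHA256 over principal and system. Without the key, a system cannot
        # recover the principal id or compute another system's pseudonym.
        # The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
        msg = principal_id.encode() + b"\x00" + system_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

def linkable(pseudonym_a: str, pseudonym_b: str) -> bool:
    """All that two colluding systems can do: compare the identifiers they hold."""
    return hmac.compare_digest(pseudonym_a, pseudonym_b)

if __name__ == "__main__":
    issuer = PseudonymIssuer(secrets.token_bytes(32))   # fresh key per deployment
    library = issuer.pseudonym("abc123", "library")      # constructed netid/system
    pharmacy = issuer.pseudonym("abc123", "pharmacy")
    print("library :", library)
    print("pharmacy:", pharmacy)
    print("linkable across systems:", linkable(library, pharmacy))      # False
    print("stable within a system :", library == issuer.pseudonym("abc123", "library"))
```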