# Authentication of humans
People aren't computers. They don't have the computational or storage
capacity. So the mechanisms to authenticate humans are considerably
different from the mechanisms to authenticate machines. (Though they
both have in common the notion of secrets.)
- **Something you know:** you demonstrate knowledge of secret, e.g.,
- **Something you have:** you demonstrate possession of object, e.g.,
- **Something you are:** you demonstrate some feature of yourself,
These aren't always clear-cut categories. A sheet of passwords, each
valid only once, could be "know" or "have." A finger could be "have" or
Frequently these are combined. Use independent methods from each of two
categories, and you have *two-factor authentication*, e.g., using an ATM
card requires "have" (card) and "know" (PIN). The general case is called
What is an identity? A name? A netid? An email? A URL? An IP address?
Other attributes, like your citizenship, your credit score, your
We'll say that an *identity* is a set of attributes;
each *attribute* is a statement about or property of a principal. You
have many identities that you present to those around you. Some of them
might uniquely identify you, others might not. An *identifier* is an
attribute that is associated with exactly one principal, perhaps within
a given population.
*Enrollment* is the process of establishing an identity. We go through
enrollment protocols all the time, e.g.,
- creating an account on a website,
- getting passports and visas,
- registering a machine on a wireless network, and
- establishing a signing key with (e.g.) Verisign.
The amount of work that the principal enrolling us does varies widely.
Websites rarely verify many of our attributes, but governments issuing
travel documents usually do. And we can pay to get various levels of
verification from companies like Verisign.
Enrollment is tricky to design. It's where the digital world interfaces
with the real world, so there's no fully technical solution.
"Something you are" is authentication based on biometrics. *Biometrics*
are a measurement of your physical or behavioral traits, e.g., your
fingerprint, face, iris, retina, hands, or DNA. To be usable for
authentication, a biometric must be (i) an identifier; (ii) invariant
over time; (iii) difficult to spoof; (iv) easy to measure; and (v)
acceptable to users.
Biometric measurement suffers from the problem of errors: it is based on
physical characteristics and measurements that vary, so biometric
authentication mechanisms can incorrectly accept or incorrectly reject
an authentication request. Which is better depends on context. Another
problem with biometrics is updating of identities. If a fingerprint is
disclosed, how do you issue the human a new finger? What about a new
But despite these problems, biometrics are attractive. You can't lose
them, forget them, or share them.
When authenticating humans, privacy is an important concern:
- When enrolling a human, a system learns about their attributes,
which might include personal information, e.g., SSN.
- When requesting authentication from a human, the human might believe
that establishing their identity is detrimental, e.g., concerns
about having a photograph captured.
- When binding an action to an identity, the action might involve
information the human doesn't want to share, e.g., what medicine
- When auditing, an identity might be stored and later abused, e.g.,
the storer uses it for data mining or hackers commit identity theft.
So authentication of humans must be handled carefully.
Here are some guidelines for privacy in human authentication:
- **Seek consent.** Authenticate only once you have consent, and
inform humans whether their identity will be stored.
- **Select minimal identity.** Authenticate against smallest set of
- **Limit storage.** Don't save information about authenticated
identities without a clear need. When the need expires, delete the
- **Avoid linking.** Don't reuse the same identifier across multiple
systems. This is commonly violated for the sake of convenience.
1. Consider using biometrics to implement authentication at an
airport terminal security gate. The biometric mechanism attempts to
answer the question: "is this human who they claim to be?" What might
be the consequences of a false accept rate of 1%? And of the same false
reject rate? For sake of concrete numbers, consider a Boeing 777 with
capacity of about 365 passengers.
2. Construct a plausible scenario (not one we discussed in lecture)
in which false accepts would be far more problematic than false rejects.
Then do the same for a scenario in which false rejects would
be far more problematic than false accepts.
4. The Cornell CS department implemented an authentication system in
Gates Hall. At night, many doors are closed and locked. To unlock a
door, a Cornell ID card is required. These cards have passive RFID
chips as well as magnetic stripes. Both can be used to communicate the
card’s unique ID number to a reader at the door. Assume that the reader
can always correctly determine whether a particular ID number represents
a valid Cornell identity.
* One of the privacy guidelines is "Seek Consent." To what extent
would that guideline be satisfied if the reader uses only magnetic
stripes? To what extent would it be satisfied if the reader uses RFID
configured at a range of 1 foot? At a range of 10 feet? What are the
tradeoffs in convenience for each of these choices?
* Another privacy guideline is "Select Minimal Identity." To what
extent is that guideline satisfied here?