What is identity?

This episode describes identity and authentication. Authentication is the process you go through to prove your identity and there are several ways you can do this. It’s often confused with authorization but they’re different things and should not be used as if they are the same. Authorization controls what a person is allowed to do while authentication proves who a person is. If you’re not worried about authorization and have a completely open system where everybody has full access, then you don’t need to worry about who’s who.

The episode describes four separate ways to authenticate and then describes how these can be combined for even greater security. After I recorded the episode, I realized that I left out another form of authentication. It’s not very common, so it should not cause any major problems, especially when most articles online only discuss three forms anyway. Here are the forms of authentication from least secure to most secure:

  1. Where you are. With this form of authentication, just showing up is proof enough. Sometimes sites will have unadvertised URLs that the hosts only provide to certain people. It’s assumed that if you visit one of these URLs, then you must be who you say you are.
  2. Who knows you. This is the mode that I left out of the podcast. It’s most often used in real life when another person vouches for you. Maybe you forgot your identity card but a friend steps in and says, “It’s alright, I know this person.”
  3. What you know. This is the most common form of online authentication and usually involves knowing a name and password. If another person obtains this information, then they can effectively steal your identity.
  4. What you have. This is probably the most common form of authentication in the real world. Every key that you have is a form of this type of authentication. As long as you have the key, then you’re good. This can also be a movie ticket or a sports ticket or even cash. Now, don’t get me wrong, cash doesn’t usually prove your identity unless you have your own country and it’s your picture on the bills. But just having the cash does prove ownership.
  5. What you are. This involves aspects that are unique to you such as fingerprints, voice recognition, and retinal scans. I should have mentioned DNA but just thought about that.

You can really improve security by combining these. If you haven’t yet enabled two-factor authentication for your email and other online sites, then do that right now. It’s really important. With two-factor authentication, sometimes called multi-factor authentication, a system usually starts by asking for what you know, such as your password, and then sends some extra information to a device you have, such as your mobile phone. Now, in order for an attacker to steal your identity, the attacker needs to both know your password and have your phone. This is much more difficult and secure. Listen to the full episode or you can also read the full transcript below.

Transcript

Okay, on to the question this week. Seems simple, right? But have you really thought about what makes up a person’s identity? How do you prove that you are who you say you are? There are actually different types or levels of proof and we use them all the time. Everybody who’s used a computer knows about a name and password. But there’s a lot more to identity than just this. Ready for an explanation?

In computer terms, this process is usually called authentication and is used for access control. This is the first step to being able to do something. You have to have a reliable identity that’s been authenticated.

A related and often confused term is authorization which controls what you’re allowed to do. Authorization first needs valid and secure authentication because if the system doesn’t know who you are, then it can’t very well determine what you can and cannot do.

Of course, if there’s no authorization, then there’s not much use for authentication and identities either. In other words, if you don’t care what people can do, then does it really matter who does it?

If you do care about security and only letting certain people have access and controlling what can be done, then you need to identify visitors and authenticate them.

There are actually different ways you can do this. Three common types of authentication are called “what you know”, “what you have”, and “what you are”. But there’s another type as well. I’ll explain them from the most basic and vulnerable to the most advanced and secure.

The simplest type of authentication is something called “where you are.” Imagine arranging to meet somebody that you’ve never met before at a certain time and place. How will you identify the other person? You have no choice but to make sure that you’re present at the specified time and place and then look around for anybody who also looks like they’re looking for another person. Maybe you can make this process easier by holding a sign with the other person’s name on it. Have you ever arrived at an airport and noticed limo drivers holding signs with a person’s name? Imagine what would happen if you pretended to be that person. It probably wouldn’t take much to get a free ride somewhere. Of course, you wouldn’t be able to choose your destination. All it takes to pass this type of authentication is just being in the right place at the right time.

The most common form of computer authentication is called “what you know.” This is usually a name and password. It’s easy to implement and easy to use. Sometimes, too easy. People choose user names and passwords that are predictable and easy to guess. I just searched for popular passwords and found an article that listed the top 25 most common passwords. Amazing!

◦ Many easy number combinations such as 1234, 12345, all the way up to 1234567890.

◦ Other easy number and letter combinations such as 0000, 1111, and abc123.

◦ Sports such as football and baseball.

◦ Keyboard arrangement combinations such as qwerty or 1qaz2wsx.

◦ And popular movie references such as StarWars.

Even if you think you’re being different by selecting a password that’s a random word such as “trouble”, all I can say is that’s exactly what you’re going to get.

There are some really good benefits to a “what you know” authentication. As long as you don’t forget your password, you’ll be able to use it from almost anywhere. This is where most people go wrong by thinking that they’ll forget a hard password. They make it easy for an attacker to guess.

And of course, this situation is made even worse when a person uses the same password at multiple locations. All it takes now is for an attacker to guess one and the attacker has access to them all.
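As an added example (not code from the episode), here is a Python check that flags the guessable patterns the list above describes: the denylist is constructed from the episode’s own examples plus “trouble”, and the function names are assumptions for illustration.

```python
import re

# Constructed denylist built from the categories the episode lists:
# number runs, repeated digits, sports, keyboard walks, movie names, "trouble".
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "1234567890", "0000", "1111", "abc123",
    "football", "baseball", "qwerty", "1qaz2wsx", "starwars", "trouble",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def is_sequential_digits(s):
    """True for runs like 1234 or 9876 (each digit one step up, or down, from the last)."""
    if not s.isdigit() or len(s) < 4:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {9}

def has_keyboard_walk(s, min_len=4):
    """True if min_len adjacent characters trace a keyboard row in either direction."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            run = row[i:i + min_len]
            if run in low or run[::-1] in low:
                return True
    return False

def password_problems(pw):
    """Return the reasons a password is easy to guess; an empty list means none found."""
    low = pw.lower()
    problems = []
    if low in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(set(low)) == 1:
        problems.append("a single character repeated")
    if is_sequential_digits(pw):
        problems.append("sequential digits")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk")
    if re.fullmatch(r"[a-z]+", low):
        problems.append("a single word, so guessable from a dictionary")
    return problems
```

A real deployment would back the small constructed denylist with a full list of known-breached passwords, but the pattern checks apply regardless of list size.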

What about the next mode, “what you have?” While I don’t have any solid evidence, I’d guess that this is probably the most common form of authentication when you consider how we authenticate in real life in addition to online.

Let me ask you this. How do you authenticate to your car that you’re the owner? With your keys. You have to have your keys in order to get in your car. How do you open the door to your house? With your keys. Sure, there are some cars and some houses that have keyless entry systems that use a keypad to enter a password. This is just another form of the less secure “what you know.”

Imagine a thief wanted to break into a house and was trying to decide which of two houses to target. One uses keys and one uses a keypad. Which is easier to break into? Keyed locks can be picked so this is an option but it takes time. Keys can be stolen but this is difficult to do without the owner noticing unless it’s an opportunistic theft. A friend of mine had his car stolen not long after his wife dropped her keys and didn’t notice. Assuming nothing like this happens though, the keypad entry is still the easiest. All a thief needs to do is watch closely from a safe distance with binoculars to see which keys are pressed. And if you think you cover your entry, then it’s still super easy for a thief to use an infrared camera to take a picture of your keypad within minutes of you entering your house and closing the door. Not only will the pressed digits light up but the order will also be clearly visible. This is why when I use my debit card in a store, I always make sure to lightly touch some of the other keys after I’m done. Am I a bit paranoid? Yeah. You might want to consider doing the same thing.

Let’s move on to the next type of authentication, “what you are.” This is the most secure and usually what villains in Hollywood movies have to struggle with the most. This form of authentication includes fingerprints and retina scans and voice recognition. But it could be more elaborate. I remember an article once that described how a car security system could tell when its owner approached and automatically unlock the doors just by the pattern of the footsteps. I don’t know about that one. It seems a little unreliable to me.

This form of authentication can be the most secure but it’s also hard to get around if it malfunctions. Got a cold? That voice recognition may not work so well. Fingerprint scanner? Just hope you don’t need to do a lot of scrubbing and wear away your fingerprints. Otherwise, you may not have access for a few days until your fingers recover.

You don’t have to go all out with retinal scanning systems to get better authentication though. One really good approach is to combine methods. If you haven’t yet enabled two-factor authentication for your email and any other online accounts that support it, then do that today. Really, just a single option selection can turn your easily hackable password into a much more secure system where an attacker not only needs to know your password but also needs access to your mobile phone.

I’ve even heard of systems that incorporate “where you are”, “what you know” and “what you have” all in one. Imagine this scenario. You log into a system and enter your user name and password. It then sends a text message to your phone with a one-time password. You type this password into the system and it immediately disconnects. Then the system calls your home phone number with further instructions. In order to log in to this type of system, you have to know your basic information, have your mobile phone with you, and be present in your home. That’s quite secure.
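An added example, not code from the episode, of the two-step flow described in the last two paragraphs: the password (what you know) is verified first, then a one-time code is sent over an assumed out-of-band channel (`send_sms` is a placeholder callback standing in for the text message) and must be presented before it expires, is reused, or runs out of attempts. The class and function names are assumptions for illustration; the `now` parameter exists so the expiry can be exercised offline.

```python
import hashlib, hmac, os, secrets, time

OTP_TTL_SECONDS = 300   # a code is only good for five minutes
OTP_MAX_ATTEMPTS = 3    # three wrong guesses void the code

def hash_password(password, salt=None):
    """Salted, slow hash so a stolen database does not directly reveal 'what you know'."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    """'What you know' (password) plus 'what you have' (a code sent to your phone)."""
    def __init__(self, username, password, phone_number, send_sms):
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.phone_number = phone_number
        self.send_sms = send_sms   # assumed out-of-band callback(number, message)
        self.pending = None        # [code, expires_at, attempts_left] or None

    def check_password(self, username, password, now=None):
        """Step 1: verify what you know; on success issue and send a one-time code."""
        if username != self.username:
            return False
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"      # unpredictable 6-digit code
        now = time.time() if now is None else now
        self.pending = [code, now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS]
        self.send_sms(self.phone_number, f"Your login code is {code}")
        return True

    def check_code(self, code, now=None):
        """Step 2: verify what you have; the code is single-use, expiring and attempt-limited."""
        if self.pending is None:   # no password step completed first
            return False
        now = time.time() if now is None else now
        expected, expires_at, attempts_left = self.pending
        if now > expires_at or attempts_left <= 0:
            self.pending = None
            return False
        if hmac.compare_digest(code, expected):
            self.pending = None    # consumed: replaying the same code later fails
            return True
        self.pending[2] -= 1       # wrong guess burns one attempt
        return False
```

Knowing the password alone never completes the login, and the code is useless once consumed or expired, which is the property the episode is pointing at.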