Have you ever heard of the list of most needed inventions?
These are the sorts of inventions that, if realized, would overcome technological hurdles that are preventing mankind from reaching our most cherished dreams. Room temperature super conductors, advanced nanotechnology and practical fusion power are just a few. There are a number of inventions like this that are needed to make information security a reliable, efficient and low cost process. And chief among them is the Holy Grail of information security: an un-spoofable identity authentication mechanism.
Just think of it! A way for people and machines to know with a certainty that it is you and only you that they are communicating with. No more worries that someone will steal your identity and empty your bank accounts. No problems with cyber criminals impersonating IT personnel and stealing information or crashing systems. Think of the money and time you could save on complex intrusion detection and prevention systems and complicated processes. It is fun to contemplate. But, unfortunately, it is all just wishful thinking. Despite years of concentrated thought and effort, nobody has a clue how to make it work!
There are just three ways known to authenticate identity:
- Using something you know
- Using something you have or
- Using something you are
When talking about authenticating yourself to a computer system, something you know is typically a user name, a password or an encryption key. I think all of us know that despite all efforts to keep these mechanisms secret and secure, it doesn’t prevent intruders from getting them. The problem is that people have to know them, they need to store them and they need to use them, and that makes them vulnerable. So something you know isn’t the answer.
Let’s go to the second mechanism: something you have. In the computer world this is usually a smart card, token or the like. Combined with a user name and password, this mechanism provides another layer of security that can be very effective. But it is far from perfect. Smart cards and tokens can be stolen or misplaced. Perhaps a certificate authority or token provider’s servers are compromised. Some mechanisms can be reverse engineered. So, the upshot is, you can add something you have, to something you know and get better, albeit far from perfect, identity authentication. But the cost you pay in dollars and personnel hours has just gone way up.
So let’s go to the final possible authentication mechanism: something you are. For computer systems this is presently typically finger prints or retinal scans, although other possible mechanisms include facial recognition, voice recognition, heuristics (behavior matching) and DNA matching. This mechanism, once again, provides added security to the identity authentication process, but still is not perfect. For one thing, this kind of authentication mechanism works best in person. If a fingerprint, for example, is transmitted it really travels as a series of electromagnetic signals and these can be spoofed. But even in person, this type of mechanism can possibly be spoofed. So adding something you are to something you have and something you know once again makes it much more difficult to spoof identity, but still doesn’t render it impossible. And imagine the added burden in money and inconvenience using all three mechanisms would mean to your organization! Seems like way too much just to protect some financial data or health information, huh?
So, please, let’s all of us spend some thought trying to find the perfect identity authentication mechanism. It may be like trying to come up with perpetual motion, but if you do manage it, I guarantee you the rewards will keep you and yours in clover for the rest of your lives!
Pingback: Authentication: The Holy Grail of Information Security « Near Field Communications