20140628 Holy trinity of authentication
June 28, 2014•643 words
Here is the holy trinity of authentication: 1/ something you know, 2/ something you have, and 3/ something you are. This is the traditional order in which the factors are listed because it is the order of least to most difficult to verify. It is also the order of least to most secure; inevitably, only factor 3 will survive.
Something you know, the password or passphrase, is being rendered obsolete. Passwords are easy to steal at the point of entry (keyloggers, phishing pages, shoulder surfing); most people re-use similar or guessable passwords across services or across time; and many services have flaws in how they transport or store them. Something you know can also be facts from your family, financial, and residence history, as in knowledge-based authentication: a rapid-fire series of questions based on your unique history should not be easy to answer quickly except by you. However, all such information is being collected, processed, and made available to those who wish to acquire it. Something you know will become something anyone can know for the right price.
Something you have is a physical or virtual token. A metal house key is a simple example of a physical token. It has a weak connection to your identity because copies can easily be shared with others, intentionally or not. A token with a strong connection to your identity is typically a gov- or biz-issued ID card, badge, fob, or phone. For additional security it may generate a one-time code or compute the answer to a challenge from the verifier, proving that it holds a secret without ever sending that secret over the wire. Another type of virtual token is a private key/certificate. It is difficult to keep a private key completely private and yet not lose it. Something you have is subject to some combination of loss, theft, damage, malfunction, and forgery.
Something you are is a signature of your body and mind at rest or in motion. Something you are is convenient because no matter where you go, there you are. Examples are your voice, fingerprint, hand shape, retinal image, DNA, facial image and expression, brain wave activity, blinking pattern, walking gait, and typing rhythm. Some biometric signatures are subject to a combination of theft, injury, emotion, or interpretation, causing both false negatives and false positives; and unlike a password or token, a stolen biometric cannot be reissued. Still, the accuracy will quickly improve as this factor becomes the most important.
Multi-factor authentication—using two or three of the above factors—is, of course, better than just one. Two-factor authentication usually means something you know plus something you have.
Outside of high-security biz or gov operations, something you know will fade away, leaving the general public with only something you have and something you are. To maximize availability and minimize fraud, the something-you-have token must be issued by a regional or global authority—a partnership of biz/gov—and used in combination with something you are to access, operate, buy, or sell anything significant. Biz and gov will eventually insist on it because they are so keen to tie all activity to "real" individuals; only thereby can they accurately track and assess the risks (loss, threat) and opportunities (profit, influence) associated with each individual.
Yet... something you have will gradually be phased out as well. Every token must be provisioned from a secret held by the issuer (a per-token seed, or the key that signs the token's credentials), and secrets cannot be kept forever. The more tokens that depend on a given secret—i.e., the more that are issued by a given authority—the bigger a target that secret becomes and the sooner it will be compromised; then every token must be reprogrammed or reissued. Gov and biz will tire of that arms race as the cost of risk mitigation approaches the cost of realized risk.
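To make the "something you have" token concrete, and to show why the issuer's secret is the target described above, here is an added example (written for this page, not code from the original post): a one-time-password token of the HOTP/TOTP kind (RFC 4226 / RFC 6238), the verifier that checks it, and what an attacker holding a copy of the issuer's seed table can do. The seed value is the RFC 4226 test seed, so the codes can be checked against the RFC; the seed table, the serial number and the function names are constructed for illustration.

```python
"""Added example for this page: an HOTP/TOTP token and verifier.

Token and verifier share a per-token seed. The token turns a counter (HOTP) or
the clock (TOTP) into a short code; the verifier recomputes it. Anyone holding
the seed, e.g. from a stolen copy of the issuer's seed database, can mint the
same codes without touching the physical token.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_hotp(seed: bytes, code: str, last_counter: int,
                window: int = 5) -> Optional[int]:
    """Verifier side. Accepts a code for any of the next `window` counters
    after `last_counter` (the user may have pressed the button without
    logging in). Returns the matched counter, which the verifier must store
    so the same code cannot be replayed, or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(seed, c), code):   # constant-time compare
            return c
    return None


# Constructed issuer seed table: token serial -> seed. The seed is the
# RFC 4226 test seed, so the codes below match the RFC's test vectors.
ISSUER_SEEDS: Dict[str, bytes] = {
    "TOKEN-0001": b"12345678901234567890",
}


def attacker_with_seed_copy(stolen_seeds: Dict[str, bytes],
                            serial: str, counter: int) -> str:
    """A copy of the issuer's seed table is all an attacker needs to produce
    a valid code for any token it covers; the token itself is irrelevant."""
    return hotp(stolen_seeds[serial], counter)


if __name__ == "__main__":
    seed = ISSUER_SEEDS["TOKEN-0001"]
    print(hotp(seed, 0))                                    # 755224 (RFC 4226)
    print(totp(seed, 59))                                   # 287082: 59 // 30 == 1
    print(verify_hotp(seed, hotp(seed, 3), last_counter=0)) # 3
    print(verify_hotp(seed, hotp(seed, 3), last_counter=3)) # None: replay refused
    print(attacker_with_seed_copy(ISSUER_SEEDS, "TOKEN-0001", 0))  # 755224 again
```

The verifier must persist the returned counter after every success; a verifier that forgets it accepts the same code twice. The last call is the point of the paragraph above: once the seed table leaks, every token provisioned from it has to be reseeded or replaced, and a bigger issuer has a bigger table to lose.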
Eventually all that will be left to establish your identity is, literally, you: your body and mind encoded into a matrix of variables. Expect your form and behavior to be scrutinized ever more closely by algorithms for this purpose.
Hey, at least you can look forward to a future free of illegible CAPTCHAs, forgotten passwords, and lost IDs?