Friday, February 6, 2015

Come as you are

Any authentication (and, through it, authorization) rests on one or more of three elephants (and a turtle): "what you know", "what you have" and "what you are".

All three have been in use since prehistoric times. Passwords, keys on a keyring, and secret signs or marks on the skin (including tattoos) are the classic examples of these three types of authentication.

"What you know" is extremely easy to disclose in the digital age. Passwords are hard to remember and easy to steal. While still in use, they are now complemented by other factors to form multifactor authentication.

The article on CIO has an excellent overview of methods and technologies for authenticating you by what you are and, to some extent, by what you have. Not only the body parts themselves are measured, but also the way they function. Heartbeat and brain waves seem to be the most advanced authentication sources available today.

Yet it remains unclear how the freshness of the data can be ensured. A computer system receives authentication data from the person by digitizing the measured trait and comparing it to the stored pattern. Nothing in that exchange ties the capture to the current session, so the digitized data can be intercepted in transit and replayed later for false authentication.

Even worse, fingerprints and iris images can be captured from a distance with a powerful camera and then misused: unlike a password, a biometric trait cannot be changed once it has leaked.

The only way I can think of right now is a challenge-response mechanism that measures how the person reacts to certain stimuli, such as a particular light-flash pattern (when inspecting the iris) or a math problem the user has to solve (when capturing brain waves).
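To make the replay problem above concrete, here is an added example (not code from the post or from the CIO article) that simulates both sides of the exchange. It assumes, as the post does not specify, that the stored pattern is an iris-code style bit string matched by fractional Hamming distance, that the capture device is trusted and shares a per-device key with the verifier, and that a 20% bit-difference threshold separates the same eye from a different one; the template, key and captures are constructed inline. The naive protocol ships only the digitized capture, so an intercepted capture verifies again later. The hardened protocol is the cryptographic analogue of the challenge-response idea: the verifier issues a single-use nonce and the sensor MACs the capture together with it, so a recorded message is rejected on replay and an attacker without the device key cannot forge a response to a fresh challenge. Note what this does not fix: a photographed iris presented to the trusted sensor still produces a validly bound capture, which is why a physiological challenge such as the flash-pattern response still matters at the sensor itself.

```python
import hashlib
import hmac
import secrets

# Assumed (not from the post): two captures of the same eye differ in fewer
# than this fraction of bits, as with iris-code matching.
HAMMING_THRESHOLD = 0.20

# Constructed 256-bit enrolled template and a per-device key shared by the
# trusted sensor and the verifier. Neither value comes from the post.
ENROLLED = bytes.fromhex(
    "3c9a7f1e0b44d2a8e6513fc07b9d2e14a1c3e5f7091b2d4f6e8a0c2e4f6b8d9a")
DEVICE_KEY = b"constructed-per-device-secret"


def flip_bits(template: bytes, positions) -> bytes:
    """Return a copy of template with the given bit positions inverted."""
    buf = bytearray(template)
    for p in positions:
        buf[p // 8] ^= 1 << (p % 8)
    return bytes(buf)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length codes."""
    assert len(a) == len(b)
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


def naive_verify(template: bytes, capture: bytes) -> bool:
    """Protocol as the post describes it: the sensor ships the digitized
    capture and the verifier compares it to the stored pattern. Nothing
    ties the capture to this session, so a recorded capture verifies again."""
    return hamming_fraction(template, capture) < HAMMING_THRESHOLD


class Sensor:
    """Trusted capture device holding the shared device key."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes, capture: bytes):
        # Bind this capture to the verifier's challenge; the MAC covers both.
        tag = hmac.new(self.key, nonce + capture, hashlib.sha256).digest()
        return nonce, capture, tag


class Verifier:
    """Issues single-use challenges and accepts only captures bound to one."""

    def __init__(self, template: bytes, key: bytes):
        self.template = template
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, capture: bytes, tag: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed: a replay
        self.outstanding.discard(nonce)  # every challenge is single-use
        expected = hmac.new(self.key, nonce + capture, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # not produced by the trusted sensor for this nonce
        return hamming_fraction(self.template, capture) < HAMMING_THRESHOLD


def demo() -> dict:
    """Run the replay and forgery attempts against both protocols."""
    live = flip_bits(ENROLLED, [3, 40, 77, 101, 150, 199, 230, 255])  # same eye, 8 noisy bits
    impostor = flip_bits(ENROLLED, range(0, 256, 2))                  # half the bits differ
    sensor = Sensor(DEVICE_KEY)
    verifier = Verifier(ENROLLED, DEVICE_KEY)

    # 1. Naive protocol: the genuine capture, once intercepted, replays forever.
    naive_genuine = naive_verify(ENROLLED, live)
    naive_replay = naive_verify(ENROLLED, live)  # identical bytes, later session

    # 2. Challenge-bound protocol: the genuine session succeeds ...
    msg = sensor.respond(verifier.challenge(), live)
    bound_genuine = verifier.verify(*msg)
    # ... replaying the recorded message fails because its nonce is consumed ...
    bound_replay = verifier.verify(*msg)
    # ... and an attacker holding a fresh nonce but no device key cannot forge the tag.
    fresh = verifier.challenge()
    forged_tag = hmac.new(b"guess", fresh + live, hashlib.sha256).digest()
    bound_forged = verifier.verify(fresh, live, forged_tag)
    # A different eye, even through the trusted sensor, still fails the match.
    bound_impostor = verifier.verify(*sensor.respond(verifier.challenge(), impostor))

    return {
        "naive_genuine": naive_genuine, "naive_replay": naive_replay,
        "naive_impostor": naive_verify(ENROLLED, impostor),
        "bound_genuine": bound_genuine, "bound_replay": bound_replay,
        "bound_forged": bound_forged, "bound_impostor": bound_impostor,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {ok}")
```

The single-use nonce set is the whole point: the verifier refuses anything it did not ask for in this session, whether it is a recording of last week's capture or the same message sent twice. In a real deployment the device key would live in tamper-resistant hardware on the sensor, since an attacker who extracts it can bind any image, including a photographed iris, to any challenge.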