Authentication of humans

People aren't computers. They don't have the computational or storage capacity. So the mechanisms to authenticate humans are considerably different from the mechanisms to authenticate machines. (Though they both have in common the notion of secrets.)

These three categories (something you know, something you have, something you are) aren't always clear-cut. A sheet of passwords, each valid only once, could be "know" or "have." A finger could be "have" or "are."

Frequently these are combined. Use independent methods from each of two categories, and you have two-factor authentication, e.g., using an ATM card requires "have" (card) and "know" (PIN). The general case is called multi-factor authentication.

Identity

What is an identity? A name? A netid? An email? A URL? An IP address? Other attributes, like your citizenship, your credit score, your political party?

We'll say that an identity is a set of attributes; each attribute is a statement about or property of a principal. You have many identities that you present to those around you. Some of them might uniquely identify you, others might not. An identifier is an attribute that is associated with exactly one principal, perhaps within a given population.
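As an added worked example (not part of these notes), the following Python code models an identity as a set of attributes and checks which attributes are identifiers within a given population. The population, attribute names and values are constructed for illustration; the point it shows is that whether an attribute is an identifier depends on the population it is evaluated against.

```python
# Added example, not from the lecture notes: identities as attribute sets,
# identifiers as attributes whose value picks out exactly one principal
# within a given population.
from collections import Counter

# Constructed sample population: each principal is a set of attributes,
# represented as a dict of attribute name -> value.
POPULATION = [
    {"name": "Alice", "netid": "abc12", "citizenship": "US", "email": "abc12@example.edu"},
    {"name": "Bob",   "netid": "bcd34", "citizenship": "US", "email": "bcd34@example.edu"},
    {"name": "Alice", "netid": "ace56", "citizenship": "CA", "email": "ace56@example.edu"},
]


def identifiers(population):
    """Return the attribute names that are identifiers within this population,
    i.e. no value of the attribute is shared by two or more principals."""
    names = {attr for principal in population for attr in principal}
    result = set()
    for attr in names:
        # Count how many principals carry each value of this attribute.
        counts = Counter(p[attr] for p in population if attr in p)
        if all(n == 1 for n in counts.values()):
            result.add(attr)
    return result


def resolve(population, attr, value):
    """Look up the single principal with attr == value.  Returns None when
    there is no such principal or when the value is ambiguous, which is
    exactly the case where attr is not an identifier for that value."""
    matches = [p for p in population if p.get(attr) == value]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print("identifiers in full population:", sorted(identifiers(POPULATION)))
    # In the smaller population the name is unique, so it becomes an identifier.
    print("identifiers in first two only: ", sorted(identifiers(POPULATION[:2])))
    print("resolve name=Alice:", resolve(POPULATION, "name", "Alice"))
    print("resolve netid=ace56:", resolve(POPULATION, "netid", "ace56"))
```

Note that "name" is an identifier for the first two principals but not once the third is enrolled, and "citizenship" is never one here: an identifier is relative to the population, which is why enrollment must decide which attributes it relies on.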

Enrollment is the process of establishing an identity. We go through enrollment protocols all the time, e.g.,

The amount of work that the principal enrolling us does varies widely. Websites rarely verify many of our attributes, but governments issuing travel documents usually do. And we can pay to get various levels of verification from companies like Verisign.

Enrollment is tricky to design. It's where the digital world interfaces with the real world, so there's no fully technical solution.

Biometrics

"Something you are" is authentication based on biometrics. Biometrics are a measurement of your physical or behavioral traits, e.g., your fingerprint, face, iris, retina, hands, or DNA. To be usable for authentication, a biometric must be (i) an identifier; (ii) invariant over time; (iii) difficult to spoof; (iv) easy to measure; and (v) acceptable to users.

Biometric measurement suffers from errors: it is based on physical characteristics whose measurements vary, so a biometric authentication mechanism can incorrectly accept an authentication request (a false accept) or incorrectly reject one (a false reject). Which kind of error is worse depends on context. Another problem with biometrics is updating identities. If a fingerprint is disclosed, how do you issue the human a new finger? What about a new retina?
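The following added example (not from these notes) makes the false accept / false reject tradeoff concrete. A biometric matcher typically produces a similarity score and accepts when the score meets a threshold; the code below computes the false accept rate (FAR) and false reject rate (FRR) from constructed sets of genuine and impostor scores at several thresholds, and finds the threshold where the two rates are closest (the equal error rate point). The score values are made up for illustration; the shape of the tradeoff, not the numbers, is the point.

```python
# Added example, not from the lecture notes: how the decision threshold of a
# score-based biometric matcher trades false accepts against false rejects.

# Constructed similarity scores (0..100) for attempts whose true identity is
# known.  Genuine = the claimed person presented; impostor = someone else did.
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 66, 97, 79, 85]
IMPOSTOR_SCORES = [31, 45, 52, 60, 28, 73, 40, 49, 66, 38]


def accept(score, threshold):
    """The matcher's decision rule: accept when the score meets the threshold."""
    return score >= threshold


def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor attempts the matcher wrongly accepts."""
    return sum(accept(s, threshold) for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine attempts the matcher wrongly rejects."""
    return sum(not accept(s, threshold) for s in genuine_scores) / len(genuine_scores)


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold, to see the tradeoff."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest; ties go to the lowest one."""
    return min(thresholds,
               key=lambda t: abs(false_accept_rate(impostor, t)
                                 - false_reject_rate(genuine, t)))


if __name__ == "__main__":
    thresholds = range(0, 101, 5)
    print(" thr   FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        print(f"{t:4d}  {far:.2f}  {frr:.2f}")
    eer = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print("equal-error threshold:", eer)
```

Raising the threshold drives FAR toward zero at the cost of a higher FRR, and lowering it does the reverse; a deployment that fears impostors (a secure area) sets it high and accepts more legitimate users being turned away, while one that fears inconvenience sets it low. The equal-error point is only a summary of the matcher, not a recommended operating point.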

But despite these problems, biometrics are attractive. You can't lose them, forget them, or share them.

Privacy

When authenticating humans, privacy is an important concern:

So authentication of humans must be handled carefully.

Here are some guidelines for privacy in human authentication:

Exercises

  1. Consider using biometrics to implement authentication at an airport terminal security gate. The biometric mechanism attempts to answer the question: "is this human who they claim to be?" What might be the consequences of a false accept rate of 1%? And of the same false reject rate? For sake of concrete numbers, consider a Boeing 777 with capacity of about 365 passengers.

  2. Construct a plausible scenario (not one we discussed in lecture) in which false accepts would be far more problematic than false rejects. Then do the same for a scenario in which false rejects would be far more problematic than false accepts.

  3. The Cornell CS department implemented an authentication system in Gates Hall. At night, many doors are closed and locked. To unlock a door, a Cornell ID card is required. These cards have passive RFID chips as well as magnetic stripes. Both can be used to communicate the card’s unique ID number to a reader at the door. Assume that the reader can always correctly determine whether a particular ID number represents a valid Cornell identity.

    • One of the privacy guidelines is "Seek Consent." To what extent would that guideline be satisfied if the reader uses only magnetic stripes? To what extent would it be satisfied if the reader uses RFID configured at a range of 1 foot? At a range of 10 feet? What are the tradeoffs in convenience for each of these choices?

    • Another privacy guideline is "Select Minimal Identity." To what extent is that guideline satisfied here?