How should authentication be described?

Quandary’s blog has some noteworthy ideas on the definition of strong authentication.

It is typically considered that there are three categories that authentication can fall into — “what you know,” “what you have,” and “what you are.” However, the idea that these forms of authentication are different is “ultimately incorrect, as it all comes down to what your attackers know, versus what the computer knows”.

“What you have” merely pushes the knowledge out of your head and either onto a piece of paper, or into some other device of some sort. So long as an attacker knows what is contained in the physical device, he has all the information he needs to successfully authenticate — the only extra obstacle he might encounter is physically interfacing with the hardware (e.g., a card reader) to communicate his knowledge.

“What you are” is also simply a matter of an attacker knowing what your fingerprint, retina scan, DNA, voice, or other characteristic is like. If a computer can model your voice well enough to determine if you spoke a phrase or not, then it is very likely that an attacker will be able to model (or even directly play back) your voice using a similar method, and authenticate to the system. Fingerprints, retina scans, and DNA matches are even worse, because these never change.

An alternative view of the major axes of authentication is described further on Quandary’s blog. According to the author, “the most desirable authentication methods should be bidirectional, unique, and temporal, and should use each of these three attributes in a strong fashion”.

This blog is run by the authors of FindProtected.
Prior to developing a security policy, it is essential to analyze your computer or corporate network for valuable resources and sensitive information that should by no means be disclosed. FindProtected is an effective security program that allows you to search your network for password-protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.
