Other Authentication

• 2.1 continues
• An alternative to passwords is to ask something that only the person knows.
• The book states that these are mostly untested.
• Security questions
  • As we saw in the last set of notes, these can be defeated.
  • And at least I can't remember
    • Spelling
    • Capitalization
    • And Sometimes the answer
      • Do you have a favorite childhood song? I don't.
  • In general, they say that people are overwhelmed by password systems.
  • But security questions are not the answer.
• Biometrics: Something you are
  • Finger prints
  • eye scan
  • voice
  • Other things.
• They show some examples
• And I found some
  • DigitaPersona URU 4500 Scanner
• The book claims
  • This is new technology and
    • Scary to some.
  • Devices can be expensive
  • They are a single point of failure.
  • Slight variations can cause problems.
    • Changes in light or even position of finger/face/eye
    • Damage to fingers (ie a cut)
  • They might mis-identify someone (false positive, false negative)
  • They can be slow
  • Forgeries are possible.
• What strikes me is that
  • Biometrics are probably not here yet,
  • At least when our book was write (2015)
  • And probably not yet.
• The third type is tokens, or something you have
  • Examples
    • An office key
    • A credit card.
  • They discuss active vs passive tokens
    • Passive tokens do nothing, (key, photo)
    • Active tokens interact with the environment :
      • A swipe card that holds data and is rewritten.
      • A transmitter of some kind.
  • Finally Static vs dynamic
    • Most items we use for authentication are static. They do not change.
    • There are some devices that have changing values over time.
      • They say that such devices are good for remote authentication.
      • They are hard to duplicate.
• Some sites have Federated Identity Management.
  • You validate against some central authority
  • And then use this validation for all services.
  • This removes authentication from the clients.
• Finally they discuss multifactor authentication
  • You use two forms of authentication.
  • Usually a password and something else
  • The most common is a cell phone app.
  • But you can use a call back to a known number.
• Something that strikes me throughout the discussion is the trade off of security and ease of access or usability.