November 21, 2012

Some One Thing you know, you have, you are

Reading the FinServices' tongue-in-cheek prediction that "we should all be using Biometrics," I was struck by an old security aphorism:

Something you know, something you have, something you are.

The idea being that each of these was an independent system, so if we had a weak system in each domain, we could construct a strong system by redundantly combining all three. It wasn't perfect, it was a classical strength-through-redundancy design, but you could be forgiven for thinking it was the holy grail because it was repeated so often by security people.

Meanwhile, life has moved on. And it has moved on to the point where we now have a convergence of these things into one:

the mobile phone

The mobile (or cell or handy as it is known) is decidedly something you have - and we can imagine Bluetooth protocols to authenticate in a wireless context. We have SMS, RFIC and NFC for those who like acronyms.

It is also something you know. The individual knows how to fire up and run the apps on her phone. More so than anyone else - smartphones these days have lots of personality for our users to relish in. It is just an application design question to best show that this woman knows her own phone and others do not. Trivial solutions left to reader.

Finally -- the phone is something you are. If you don't follow that, you've been in a cave for the last decade. Start your catchup by buying an iPhone and asking your 13-year-old to install some apps. Watch that movie _The Social Network_. Install the Facebook app, perhaps related to that movie.

The mobile phone is something you know, have and are. It will become the one security Thing of the future. This one Thing has some good aspects, and some bad aspects too. For one, if you lose the One, you're screwed. Even with obvious downsides, users will choose this one option, and as systems providers, we might as well bind with them over it.

With further apologies to J.R.R. Tolkien,

One Thing to rule them all,
One Thing to find them,
One Thing to bring them all
and in the darkness bind them.
Posted by iang at November 21, 2012 11:29 AM

The other version, which is far easier to understand in my opinion, was this one:

Something you have forgotten, something you lost, something you aren't anymore.

But there is even another variant, that should not be forgotten:

Something that someone else got to know, something that was stolen, something someone faked/cloned.

By the way, the concept is called "Multi-Factor-Authentication".

Posted by: Philipp at November 21, 2012 06:48 AM