I believe that the only way you can know which way to go is to look as forward as you can.

Wednesday, March 02, 2005

Person authentication

What I see as being the future in person authentication … is... Parameterized Authentication
"Parameterized Authentication moves beyond the traditional approach to security by acknowledging that identity verification cannot always produce perfect results. Our model addresses such inherent imperfections by introducing a metric, the Authentication Parameter, that captures the overall quality of authentication. We define authentication quality in terms of sensor trustworthiness and the accuracy of sensor measurements."

    I shell split things in two directions:
  1. Authentication in a non-computer based system. (ATM, entrances)
    I assume that nobody can imagine that something else then “Biometric readers” will survive over the time. Using only fingerprints, maybe it can fail. Using faces, the same. But doing a combination of face, iris, fingertips and let’s say voice… I think is strong enough. I cannot imagine a way to gather and imitate somehow all this information. Ok: maybe having a clone of the same age. (Oh yes, the voice has a harmonics that can be found beyond how the speaker intonates. Remember the Fourier transform?) Ok, this works perfectly for ATM, for entrances, etc.

    Only when you say biometrics… you say a lot of methods…
    Of course all these can be done in the Parameterized Authentication terms.

  2. Authentication in a computer based system.
    What about the computer authentication? The password can be stolen. Secure connections? Maybe, for a while this will be the way to go.

    Want to go further? Ok, unique identifiers, or perhaps chips will be provided. PIN? Yes of course.
    Password hardening based on keystroke dynamics?

    Why not?

    Or perhaps ... graphical password or… signature written with mouse?
    We can add also some fingerprints recognition embedded in the keyboard... If you want strong authentication I think the answer is combine in a smart way the basic stuff that we have already.

    Oh yes… do again Parameterized Authentication.

    It is clear to me that year by year people get tired of making all kind of accounts and remember all kind of passwords. So, web-sites might give you the possibility to authenticate using some third-party internationally certified methods. This third party can send to the portal some basic information like… a customized username, decided by the user, at the first entrance-time.

    So, if your account can be accessed only using this third party that is doing sophisticated stuff like
    Password hardening based on keystroke dynamics combined with finger prints recognition then you can be sure that nobody ever will be able to still your password…

    As a final conclusion, I can say that the password issue is much solvable than the software cracking issue… Any suggestions?
    If you want to see a non exhaustive list of the main authentication methods you can visit Password Replacements
    article written by…  a gooood friend of mine ;)