specifications. Whereas the theory of access is quite solid by now, there are
indeed competing technologies, and therefore there will be variations in any
presentation of the subject. Authentication means recognizing that requesters
of content are indeed who they claim to be. Authentication relies on two
concepts, identity and credentials. To illustrate the difference,
let’s consider Marie Doe, who has a daughter, Suzie Doe. There is no doubt about
Suzie’s identity. However, Suzie may hold a passport that is past its expiry
date. In this case, Suzie has a solid identity, but weak credentials.
Conversely, let’s consider John Reborn, who has a valid passport but who, in
fact, is a spy using a false name. The identity of John is false, but his
credentials are strong. So we see that identity and credentials are two
different concepts. Identity is who the person is; credentials are here to
affirm that the person is who he or she claims to be. When presented with
credentials, the recipient must first establish trust in the credentials, and
then establish how much trust it assigns to the linkage between the credentials
and the person they represent.
For a computer
to authenticate a person, credentials of the person can be of different forms
that we will present in order of increasing confidence. The first credential is
the name of the person, then perhaps a password that they can provide, then
perhaps an object they carry that they can present to the computer, and further
on even a representation of themselves that is associated with their physical
presence. If the name of the person is all there is, the trust is minimal,
unless the context is such that there is no possibility of mistake. Otherwise,
it’s easy for anybody to give a false name. Concerning the password, the level
of trust can be much higher if the password is complex enough. If the password
is, say, four letters long, it’s not difficult to try all combinations. Some
computers limit the number of attempts for that reason, but then, when many
accounts are tried, the odds are still high that some password will be compromised.
Long, unwieldy passwords are more secure, although more difficult to remember. In
the end, passwords have a major weakness. They are easy to steal.
There are many
ways to surreptitiously obtain passwords, and therefore, only limited trust is
placed in them. That’s why tokens have been introduced, in the form of Radio-Frequency
Identification (RFID) tags or smart cards. With these, the user presents
physical evidence to the computer. Such tokens can be sophisticated in that
they can talk with the recipient computer to make sure that they recognize that
computer, and that the computer recognizes them. Moreover, they can be set up
such that they are only activated if their owner provides evidence of
ownership. Of course, by now you recognize that we can say that the owner authenticates
to the token, which in turn authenticates
on behalf of the owner to the recipient computer. That’s two levels of
security. The way the owner provides proof of ownership to the token can be through
a password or through physical presence, what is called biometry.
Biometry is the science of associating particular features of humans with their
identity. For example, fingerprints, iris scans, hand geometry, and DNA are
all unique identifiers of humans. Biometry can be used in two different ways in
the authentication scheme. If this is direct authentication without a token,
the user provides, say, the fingerprint, and the recipient computer double
checks the fingerprint against a database. With a token, things can be made
much more secure, because the user provides the evidence to the token itself,
which may double check with its own database, all in the protected environment
of the token. The biometric sensor is attached to the token and is therefore
much less likely to have been tampered with, and the processing of
information happens inside the token. As the token itself is physically
protected, the likelihood of interference is very low, and therefore we can say
that an authentication system that relies on a token plus biometry is quite
strong. In fact, this is how secure governmental facilities are protected, with
the additional precaution that not one, but several biometric verifications may
be requested at once.
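As an added illustration of the two-level scheme described above (not code from the original text), the following Python models a token that must first be unlocked by its owner, here with a PIN at the step where a biometric match inside the token would sit, and then performs a mutual challenge-response with the recipient computer. The shared HMAC-SHA256 key, the PIN and the message layout are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 challenge-response is an assumed protocol, not the text's.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Token:
    # Level 1: the owner must unlock the token before it speaks for them.
    # A real token keeps the key and the PIN check in tamper-resistant storage.
    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.unlocked = False

    def unlock(self, pin: str) -> bool:
        # A biometric match done inside the token would replace this PIN check.
        given = hashlib.sha256(pin.encode()).digest()
        self.unlocked = hmac.compare_digest(given, self._pin_hash)
        return self.unlocked

    def respond(self, host_challenge: bytes):
        # Level 2a: prove knowledge of the key to the host and challenge it back.
        if not self.unlocked:
            return None
        token_challenge = secrets.token_bytes(16)
        proof = _mac(self._key, b"to-host", host_challenge, token_challenge)
        return token_challenge, proof

    def verify_host(self, host_challenge, token_challenge, host_proof) -> bool:
        # Level 2b: the token only trusts a host that proves the same key.
        expected = _mac(self._key, b"to-token", token_challenge, host_challenge)
        return self.unlocked and hmac.compare_digest(expected, host_proof)

class Host:
    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, token: Token) -> bool:
        # Mutual challenge-response: True only if both sides recognise each other.
        host_challenge = secrets.token_bytes(16)
        reply = token.respond(host_challenge)
        if reply is None:  # locked token: the owner never authenticated to it
            return False
        token_challenge, token_proof = reply
        expected = _mac(self._key, b"to-host", host_challenge, token_challenge)
        if not hmac.compare_digest(expected, token_proof):
            return False
        host_proof = _mac(self._key, b"to-token", token_challenge, host_challenge)
        return token.verify_host(host_challenge, token_challenge, host_proof)
```

A locked token, a wrong PIN, or a host that cannot prove the shared key all leave `authenticate` returning False; only the full chain owner-to-token-to-computer succeeds.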