Order of the Bath

There are three well known factors than can be used to establish a personal identity (this word is used here as a relative not an absolute i.e. who you are with respect to the service you wish to obtain).

• Something you Know—such as a password or anything else not easily guessed.
• Something you Have—such as a swipe card or warrant.
• Something you Are—such as a fingerprint or other metric that is an integral part of the body.

Using all three of these becomes “three factor authentication” the holy grail of identity management.

The caveat of “relative identity” is important because people hold a number of separate identities at different times and places. For example at one moment you may be “mummy” and at another, “teacher.” In the shop you would be “customer” and at work “employee.” It is important to note that these are truly independent and don’t need to relate to each other in any way nor require the same degree of authentication.

In many cases reputation plays a key role. If you are behind the counter and the sign over the shop says “Jones—Butcher” then it matters not at all if your name is really Jones, but if you serve good meat then customers will come back with confidence. If someone else takes your place they will be less sure. Similarly if next day you are in the Bakery, then you will need to establish your reputation again before they will trust your bread.

Each of the first two factors have serious weaknesses when used on their own. Passwords can be forgotten, disclosed or compromised requiring an elaborate secondary mechanism for resetting them; cards can be lost, stolen or forged. Used together they are quite effective and form the mechanism of many well known authentication systems—ATM, chip and pin, Secure-id tokens and the better door entry swipe cards for example.

In theory the third, the “Are,” has the potential to be both an absolute (unique in the population) and sufficient (for the same reason) but in practice obtaining and validating such a metric is often beyond the capability of the systems available. Thumb prints have been used for login to a lap-top or starting a car for instance, but the experiments with facial recognition have been a disaster.

The factors are only valid if they are kept completely independent of each other. It becomes meaningless if you tattoo your password on your hand or store your finger-print on your passport but an exceptions are made, e.g. a photograph (a weak “Are” factor) on an employee id card ties the card to the person before using it to gain entry. This guards against loss or theft (to some extent) but not forgery; for that you need to ensure the uniqueness of the document. At validation this would mean comparing a master copy with the one presented, a relatively simple account lookup. For issuing new documents it means cross checking against all others issued, not just the person standing in front of you; this is a much harder empirical search.

Let us consider some traditional and modern examples. I have selected a few to illustrate both the wide variety of situations where we evaluate identity and the different means and rigour by which we do it.

Let’s look at correspondence; try a telephone call—the recipient may be partially identifiable in respect of having answered the call but the caller is anonymous (disregarding caller-id) unless they give you a name. Voice “Are” identification is not reliable even for people we know well. This explains the lengths the credit card company will go to establish who you are before discussing account details. Face-to-face conversation is little better, you have only substituted another unreliable “Are” factor, your face, but that is about all unless you can identify them from another source. A chat room/forum is even worse, the law may now require proof of age (somehow) for obtaining an account but little else. Your tag (name) is your own choice and there are no secondary means of identification. Try an email; even with ISP or domain addresses, the only requirement is that the user pays the bill. The service provider will know rather more but will only reveal it when legally obliged. Disposable email addresses are available which are not tied to anything. Perhaps you should write a letter; A name is now tied to a house address (an unusual “Have” factor) which needs to be valid because without it you won’t get a reply. There may be a signature but there is often nothing to validate it against. BUT—the question to ask is does it matter? No, not always! If you get an email of thanks for a helpful web page, does it really matter who sent it? Would they have sent it if they had to positively and absolutely identify themselves?

Other examples are financial transactions: You have an account number; depending on how secret this is kept this can vary from a “Know” factor to virtually useless. The Americans have hit this problem with their Social Security Numbers. It can be used to authenticate that the account owner is entitled to the service but not that the person giving the number is that person so requires additional verification. On a cheque, the signature is a very weak “Are” factor which, in theory, is validated against a master copy held by your bank or in association with the “Have” factors, the guarantee card and pre-printed cheques. Use your credit card then you “Have” the card and you “Know” the pin (or on old systems you use your signature which is, in theory, verified from the card). But if you are not present, by phone or web site for instance, then you “Have” the card but have to prove it by giving the secondary security number. How about cash; this is the best known of the “Have” tokens. It doesn’t matter at all who you are, only that your authority—the ready cash—is valid. Extraordinary measures have been take to ensure that it is hard to forge. At the extreme is the contract which requires identifiable witnesses present who know you and are prepared to vouch for your identity. They may also be required to be recognisable members of a community such as professionals.

Now you could argue that a simple National Identity Card would solve all of our problems but that would be to disregard my early point that the absolute and incontrovertible identity that this would attempt to give is not always necessary or desirable; and at what cost? After all, it is only a single factor “Have” token which attempts by some magic to connect itself to your “Are” existence by means of biometrics. None but the blinkered are convinced that this is even possible beyond the photo-id and signature we already have.

You are better off writing a good password down rather than memorising a poor one.

I have already posted the method I use for managing passwords but this relatively high-tech solution is not for everybody. I am not advocating the “post-it on the monitor” that the cartoon in the last post was talking about, but for those important passwords that you don’t use often and can’t remember, write them on a slip of paper and put them somewhere safe. This is a much better plan than using a silly password that anyone can guess.

The point is that everything deserves just the right amount of security. Providing any more is counter productive. You have to balance the potential loss against the risk and take into account the inconvenience; if it is too difficult then you won’t stick with it.

Some accounts don’t need much security at all—a simple password will do for subscription news accounts and you can safely let the browser remember them and automatically log you in (but write them down anyway in case you have to change machines). Most shopping accounts are similar, but email and forum accounts need a little more care because your reputation could be at stake. For financial & eBay passwords make sure that they are good and random and keep them very safe somewhere. If you need an email account on the road then the safe place could be as simple as your wallet. This is not a good place for your online banking account however, as there is a lot of other information in your wallet to help the thief. For most systems an adequate place is a notebook in another part of the house from your PC; you are hardly ever going to use them. And, as I said before, make sure that your heirs know where they are.

Thanks to the Security Buddha for this.

These are the guidelines given in a press release from the Bank of England (PDF) about the new “Adam Smith” £20 note.

What should I do if I think I have a counterfeit note?

Counterfeit notes are worthless. It is a criminal offence to hold onto or pass on counterfeit notes. If you suspect a note is counterfeit, take it to the police as soon as possible. They will give you a receipt and send the note to the Bank of England for analysis. If the note is genuine, you will be reimbursed.

That last sentence doesn’t exactly encourage you to look too carefully does it?