Cyber Security

Luke Hally

What is Authentication

September 20, 2021
Authentication is proving who you are. Not to be confused with authorisation, which is having permission to access or use something. In security we often talk about CIA: Confidentiality, Integrity and Authorisation (well, the A can be different things depending on who you talk to). But although we lump them together like this, authorisation is very different to confidentiality and integrity.

Confidentiality and integrity are both things that happen inside the computer, in the land of data that the computer can control. Computers are good at doing things with data; they are good at keeping data confidential and maintaining integrity. Computers are not good at authentication – this is a real world thing and out of the computer’s control. The computer can only deal with a proxy, eg the map of a fingerprint, a hash of a password etc. It doesn’t actually know if the fingerprint belongs to the person or if it is a fake, or if the fingerprint scanner is even connected and an attacker isn’t just feeding data in.

Authentication is knowing the ‘who’. How do we do it in real life? I’ve been pondering this while doing mundane things like dishes. When I walk into the lounge room, how do I know my son is my son? How do I know he hasn’t been substituted with a replacement person or robot or shapeshifting alien? His appearance, voice, his behaviour, the way he responds, ‘handshake’ interactions that only he and I have.

How do we do it in security? Authentication orthodoxy is based on:

  • Something you have – eg a passcard, phone, ATM card
  • Something you know – eg a password, PIN
  • Something you are – eg name, mother’s maiden name, user name, some biometric

But they are all leakable and forgeable. The best we can do is use more than one and trust in the shared secret. We can add multiple ‘factors’ but we need to be careful that they are not creating a false sense of security.
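To make the ‘proxy’ point concrete, here is an added example (not from the original post) of what the computer actually checks when two factors are combined: a salted password hash stands in for ‘something you know’, and a TOTP code (RFC 6238) derived from a shared secret stands in for ‘something you have’. The hypothetical `authenticate` function evaluates both proxies before deciding, so a failed check does not reveal which factor was wrong.

```python
import base64
import hashlib
import hmac
import os
import struct

# Factor 1, "something you know": the server stores a salted PBKDF2 hash,
# never the password itself. (Example code; iteration count is an assumption.)
def hash_password(password: str, salt: bytes = b"", iterations: int = 100_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes, iterations: int = 100_000) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

# Factor 2, "something you have": a TOTP code computed from a secret shared
# between the phone app and the server. The server checks the code, not the phone.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))

def authenticate(password: str, salt: bytes, digest: bytes,
                 secret: bytes, code: str, unix_time: int) -> bool:
    # Evaluate both factors unconditionally; a leaked or guessed single factor is not enough,
    # and short-circuiting would leak which factor failed through timing.
    know_ok = verify_password(password, salt, digest)
    have_ok = verify_totp(secret, code, unix_time)
    return know_ok and have_ok

if __name__ == "__main__":
    # Constructed sample: the 20-byte secret from the RFC 6238 test vectors.
    secret = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    salt, digest = hash_password("correct horse battery staple")
    print(authenticate("correct horse battery staple", salt, digest, secret, totp(secret, 59), 59))
```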
