Why identification is not authentication

Universal enthusiasm toward biometry leads to dramatic underestimation of some risks. It has been already discussed on this blog, and the discussion will go on.

Today we remind a proven principle of information security. If this principle was not ignored, the recent troubles would not appear.

A user is coming, looking into the security camera, his facial features are registered. The system evaluates data, the door opens, money is given, or another action is completed. What kind of process was performed? A what results from it?

Traditional information security theory defines two separate processes with different goals, outputs and performance indicators: identification and authentication.

Identification aims at learning identity of a person. A reception nurse asks a client on his/her name. If there are individuals with the same name, she also asks for the birth date. A front office clerk asks for name and address. The identification is often performed through a simple recognizing a person.

Sometimes it is complete. Sometimes another process, authentication, starts. It aims at proving that the person is really who he/she claims to be. There are big differences in robustness of authentication process, dependent on kind of risk. The risk of free tram ride does not need the same measures like access to a secret weapon. But in any case, it is true that the three basic methods are available (listed below). It is important to find the right authentication solution based on a balance between security, comfort, and effectivity for each authentication case.

Identification thus aims at learning; authentication aims at bringing evidence. Consequently, there are differences even in the implementation of the same technology. Let us consider biometry. There is a security video solution in a Moscow bank, which reads your face features after entering the door, identifies you a and sends all relevant information to the computer of your banker before you reach his/her desk. At football stadium in Poznan, you come with your ticket, and the security system needs to make sure that it is you.  They need to eliminate the risk that a convinced criminal hooligan comes with your ticket. Therefore you have to stand up in front of the camera, the picture is compared with your picture in the database and if everything is o.k., the gate opens for you.

What are main findings? For example using biometry for personal identification does not enhance the security. On the contrary, it leads to its deterioration. Biometric data are stored, no system protection is perfect… The user runs the risk although there is no need to prove anything. Why? Is this comfort enhancement so important?

Another conclusion says that authentication should not be based on just one method, such as biometry. Authentication should be based on a combination of:

–    Knowledge (PIN, password, etc.)

–    Ownership (a card, token, badge, etc.)

–    Body (e.f. fingerprint)

Optimal security level should comport with risks in particular situation /process. However, it is still true that three methods should be used.

Conclusions for document protection. Documents for identification include useful information, but it is expected that nobody could be motivated to counterfeit or tamper them. Example: application for a medical investigation. Documents for authentication are supposed to be attacked by falsifiers so that they need reliable protection.

It leads to another proven security principle. It is not good to protect everything „a bit.“ Focusing on the protection of the main assets is critical.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s