Emergent Chaos: There are three types of authentication

Navigate to next or previous posts:

« I'm Glad I'm a Beta! | Emergent Chaos Main page | It's a Flawless Plan for Making Money »

There are three types of authentication

(Posted by mordaxus)

They are:

Something you've lost,
Something you've forgotten, and
Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he's done (2), and his solution to the problem. It's a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the "ooo, shiny" technolust making you think that something is a good idea when it isn't. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

photo courtesy of split-ends.

Posted by mordaxus on January 25, 2007 at 8:36 PM in Usability , personal security . You can: comment, view comments (28), search Technorati.

Bookmark this post:

Comments

Eric's problem could have been solved by writing down the password: see my arguments for writing down passwords. Bruce Schneier has pointed out that the conventional wisdom can easily be wrong and that a written password IN A SAFE PLACE can be a good idea. It's as practical as a spare car key.

Posted by: Fred Wamsley | January 26, 2007 1:34 AM

Good point, Fred. I sometimes tell people to write their password down and put it in their wallet. No one is going to take their wallet without them being aware of it, and if that happens they can simply change the password to something else. Far better than "hiding" it under the keyboard, which is most people's first inclination.

The story also reminds me that one laptop I played with allowed you to register more than one fingerprint, so you have another one to try if you injure a finger. Using a fingerprint as a key would seem to violate the principle in the previous post, though, since you're relying on a secret you can't change. ;)

Posted by: Orv | January 26, 2007 3:46 AM

Oops, guess it was two posts ago. :)

Posted by: Orv | January 26, 2007 3:56 AM

Many years ago, each system I worked on required a twelve-character, pre-generated password. They were changed every two weeks. I also regularly worked on a good half-dozen computers. All of us wrote passwords down and kept them in our wallets, but with little tweaks.

I would frequently omit one character, or write an extra one. I could remember what I had done to it, easily. A friend of mine would ROT-1 a character.

Nonetheless, this completely fried the password-memorizing parts of my brain. I've been horrible at it ever since.

Posted by: Mordaxus | January 26, 2007 4:49 AM

I have the Shmoo Group "Something I lost, (etc etc)" sticker on the bumper of my car :)

Posted by: Matt | January 26, 2007 2:31 PM

I think it might have been Russell Brand who started the "put your password in your wallet" meme, because how often do you lose your wallet? When I used to generate password lists for the operations staff at (omitted), they were on paper, but they were missing a key component. You just had to remember the key component, and rest of the stuff you could look up until the new password was fully embedded in your fingers.

When I setup my Thinkpad to use the fingerprint scanner, to prevent the problem this fellow encountered I enrolled multiple fingers on both hands. I figure if I lose both hands, I'm not going to need the laptop anymore anyway.

Posted by: Kenton A. Hoover | January 26, 2007 3:41 PM

The pogrom against written passwords dates back to the days of student labs and secretaries who entered the bosses accounts ... and always wrote the password under their keyboard. Those days are long gone.

Someone did point out that shoulder surfing is still a threat on aircraft. Frankly, if it is, I wonder if you have bigger problems, and shouldn't open up your laptop at all...

Another one that is also out of date and should be changed is the sodding password boxes that always print as ******.

Posted by: Iang | January 28, 2007 2:16 PM

Very good site. Thank you.
http://valium-xanax.vichyme.info valium xanax

Posted by: valium xanax | February 12, 2007 2:56 PM

Nice site. Thanks.
http://cheap-xanax.thysami.info cheap xanax

Posted by: cheap xanax | February 12, 2007 4:32 PM

Cool site. Thanks!
http://buy-online-xanax.vichyme.info buy online xanax

Posted by: buy online xanax | February 12, 2007 6:38 PM

Good site. Thank you!!!
http://sears-travel.vichyme.info sears travel

Posted by: sears travel | February 12, 2007 11:16 PM

Good site. Thank you!!!
http://sears-travel.vichyme.info sears travel

Posted by: sears travel | February 12, 2007 11:17 PM