Wednesday, March 08, 2006

Identity and Authentication must remain distinct

An excellent article from Steve Riley, Senior Security Strategist at Microsoft, on Why Identity and Authentication Must Remain Distinct

"Identity. A security principal (you or a computer, typically) wants to access a system. Because the system doesn’t know you yet, you need to make a declaration of who you are. Your answer to the question “Who are you” is the first thing you present to a system when you want to use it. Some common examples of identity are user IDs, digital certificates (which include public keys), and ATM cards. A notable characteristic of identity is that it is public, and it has to be this way: identity is your claim about yourself, and you make that claim using something that’s publicly available.

Authentication. This is the answer to the question “OK, how can you prove it?” When you present your identity to a system, the system wants you to prove that it is indeed you and not someone else. The system will challenge you, and you must respond in some way. Common authenticators include passwords, private keys, and PINs. Whereas identity is public, authentication is private: it’s a secret known (presumably) only by you. In some cases, like passwords, the system also knows the secret. In other cases, like PKI, the system doesn’t need to possess the secret, but can validate its authenticity (this is one of many reasons why PKI is superior). Your possession of this secret is what proves that you are who you claim to be...

Identity and authentication are distinct components of the steps necessary to use a secure computer system. Identity without authentication lacks proof; authentication without identity invalidates auditing and eliminates multi-user capability (consider Windows 95/98, which supported a password as an authenticator but no user ID). If biometrics become important to you as you begin considering how to strengthen identity and authentication in your security strategy, remember to evaluate how a particular biometric implementation views itself. Proper biometrics are identity only and will be accompanied, like all good identifiers, by a secret of some kind -- a PIN, a private key on a smart card, or, yes, even a password...

Now consider biometrics. Given the definitions and characteristics of identity and authentication, which is biometrics: identity or authentication?

Before we answer the question, think about the attributes of biometrics. Is it public or private? Public, of course. You leave various biometrics everywhere you go -- your fingerprints remain on anything you touch, your face is stored in countless surveillance systems, your retina patterns are known at least by your optometrist, perhaps. And it’s believed, although there is no actual evidence to support the claim, that biometrics are unique. (How would one prove it, other than examining the fingerprints and retinas of every single individual on the planet?) Given this, it follows that biometrics are identity, not authentication -- despite the claims of some vendors."

Got that?

1. Identity is public.
2. Authentication is secret.
3. Biometrics are public, so they fall into the identity bucket.
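To make the two steps concrete, here is a small added example (my own illustration, not code from Steve Riley's article or from this blog). It models a system that first looks up a public identity (the user ID) and then checks a private authenticator. Two authenticator types are shown, matching the article's two cases: a password, where the system must hold something derived from the shared secret, and a key pair, where the system holds only the public key and never sees the secret. The key-pair case uses a Lamport one-time signature purely because it needs nothing beyond the standard library; a real deployment would use RSA or ECDSA. All names, the in-memory directory and the sample principals are constructed for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed in-memory directory of principals. The key is the public identity
# claim (a user ID; a fingerprint template would sit in exactly the same place,
# selecting a record but proving nothing). The value holds what the system needs
# to check the authenticator, and nothing more.
DIRECTORY = {}


def enroll_password(user_id, password):
    """Password authenticator: the system must be able to check the shared
    secret, so it keeps a salted, stretched digest rather than the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    DIRECTORY[user_id] = {"kind": "password", "salt": salt, "digest": digest}


def lamport_keygen():
    """Lamport one-time signature key pair. The private key is 256 pairs of
    random 32-byte values; the public key is the SHA-256 of each value.
    A key pair may sign only one message, which suits a one-shot challenge."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def enroll_public_key(user_id, pk):
    """Key-pair authenticator: the system stores only the public half."""
    DIRECTORY[user_id] = {"kind": "pubkey", "pk": pk}


def _digest_bits(message):
    h = hashlib.sha256(message).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, message):
    """Done on the user's side: reveal, for each bit of SHA-256(message),
    the private value matching that bit. The other 256 values stay secret."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message, sig):
    """Done on the system's side with the public key only."""
    if len(sig) != 256:
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pk[i][bit])
        for i, bit in enumerate(_digest_bits(message))
    )


def authenticate(user_id, proof, challenge=None):
    """Step 1, identity: resolve the public claim to a record.
    Step 2, authentication: check the secret-backed proof against that record.
    Returns (accepted, audit_entry); the audit entry always names the identity,
    which is what a password-only scheme with no user ID cannot provide."""
    record = DIRECTORY.get(user_id)
    if record is None:
        return False, {"user": user_id, "result": "unknown identity"}
    if record["kind"] == "password":
        digest = hashlib.pbkdf2_hmac(
            "sha256", proof.encode(), record["salt"], PBKDF2_ROUNDS
        )
        ok = hmac.compare_digest(digest, record["digest"])
    else:
        ok = challenge is not None and lamport_verify(record["pk"], challenge, proof)
    return ok, {"user": user_id, "result": "accepted" if ok else "rejected"}


if __name__ == "__main__":
    enroll_password("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "wrong password"))
    print(authenticate("nobody", "anything"))

    sk, pk = lamport_keygen()
    enroll_public_key("bob", pk)
    challenge = secrets.token_bytes(32)        # issued by the system
    print(authenticate("bob", lamport_sign(sk, challenge), challenge))
```

The point to notice is the shape of the two records: the password record contains material derived from the secret, so a copy of the directory weakens that authenticator, while the key-pair record contains nothing secret at all. In both cases the user ID does no proving; it only selects the record and labels the audit entry.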

William Heath has a question in the light of Steve Riley's lesson:

"If biometrics are public, why do we need to pay billions to have them compulsorily recorded and stored on a highly secure national server?"
