
Who are you? – Identifying yourself, from a security perspective

They say you are what you eat. I think that you are whoever you seem to be plus who you really are. Others' perception of you, while not truly important, may contribute to the scope of “who you are”.

Who are you?

In a doctor's office they would start off with questions regarding name, address, gender, family, and then get into the activities you do. They are attempting to triage you based on your lifestyle, the activities you perform and your genetic history. There is obviously merit to this, as it is certainly a strong factor in well-being. The car you drive, the clothes you wear…while they won't affect your health, they certainly factor into how others perceive you. The way you walk, the way you curse (or not), whether you text while talking to someone else. All of these things come together to form an image: you.

Let’s explore these relationships and how understanding them can help identify and understand “you” the best we can.

1. You are a person.
2. Your gender is male.
3. You have dark hair.
4. You wear glasses.
5. You are left handed.
6. You live in Baltimore.
8. You are married.
9. You have two children.
10. You work in Baltimore.
11. You drive to work in a car.
12. You drive a sedan.
13. You own a mobile phone.
14. You are a Software Engineer.
15. You enjoy solving challenging problems.
16. You enjoy classic rock.
17. You are a passionate person.
18. You talk loudly.
19. You do not like hot weather.
20. You like to eat blueberries and do not like bananas.

Okay, so these are all true observations about myself. Let’s analyze this list for a second. Most of this list can be broken up into categories:

1. Observable physical attributes
2. Observable personality traits
3. Family members
4. Possessions
5. Preferences and opinions

I would call all of these attributes “core” attributes. They can change over time; I may drive a different car, or own a different phone. Ultimately this list would need to be kept up to date to stay relevant.

There is a new buzzword being used, IoT or Internet of Things. This notion isn't a new idea…just like the “cloud” isn't a new idea. IoT emphasizes the relationships between objects that do not need human interaction. A prime example could be a door with a special lock that is linked to your mobile phone and unlocks the door when you are within a certain proximity of it. Most of these items to date have been more about convenience and have not really been adopted by the layman.

I think that IoT can be utilized to fill in the blanks between our lives in more ways than you might think. Combining the proper IoT devices and highly advanced software you can build an ecosystem that can make your security and connectivity as simple as snapping your fingers.

I have a phone at work, my mobile phone when I'm on the go, and a phone at home. Imagine that when I am at work all of my calls were routed to my work phone. When I am on the go, all to my mobile phone, and when at home all calls routed to my home phone. Aside from being a nice convenience, this buys you a lot more: that call never rings at work, and therefore no one else can answer it for you.

Replace the phone call with my computer. I have one at work and one at home. When I'm at home my work computer is locked and my home computer is unlocked. When at work, my work computer is unlocked and my home computer is locked.

Now replace the computer with a virtual account like your bank account. When the user is “you”, you have access to your account. Somebody else doesn't have access to your bank account.

Today, you use things like entered secret credentials to authenticate yourself. Since you know this secret information, you must be the account holder. Therefore, anyone who knows this secret information may access your account.

Additional precautions have been added to further lock down your account. You need your smartphone in order to receive a code in addition to your secret credentials. Not only do you need to know the secret information, but you also need access to your phone. This is an obvious step in the right direction, but it certainly makes it more difficult for “you” to access your account. Obviously, to date the extra step has been worth the added security measures to prevent unauthorized access. What if you could just say to your bank account…it's me, let me in!?

Let's take what we have already established about your core attributes and what we know about secret credentials. What if we could take properties from the five categories listed above and use them to build a signature that would clearly identify you, and no one else?

Let's pretend that we walk around with a special bleeding-edge recording device that captures all sorts of information for a month. This device takes everything and categorizes its data into these five categories. It breaks that data down into a knowledge database that holds facts and assumptions. Associated with each assumption may be a corresponding confidence, expressing the level of certainty in that assumption. Certain types of facts may also have confidence levels; perhaps this fact was observed, but only rarely or under special circumstances. Assumptions may have been suggested by observations that haven't yet reached the threshold of a fact.

Next time you want to access your bank account, instead of logging in with your secret credentials and multi-factor code, what if you provided your signature? After you walked around with this recording device, the data was converted into a knowledge database that generated a signature. This signature is a representation of the knowledge about you. Now when you want to access your account you need to satisfy the knowledge base by producing a compatible signature.

What is this signature?
How is it derived from the knowledge base?
How do you produce a valid signature that is compatible with the initial signature?

We said earlier that there will be a confidence associated with facts. Assumptions are assertions that are less than a fact but may be true.

If you asked me to write down a list of five items that identify you with your core attributes, I would most likely respond with some version of the list of twenty.

– Location is easy…high confidence
– Certain attributes change; that would be specified in their definition and taken into account according to the nature of how they change
– Data feeds from other “people” can be linked into yours, like the next evolution in social networking
– I may be acting slightly differently, but because I am sitting here with my son and daughter, I must be me. This uses data from other people in conjunction with your own data. Data is published to granted parties for consumption.
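The post leaves open what the “signature” is and how a presented one is checked against the knowledge base. Here is one concrete reading of the idea, written as an added illustration rather than the author's design: each stored fact carries a confidence and a rough count of the values it could take, so matching facts contribute confidence-weighted bits of evidence and mismatching facts subtract them; a login attempt passes only if the evidence clears a threshold. The profile values, cardinalities, confidences and threshold are all constructed assumptions, and the scorer generalizes the post's single example to any attribute list.

```python
"""Confidence-weighted attribute "signature" scoring (added example, not the post's code)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    name: str
    value: str
    confidence: float   # 0..1: how sure the knowledge base is that this fact holds
    cardinality: int    # roughly how many values this attribute could take


def fact_weight(fact: Fact) -> float:
    """Evidence a matching fact is worth, in bits: confidence * log2(cardinality).

    A fact with only two possible values (gender, handedness) is worth at most one
    bit, so it adds almost nothing even when it matches; a fact with many plausible
    values, like a home city, dominates the score.  This mirrors the post's remark
    that location is an easy, high-confidence attribute.
    """
    return fact.confidence * math.log2(fact.cardinality)


def match_score(profile, observed):
    """Return (score, max_score) for an attempt presenting `observed` attributes.

    Matching facts add their weight, contradicting facts subtract it, and facts the
    attempt says nothing about contribute nothing.  `observed` maps name -> value.
    """
    score = 0.0
    max_score = 0.0
    for fact in profile:
        weight = fact_weight(fact)
        max_score += weight
        if fact.name not in observed:
            continue
        if observed[fact.name] == fact.value:
            score += weight
        else:
            score -= weight
    return score, max_score


def authenticate(profile, observed, threshold_bits: float) -> bool:
    """Accept only if the confidence-weighted evidence reaches the threshold."""
    score, _ = match_score(profile, observed)
    return score >= threshold_bits


# Constructed sample profile, loosely modelled on the post's list of attributes.
PROFILE = (
    Fact("location", "Baltimore", 0.90, 1024),    # weight 9.0 bits
    Fact("gender", "male", 0.99, 2),              # weight 0.99 bits
    Fact("handedness", "left", 0.95, 2),          # weight 0.95 bits
    Fact("car_type", "sedan", 0.60, 8),           # weight 1.8 bits
    Fact("children", "2", 0.90, 8),               # weight 2.7 bits
    Fact("music_genre", "classic rock", 0.70, 32),  # weight 3.5 bits
)

# Genuine attempt: everything matches except the car was not observed today.
GENUINE = {
    "location": "Baltimore", "gender": "male", "handedness": "left",
    "children": "2", "music_genre": "classic rock",
}

# Constructed attempt that only gets the publicly visible facts right.
IMPOSTOR = {
    "location": "Baltimore", "gender": "male", "handedness": "right",
    "children": "1", "music_genre": "classic rock",
}

THRESHOLD_BITS = 14.0


def demo():
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        score, max_score = match_score(PROFILE, attempt)
        verdict = "accept" if authenticate(PROFILE, attempt, THRESHOLD_BITS) else "reject"
        print(f"{label:9s} score={score:6.2f} / {max_score:.2f} bits -> {verdict}")


if __name__ == "__main__":
    demo()
```

The useful lesson from the numbers is the one the post gestures at with “location is easy”: the whole profile is worth under 19 bits even when every fact matches, and most of that comes from a single attribute, so a profile built from observable traits is at best a weak factor to combine with something the account holder possesses or knows, not a replacement for it.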

Authentication: The real me

Authentication as we use it in the security world obviously comes from the word “authentic”, meaning genuine. Today we find that the most common authentication means simply fulfill an already established contract with secret information that only the account owner would possess. This gives no insight into whether the user who initially established the account, let's call him Bob, is in fact Bob logging into his account, or Alice, a third-party listener who may have somehow obtained Bob's authentication credentials. Since Bob's credentials may be a username and password pair, the only thing that protects this account is possession of this secret information. You haven't missed anything; all I have said is that modern-day authentication means rely on secrecy, or private information that only the account holder would possess. What if we were able to actually establish that Bob is the same Bob that initially established his account? Not due to knowledge of a simple pair of username/password credentials, or a selected picture and the like. Rather, what if Bob was somehow able to expose his likes, dislikes, habits, tendencies, interests, etc., and this information could be used to verify not that Bob knows his password, but that Bob is Bob?

The closest thing I have seen that somehow utilizes this is during credit checks. The questions are almost entirely address-verification-related multiple-choice questions: did you live on street X?

Imagine you have a browser extension installed. You read an article that makes you “sad”, or makes you “happy”. You click on your “authentication” icon and use an emoji to express what you feel, or perhaps use a few tag keywords to convey your response. This data may be collected and used to build a statistical model that generates verification questions for an authentication service. Your web history, emails, shopping tendencies, the music you listen to: all of this can be used to provide data that helps paint a picture of “how” you think and how you react.

Pandora does this to provide you with recommended music. The more you show what you like and dislike in the recommended music, the more you train your station. Imagine if the next time you logged in to “Bob”'s account he was asked two questions: which songs in this list would you prefer to listen to? This is not ironclad, and different types of data can have different results and predictability.
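To make the “which of these songs would you prefer?” check concrete, here is an added example (not the post's or Pandora's code) that builds multiple-choice challenges from a recorded set of liked and disliked items, verifies the answers, and reports how often a stranger would pass by guessing. The song titles, ratings and the seeded random generator are constructed sample data; the item names, `make_challenges`, `verify` and `guess_probability`, are assumptions of this illustration.

```python
"""Preference-based challenge questions from rated items (added example, not the post's code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    options: tuple   # titles shown to the user, one of which they rated up
    answer: int      # index of the liked title within `options`


def make_challenges(liked, disliked, n_questions, n_options, rng):
    """Build `n_questions` challenges, each with one liked item among disliked distractors.

    Every challenge draws fresh items, so no liked title or distractor is reused
    across questions; the caller must supply enough rated items for that.
    """
    liked = list(liked)
    disliked = list(disliked)
    per_question = n_options - 1
    if len(liked) < n_questions or len(disliked) < n_questions * per_question:
        raise ValueError("not enough rated items to build unique challenges")
    rng.shuffle(liked)
    rng.shuffle(disliked)
    challenges = []
    for i in range(n_questions):
        correct = liked[i]
        distractors = disliked[i * per_question:(i + 1) * per_question]
        options = distractors + [correct]
        rng.shuffle(options)
        challenges.append(Challenge(tuple(options), options.index(correct)))
    return challenges


def verify(challenges, responses):
    """Accept only if every question is answered, and answered correctly (fail closed)."""
    if len(responses) != len(challenges):
        return False
    return all(c.answer == r for c, r in zip(challenges, responses))


def guess_probability(n_questions, n_options):
    """Chance that a stranger with no knowledge of the ratings passes by guessing."""
    return (1 / n_options) ** n_questions


# Constructed sample ratings for "Bob": titles are placeholders, not real songs.
LIKED = ("Track A", "Track B", "Track C")
DISLIKED = ("Track D", "Track E", "Track F", "Track G", "Track H", "Track I", "Track J")


def demo():
    rng = random.Random(7)   # fixed seed so the demo is reproducible
    challenges = make_challenges(LIKED, DISLIKED, n_questions=2, n_options=4, rng=rng)
    for n, c in enumerate(challenges, 1):
        print(f"Q{n}: which of these did you rate up? {c.options}")
    honest = [c.answer for c in challenges]
    print("honest answers accepted:", verify(challenges, honest))
    print("random-guess pass rate:", guess_probability(2, 4))
    return challenges


if __name__ == "__main__":
    demo()
```

Two questions with four options give a guesser a 1-in-16 pass rate, which is far weaker than a short password and only holds if the distractors are items the user genuinely dislikes and the ratings themselves are not visible to others; that is the “different types of data can have different results and predictability” caveat in the post made concrete.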

This is a very general idea, but I think that ultimately, just as we can now use Facebook and Google as ways to log in to our accounts…imagine if we used our Pandora, Netflix, and Amazon accounts as seed data to ask us questions to verify our identity!!

I am about to post another idea about CAPTCHAs, but look at this: http://en.wikipedia.org/wiki/Google_Image_Labeler I remember when this game was around and Google used people to help train/verify its image search results. I could certainly see a game such as this used to both train and verify a user's identity.

This can become a great deal more abstract. I have read recently about recent efforts in keystroke analysis for identifying users by their unique electronic signature: http://www.washingtontimes.com/news/2015/jan/24/true-cybersecurity-intelligent-computer-keyboard-i/

A bit of a rant, but I think there are some solid ideas here.