Who are you? - Identifying yourself, from a security perspective
They say you are what you eat. I think that you are whoever you seem to be plus who you really are. Others perception of you while not truly important may attribute to the scope of “who you are”.
Who are you?
In a doctors office they would start off with questions regarding name, address, gender, family, and then get into activities you do. They are attempting to triage you based on your lifestyle, the activities you perform and your genetic history. There is obviously merit to this as it is certainly a strong factor in well being. The car you drive, the clothes you wear…while they own’t affect your health, they certainly factor in to how others perceive you. The way you walk, the way you curse (or not), is it rude to text while talking to someone else. All of these things come together to form an image, you.
Let’s explore these relationships and how understanding them can help identify and understand “you” the best we can.
1. You are a person.
2. Your gender is male.
3. You have dark hair.
4. You wear glasses.
5. You are left handed.
6. You live in Baltimore.
8. You are married.
9. You have two children.
10. You work in Baltimore.
11. You drive to work in a car.
12. You drive a sedan.
13. You own a mobile phone.
14. You are a Software Engineer.
15. You enjoy solving challenging problems.
16. You enjoy classic rock.
17. You are a passionate person.
18. You talk loudly.
19. You do not like hot weather.
20. You like to eat blueberries and do not like bananas.
Okay, so these are all true observations about myself. Let’s analyze this list for a second. Most of this list can be broken up into categories:
1. Observable physical attributes
2. Observable personality traits
3. Family members
4. Possessions
5. Preferences and opinions
I would call all of these attributes “core” attributes. They can change over time, like I may drive a different car, or own a different phone. Ultimately this list would be up to date and relevant.
There is a new buzz word being used, IoT or Internet of Things. This notion isn’t a new idea…just like the “cloud” isn’t a new idea. IoT emphasizes the relationships between objects that do not need human interaction. A prime example could be a door that has a special lock that is linked to your mobile phone and unlocks the door when you are within a certain proximity to it. Most of these items to date have been more about convenience and have not really been adopted by the layman.
I think that IoT can be utilized to fill in the blanks between our lives in more ways than you might think. Combining the proper IoT devices and highly advanced software you can build an ecosystem that can make your security and connectivity as simple as snapping your fingers.
I have a phone a work, my mobile phone when I’m on the go, and a phone at home. Imagine that when I am work all of my calls were routed to my work phone. When I am on the go, all to my mobile phone, and when at home all calls routed to my home phone. Aside from a nice convenience, this buys you a lot more. That call never rings at work and therefore no one can answer it for you.
Replace a phone call with my computer. I have one at work, and at home. When I’m at home my work computer is locked and home computer is unlocked. When at work, my work computer is unlocked and home computer is locked.
Now replace a computer with a virtual account like your bank account. When the user is “you” you have access to your account. Somebody else doesn’t have access to your bank account.
Today, you use things like inputted secret credentials to authenticate yourself. Since you know this secret information you must be the account holder. Therefore, anyone who knows this secret information may access your account.
Additional precautions have been added to further lock down your account. You need your smartphone in order to receive a code in addition to your secret credentials. Not only do you need to know the secret information, but also have access to your phone. This is an obvious step in the right direction, but certainly makes it more difficult for “you” to access your account. Obviously, to date the extra step has been worth the added security measures to prevent unauthorized access. What if you could just say to your bank account…it’s me let me in!?
Let’s take what we have already established about your core attributes and what we know about secret credentials. What if we could take properties from the five categories we listed above and use them to build a signature that would clearly identify you, and no one else.
Let’s pretend that we walk around with a special bleeding edge recording device that captures all sorts of information for a month. This device takes everything and categorizes its data into these five different categories. It breaks down that data into a knowledge database that has facts and assumptions. Associated with each assumption may be a corresponding confidence, expressing the level of certainty of each assumption. Certain types of facts may also have confidence levels, perhaps this fact was observed but only rarely or special circumstances. Assumptions may have been suggested based on facts that haven’t yet reached the threshold of a fact.
Next time you want to access your bank account instead of logging in with your secret credentials and multi-factor code, what if you provided your signature? After you walked around with this recording device and the data was converted in a knowledge database that generated a signature. This signature is a representation of the knowledge about you. Now when you want to access your account you need to satisfy the knowledge base to produce a compatible signature.
What is this signature?
How is it derived from the knowledge base?
How do you produce a valid signature that is compatible with the initial signature?
We said earlier that there will be a confidence associated with facts. Assumptions are assertions that are less than a fact but may be true.
If you asked me to write down a list of five items that identify you with your core attributes, I would most likely respond with some version of the list of twenty.
- Location is easy…high confidence
- Certain attributes change, that would be specified in their definition and taken into account according to the nature of how they change
- Data feeds from other “people” can be linked into yours like the next evolution in social networking
- I may be acting slightly different, but because I am sitting here with my son, and daughter I must be me. Using data from other people in conjunction to your own data. Data is published to granted parties for consumption.