Information Technology: New Identification Tech

(authentication technology)

Protecting electronic identity is a top priority


Greater precautions to protect vital information are available

While authentication technology has been around since the early days of computing, increased awareness due to more information security threats and greater affordability are pushing the use of these technologies to the forefront. Authentication technologies help to ensure individuals are who they claim to be. They "authenticate" or validate their identity and control access to resources in these broad categories:

  1. Something you know.
  2. Something you have.
  3. Something you have (again).
  4. Something you are.
  1. Something you know: passwords.
  2. Passwords are the least expensive and most common type of authentication technology. Based on "something you know," passwords require a user to remember a string of characters and enter this information to gain access to a desired resource.

    Unfortunately, passwords are also one of the weakest forms of authentication technology, most often because of the users themselves. Passwords that are shared, left blank, unchanged for long periods of time, reused across multiple accounts or overly simplistic, leave the user at risk to even the most novice identity thief or simple hacking tool.

    Ultimately, passwords should continue to play a role in user authentication, but should be used in conjunction with other technologies for adequate security.

  3. Something you have: tokens.
  4. Based on "something you have," token-based authentication technology; such as, magnetic strips (credit cards), smart cards, SecurID cards, USB keys, etc. can hold longer and harder to break "secrets" that are more difficult to hack or reproduce than passwords.

    Little protection is afforded if the token device is lost or stolen; and similar to passwords, simple possession of these objects often serves as the only means to distinguish the owner. The effectiveness of tokens can be significantly enhanced; however, by combining their use with "something you know," for example, a PIN code or a password.

  5. Something you have: Public Key Infrastructure
  6. Public Key Infrastructure (PKI) refers to another authentication technology based on "something you have." With PKI, digital certificates are often issued by an independent Certificate Authority that then acts as a third-party reference regarding the identity of the owner. These certificates can then be attached to e-mail messages or referenced by a Web browser during an e-commerce transaction as a means of identification.

    When applications encounter these certificates, the origin can then be verified by inquiring back to the issuing Certificate Authority to ensure the identity of the sender or Web site owner.

    Digital certificates also provide a means to allow users to exchange highly secure, encrypted information using a combination of a private key (owned by the sender) and public key (freely shared with recipients) to encrypt and decrypt message text. Despite its many benefits and reasonable price, PKI has seen limited adoption in the marketplace.

  7. Something you are: biometrics
  8. The final category of authentication technology is based on "something you are" and refers to the use of biometrics to examine unique physical characteristics to differentiate one person from another.

Some common biometric technologies include:

  • Fingerprint recognition
  • Fingerprint identification systems take a digital scan of a person's fingertips and record unique physical characteristics. Data is then either stored as an image or encoded as a character string. Some fingerprint ID systems go so far as to also measure blood flow to the finger, so that "fake" fingers can't be used to fool the system.

    Of all the biometric technologies, fingerprint recognition is the most common. It's a part of a number of new devices coming to market from PDAs and thumb drives; requiring the user to swipe their finger prior to unlocking the device, to mice and keyboards.

    In addition, a number of vendors now sell external USB-based devices that can be plugged into any desktop or laptop computer to inexpensively ($50 to $100) add biometric authentication capabilities.

    Besides computers, fingerprint recognition is now being used in a number of other devices including time clocks, cell phones, door locks, and safes.

  • Iris recognition
  • Iris-scan systems analyze and map numerous points of the iris. Eyeglasses, contact lenses, and eye surgery do not change the characteristics of the iris so this method is very reliable, even as a person ages.

    Iris recognition systems often vary the light during the scanning process in order to verify that the pupil dilates, so that a fake eye can't be used to fool the system.

  • Face recognition
  • Facial recognition measures and analyzes the physical attributes of a person's face including the overall structure and shape of the face, and distances between the eyes, nose, mouth, and jaw edges.

    Facial recognition systems can accurately verify the identity of a person standing a few feet away in a matter of seconds.

    Biometrics is considered the most secure authentication technology

    Of the three types of authentication technology, biometrics is considered the most secure since physical characteristics are unique to each individual and can't be easily spoofed; and similar to the other types of authentication, the reliability of biometrics can be further strengthened by combining several types of recognition, known as Multiple Biometric, and/or requiring users to enter a PIN code in order to uniquely identify a user; combining "something you are" with "something you know."

    As users increasingly rely on electronic means of conducting business and exchanging information, the need for authenticating user identity and ensuring reliability will continue to be a high priority.

    While most small businesses will not require the more sophisticated solutions, it's important for any business to understand its options and incorporate appropriate authenticating technologies to safeguard their users and information.

—David M. Cieslak, Information Technology Group, Inc. (ITG),
a computer consulting firm in Woodland Hills and Simi Valley, Calif.
He specializes in micro-computer accounting systems, information security,
and the Microsoft Windows operating environment.