How do we know that someone really
is who they claim to be?
In the “days of yore” (typically, the era of your
grandparents) a handshake was good enough
to back up a deal … a person’s reputation
was developed over time as he or she became
known in the community … however, as a
community becomes larger, and distance
greater, it becomes necessary to provide
formal documents that “vouchsafe” identity
Documentary proof of identity
The “usual” documents include
• Birth certificate
• Driver’s license (or alternative)
Along with others – college id, credit card,
even utility bills!
(What is needed to open a bank account
How reliable are such documents, in and of
themselves? In the aggregate?
… consider, if you were so inclined, how
could you build an alternate identity?
The Internet “community” is too large for
people to know everyone else directly, and
on-line “identities” such as ImAGoodGuy
can be changed readily; the face-to-face
methods aren’t available here to ascertain
who someone is, how reliable they are, and
what level of privilege is available to them.
The primary means to ascertain identity on
computing systems is by means of a user ID
and associated password or Personal
Identification Number (PIN).
A login to a network computer account
requires an ID and password, as does a dial-
up session to an Internet Service Provider.
Need some cash from an ATM? This, too,
requires a card (with an account number)
and associated password.
The use of passwords as the sole means of regulating
access is a notoriously weak method of
authentication. People choose passwords that are
easy to remember, which generally means that they
choose words or names that are familiar. This
practice restricts the range of passwords to a
fraction of what is possible, and by choosing
passwords that might be found in a dictionary they
become much more vulnerable to the most
common techniques of computer hacking.
Improving password security
• Disallow dictionary-based passwords
• Require combinations of upper and lower case
• Include non-alphabetic characters
• Require a minimum of, say, eight characters in a
password, as short passwords are easier to crack
• Limit the number of unsuccessful login attempts
• Implement a password expiration program such
that passwords expire at intervals (perhaps every
thirty days, or even every day or after each
• Implement “challenge and response” strategies that
require users to periodically reenter passwords
(either the original or second-level personal data)
during active secure sessions
• Ensure that passwords are encrypted for
transmission across networks
• Implement a physical security inspection
process that prevents “post-it” problems and
related physical security leaks
Given that the password mechanism is so
common, protecting everything from our
computer files to our bank accounts, it is
easy to overlook the fact that passwords
don’t authenticate users at all; they merely
indicate that someone knows the password!
There is no actual verification that the
person entering the code really is the person
that they claim to be.
This is a staggering realization. Our most
common method of user authentication
does not really authenticate the users!
Situations and environments requiring high
levels of security now rely on biometric
methods to verify identity, with statistically
higher levels of confidence … methods
include fingerprinting, hand-scans, voice
prints, retina scans, even DNA data.
Not all such techniques migrate readily to the
Internet environment – why not?
Whatever method is chosen for the
authentication of users, it should be
relatively non-obtrusive, and, ideally,
transparent to the user – unless the hassle
factor is part of the security strategy!
One approach that is quite intriguing is that of
“keystroke dynamics”. Consider that a weakness
with the existing password system is that anyone
can type in a correct password and gain admission
to the system.
Suppose, however, that the way that you type your
password is also retained every time you log in:
how long it takes to enter the password, the
duration of each keystroke, and the delay between
Initially, the system is “loose”, allowing some
variability in the entry, but as time goes on
the data establishes a “tighter” range of
acceptable patterns, and in so doing
increases the probability that the person
entering the password is the same one, every
time. The user might never know that the
system is in place, at least until the usual
pattern is broken and the login rejected.
Early research suggests that keyboard dynamics, that
is, the way that a user enters a password, can be
more discriminating than the use of fingerprinting!
Similarly, graphical passwords have the same
characteristics. Suppose that the authentication
process requires that you physically write or draw
your password. It would be difficult for a person to
replicate someone else’s drawing, and even more
difficult to draw it in the same way, with the
identical sequence of pen strokes and flourishes.
the use of biometric techniques and the
resulting stronger authentication associated
with their use would prevent now-routine
practices such as checking the e-mail of a
co-worker while traveling, but then there
are other, more reliable and accountable
methods involving shared access privileges
that would re-enable that sort of activity.
There is also the problem that any type of remote
authentication has certain risks of “man-in-the-
middle” sniffing and related “replay” attacks, such
that prior login attempts might be captured and
successfully resubmitted, but these too can be
addressed using other methods involving time
stamps and sequencing information.
And there’s always the possibility that if the
biometric patterns are too rigidly enforced,
an extra cup of coffee on the way to work
might prevent a user from accessing his or
her own account.
The need for user authentication commensurately
increases as the degree to which users access
privileged information or conduct financial
transactions increases. A solution that requires a
high level of confidence in the user authentication
process will likely use several techniques in concert,
so as to raise the probability of accurate
authentication as close to 100% as is possible.
An interesting early paper on user
authentication through keystroke analysis is:
Fabian Monrose and Avi Rubin.
Authentication via keystroke dynamics. In
Proceedings of the 4th ACM Conference on
Computer and Communications Security,
pages 48-56, April 1997.
Graphical passwords are explored in: I.
Jermyn, A. Mayer, F. Monrose, M. Reiter,
A. Rubin, "The Design and Analysis of
Graphical Passwords," In Proceedings of
the 8th USENIX Security Symposium,
Washington, D.C., August 1999.