Insider Intelligence: The New World of Authentication

July 12, 2013
Tattoos and biometrics on phones?

This article originally appeared in the July 2013 issue of SD&I magazine.

From my past life of being a card geek, I still get a lot of weekly periodicals about identification (ID) cards, secure credentials and NFC (Near Field Communication…I believe someday soon, due to NFC, your smartphone will replace all of your banking and credit cards, your ID cards and more,) but I digress…

Anyway, I found two recent articles to be really interesting and relevant. The Motorola idea is wacky, no question about it, regarding body tattoos to replace passwords and was recounted in SecureID News. Motorola has proposed an electronic tattoo fixed to the user’s skin as a means of authentication. The “biostamps” are being manufactured by Massachusetts-based engineering firm MC10. These tattoos contain soft electronic circuits that can be adhered to the user’s skin via a rubber stamp. According to the story, these biostamps that Motorola is experimenting with were initially designed for healthcare, but the mobile giant seems to think that the stamps could be used in the consumer sector as well.

But, hey it's all about authentication. We are all just trying to find better ways to really authenticate that you are who you say you are. This is our world of security. The more factors used to help somebody identify and verify someone, the more secure that transaction becomes. In another story from the same publication, reports from Taiwanese components suppliers “suggest that the next iteration of the iPhone–likely the 5S–will feature capacitive-touch, sapphire crystal Home buttons that will support a new form of fingerprint scanning.”

In addition, according to a report on the iPhone 5 News Blog, Taiwanese-based TechNews, who claims to have contacts within Apple’s chain of suppliers, revealed that Apple has opted to use sapphire crystal for iPhone’s Home button.

All these sources talk about adding layers of security; additional factors to help authenticate that person or that transaction— also known as multi-factor authentication. This is an approach to authenticating someone that requires the presentation of two or more of the three “official” authentication factors. These authentication factors are identified in the standards and regulations for access to U.S. Federal Government systems and are also a part of HSPD-12, Homeland Security Presidential Directive 12, that spawned the Federal Government smart card standards for identifying and verifying federal employees and contractors (FIPS 201, PIV, PIV II, PIV-I and so on).

These three authentication factors are:

  • Knowledge factor: something the user knows (e.g., password, PIN, pattern)
  • Possession factor: something the user has (e.g., ATM card, smart card, mobile phone)
  • Inherent factor: something the user is (e.g., biometric characteristic, such as a fingerprint)

When a bank customer visits an ATM machine, one authentication factor is the physical ATM card the customer slides into the machine (“something the user has”). The second factor is the PIN the customer enters through the keypad (“something the user knows”). Without the verification of both of these factors, authentication does not succeed. This scenario illustrates the basic concept of most two-factor authentication systems; the combination of a knowledge factor and a possession factor, and all of this to make a transaction more secure.

So now, when we add in the 3rd factor, something that the user “is,” as both of these articles talk about—we can potentially use all three factors to help truly identify and verify people and transactions. Now that’s secure (until something better comes along)!