Do You Need a Digital ID?

Anne & Lynn Wheeler lynn at
Mon Mar 21 22:11:51 EST 2005

Jerrold Leichter wrote:
> I don't think the 3-factor authentication framework is nearly as well-defined
> as people make it out to be.
> Here is what I've always taken to be the core distinctions among the three
> prongs:
> 	Something you know
> 		Can be copied.
> 		If copied illicitly, you can't tell (except by noticing
> 			illicit uses).
> 	Something you have
> 		Cannot be copied.
> 		Can be transferred (i.e., you can give it to someone
> 			else, but then you no longer have it)
> 		Hence, if transferred illicitly, you can quickly detect it.
> 	Something you are
> 		Cannot be transferred.
> 		Cannot be changed.
> 		Inherently tied to your identity, not your role.
> This classification, useful as it is, certainly doesn't cover the space of
> possible authentication techniques.  For example, an RFID chip embedded under
> the skin and designed to destroy itself if removed doesn't exactly match any
> of these sets of properties:  It's not "something you have" because it can't
> be transferred, but it's not "something you are" because it can be changed.
> Attempting to force-fit everything into an incomplete model doesn't strike me
> as a useful exercise.

but business rules for public(/private) key infrastructure can describe 
that only the associated authenticating entity is the only one in 
possession of the private key ("something you have") .... as a way of 
relating the objective of having a specific entity's exclusive ability 
to access and utilize a private key to three factor authentication.

almost all of the existing "something you have" authentication objects 
are capable of being counterfeited to a greater or lesser degree. 
possibly the widest deployed "something you have" authentication objects 
are magstripe plastic cards ... and it turns out they have been proven 
to be remarkably easy to counterfeit/copied. the distinction between the 
ease or difficulty of counterfeiting/copying a magstripe plastic card 
vis-a-vis a private key ... depends on the level of security used to 
prevent it from being copied. obviously a private key can be copied with 
relative ease (possibly much easier than a magstripe plastic card).

in general, you will find that almost all "something you have" 
authentication objects are subject to being copied ... the issue is the 
degree to which security processes are in place to prevent them from 
being copied. just because a private key ... represented by some 
sequence of bits can be easily copied ... when no protections are in 
force ... doesn't mean that there can't be security procedures put into 
place that would make it extremely difficult to achieve copying of a 
private key.

most models serve a useful purpose until somebody comes up with a better 
or more applicable model.

many of the 3-factor authentication implementations actually use some 
representation that allows the actual occurence to be implied by 
something else.

for instance "something you know" authentication can be done as a 
"shared-secret" where both the originator and the relying party are both 
in possession of the shared-secret. an example are keys in symmetric key 

however, it is possible to have "something you know" authentication 
where the secret is not shared. For instance if there is a hardware 
token that is certified to only operate when the correct PIN has been 
entered .... the PIN represents "something you know" authentication w/o 
having to share the secret with any other party (the relying party 
assumes that the correct PIN has been entered by a) being confident of 
the operation of the particular hardware token and b) the hardware
token having done something known & expected).

similarly, biometrics systems are frequently implemented as a form of 
shared-secret. an entity's biometric template is registered with some 
relying party .... and subsequent transactions are authenticated by
checking a new biometric template with the biometric template on file.
the x9.84 biometric standard devotes a great deal to the security for 
centrally stored biometric templates .... treating them as a greater 
security risk than traditional "something you know" shared-secrets. the 
threat is that somebody can obtain files of registered biometric 
templates and be able to subsequently retransmit them electronicly 
attempting to impersonate the associated person. The issue in the 
traditional 'something you know" shared-secret is that a PIN compromise 
can be reported and a new, replacement PIN/password created.
However, it is somewhat more difficult to replace a thumb or iris when 
there has been a reported compromise of "something you are" shared secret.

in any case, for all of the deployed existing authentication systems 
involving any one of the three factor authentication paradigms, all of 
the methods are vulnerable to copying to one degree or another. as a 
result, I would assert that criteria of being able to copy or not is not 
useful .... in all of the different three factors, it isn't whether they 
are copyable .... it is the difficulty with which they can be copied.
The difficulty that any of them can be copied or counterfeited can be a 
combination of their native characteristics and the level of security 
that they are wrapped in.

i would further assert that the meaningful aspects represented by the 
three=factor authentication model is not the native characteristic of 
the components but how the individual being authenticated interacts with 
the components .... i.e.

1) something you know .... implies that the person has to know the value

2) something you have ... implies that the person is in possession of 
the thing or value ... but doesn't actually know or have it memorized

3) something you are .... implies that it represents some physical 
characteristic of the person ... w/o the person needing to either know 
or otherwise possess the object or value.

all three methods can be implemented as static value or shared-secret 
implementations ... where the characteristic of the particular 
authentication mode is expressed as some static value and is vulnerable 
to shared-secret eavesdropping or skimming. "Something you know" 
shared-secrets can be eavesdropped and fraudulently used. A magstripe 
plastic card "something you have" is expressed as transmission of the 
contents of the magstripe, which can be skimmed and used to create 
counterfeit/copied cards. A "something you are" feature is expressed as 
biometric template which can be eavesdropped and used in fraudulent 
transmissions (or counterfeited in things like the gummy bear attack).

rather than interpreter 3-factor authentication as physical 
characteristics which are classified as being copyable or not-copyable 
... 3-factor authentication is frequently interpreted as how the entity 
being authentication relates to the authentication process.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list