Friday, February 07, 2014

Something you have (and some other things you have)

The trinity of 'Something you know, something you have, and something you are' is the default model for describing authentication options.

The three are traditionally described as follows

  1. The 'know' factor is a secret like a password or a PIN. 
  2. The 'have' factor is some physical object in your possession. 
  3. The 'are' factor is a biometric like finger or retina print.
Think about the 'have'. It's clearly not enough to merely have possession of a SecureId or smart phone. You have to demonstrate (or prove) possession of that object. Typically, possession is proved by entering in some OTP, or responding to a challenge sent to that object. 

Now consider the 'know'. When I enter a password to login, what am I doing other than proving possession of (the knowledge of) the shared secret?

And for the 'are' factor, when I enter Canada using a Nexus kiosk, what am I doing other than proving possession of my retinas?

Would it not be simpler to model all authentication operations as 

Something you have (with various proof mechanisms) 

We are headed to a future where the things we have (see this) will be more and more involved in our authentication. While the phone may have primacy at the moment, over time it will become just one of many devices floating around us with an opinion on our status & presence (and an ability to assert it). 

So perhaps the ultimate model for describing authentication is 

Some things you have (with various proof mechanisms) 

You can take it with you (if you have a super long ethernet cable)

In a post titled 'Can you take it with you? Uninstalling the internet of things', Stacey Higginbotham considers how the installed base of home automation gear will impact moving households.
of the installed $250 thermostats or the $60 light bulbs, what comes with you if you have to move
Well clearly the fridge is coming with.

Two commenters propose what seems to me the smartest (as it minimizes effort) route

Bob Sanders' comment hilites a procedure & mechanism that I don't think has received sufficient attention as yet.

What would it look like for the new owner to 'establish his own credentials'? What accounts need be created? What assistance would the new owner be given - without the inevitably discarded original owners manual?

How would the privacy of the previous owner be ensured? Should all data be erased and the new owner start from a (freshly) blank slate? But as there can be value in historical data (why are my heating costs significantly more than the previous owner's? etc) could we contemplate moving overly some suitably anonymized version of the data (presuming consent)?

Beyond the devices themselves, what of the IFTTT-type rules that the previous owner might have defined for their operation? A lighting system is much more valuable with appropriate customized themes, such as 'Watching a movie'. Are these rules & patterns transferable to the new owner?

It seems to me that transitioning a device from one user to another is a special case of the more general mechanism of how to bind a fresh from factory device to its first user - and the associated questions.

  • How are these two identities associated?
  • How and where is the user's consent captured?
  • How is that consent manifested? How is it revoked?
  • How is the device added to the home network? 
Bob posed his question in terms of 'credentials', but those are I think simply a manifestation of the more fundamental identities involved.