2

I know the difference between identification and authentication, which are basically claiming who you are and proving that claim. In terms of a system, they are generally the username and the password.

But what about biometrics like brain waves? They are somehow the username plus the password at once: they can actually tell a system who you are and at the same time prove that you are who you are (assuming such biometrics are impossible to steal).

I am not concerned about the feasibility or appropriateness of such a biometric system. My question here is: can I argue that such an identification process also implies / includes (or whatever the better term is) authentication?

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
Victor Wong
  • 123
  • 4

3 Answers

2

Not sure whether it can be used as a standalone authentication system, but it can be used as part of a multi-factor authentication system.

Reference:

More info:

Identification

Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.

In the information security world, this is analogous to entering a username. It’s not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as, and that’s the next one on our list.

Authentication

Authentication is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as “jsmith”, it’s most likely going to ask you for a password. You’ve claimed to be that person by entering the name into the username field (that’s the identification part), but now you have to prove that you are really that person. Most systems use a password for this, which is based on “something you know”, i.e. a secret between you and the system.

Another form of authentication is presenting something you have, such as a driver’s license, an RSA token, or a smart card. You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication.

Once you’ve successfully authenticated, you have now done two things: you’ve claimed to be someone, and you’ve proven that you are that person. The only thing that’s left is for the system to determine what you’re allowed to do.

Ijaz Ahmad
  • 1,592
  • 1
  • 11
  • 20
  • I am not concerned about whether it is feasible or not. It's something like this: if I am holding a membership card representing myself, and the rest of the world trusts that this card can only be held by me, then when I use this card to enter a secured room, the guard can already say my name (he has identified me). Does this process also imply authentication? – Victor Wong Jun 27 '16 at 10:44
  • Identification is not the same as authentication. If the card is bound to your identity, that works only when only you can use it; then it implies authentication. – Ijaz Ahmad Jun 27 '16 at 11:38
  • @VictorWong: The card has your name => identification, the card has a photo that the guard can compare to your face => authentication. – WhiteWinterWolf Jun 27 '16 at 11:42
2

This seems a bit like using the password for both purposes.

Technically this works: as long as people are using strong enough passwords, all people's passwords will be unique (as a good biometric would be), and therefore you can imagine a system where identification too can be accomplished using only a password.

However, this would open a big flaw, since an attacker would no longer need to find the authentication matching a certain identity: all he would have to do is guess any valid authentication matching any identity, and access would be granted.

This makes the attacker's task far easier, which in turn makes such a system unsuitable as a main access control.

However, in high security environments, such a system could easily be adopted as an unobtrusive second line of defense:

  • At the facility or area entrance you do a traditional identification + authentication check,
  • Within the facility or area you implement unobtrusive checks that avoid employees wasting their time identifying themselves each time they want to open a door or cross a hallway, but that allow you to detect whether someone managed to bypass the main entrance security system.

Now, following your comment, from a more theoretical point of view, "if the "password" is strong and unique enough (assuming no attacker can imitate, I know this assumption is impractical though)", then yes, the whole identification + authentication system can rely on the authentication process.

Even though it goes outside the biometric world, I can think of a concrete application of this: X.509 certificates.

While certificates by themselves respect the duality of identification (distinguished name) and authentication (certificate owner's private key), a certificate's security actually relies on the fact that every secret key composing the certification chain must remain unknown. It is therefore sufficient for an attacker to find any of the private keys composing a certificate's trust chain to break the corresponding certificate-based authentication system (he would then be able to forge new "valid" certificates at will, or, to use your wording, to imitate a valid signature).

This works because certification chains are usually short; they do not count thousands of levels. While it is sufficient for an attacker to find any key, the range of valid keys remains very narrow while the range of possible keys is huge, thus keeping such an attack impractical (fortunately!). In other words, this allows us to assume that an attacker cannot imitate legitimate certificates.

In theory you could extend this to biometric authentication at a given point in time. This does not solve biometric-specific issues, but as long as an attacker is not able to find or reproduce any identification/authentication token, no matter what it is, then yes, you can merge identification and authentication into a single step.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • Thanks for the great explanation. I just need a simple yes/no answer - if the "password" is strong and unique enough (assuming no attacker can imitate, I know this assumption is impractical though), can a successful identification also imply successful authentication? – Victor Wong Jun 27 '16 at 14:17
  • @VictorWong: Answer updated! – WhiteWinterWolf Jun 27 '16 at 15:22
  • Thanks for the update. The example of X.509 is excellent. Marked accepted! – Victor Wong Jun 27 '16 at 15:30
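The following is an added example, not code from either answer above. It models the two-step flow Ijaz Ahmad's answer describes (identify by username, then authenticate by secret) next to the merged scheme WhiteWinterWolf's answer discusses (the secret alone identifies the account), and it makes the answer's two observations concrete: every secret must be unique for the merged scheme to work at all, and the fraction of the key space that a blind guess can hit grows with the number of valid tokens (enrolled users, or private keys in a certificate chain). The user store, the secrets, the hashing choice and the function names are all constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def _digest(secret: str) -> str:
    """Hash a secret so the store never holds plaintext.  Unsalted SHA-256
    keeps the example short; a real system would use a slow, salted
    password hash.  (Constructed helper for this example.)"""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed user store.  Carol and Dave deliberately share a secret so the
# example can show what happens when the "all secrets are unique" assumption
# behind the merged scheme fails.
USERS: Dict[str, str] = {
    "alice": _digest("correct horse battery staple"),
    "bob":   _digest("Tr0ub4dor&3"),
    "carol": _digest("hunter2"),
    "dave":  _digest("hunter2"),
}


def login_classic(username: str, secret: str) -> Optional[str]:
    """Identification first (username), then authentication (secret).
    Returns the authenticated identity, or None on failure.  A wrong
    guess can only fail against the single account it targeted."""
    stored = USERS.get(username)
    if stored is None:
        return None
    return username if hmac.compare_digest(stored, _digest(secret)) else None


def login_merged(secret: str) -> Optional[str]:
    """Identification by the authenticator alone: whichever account holds
    this secret is taken as the identity.  Because identity is derived from
    the secret, an ambiguous match (two accounts, one secret) cannot name a
    user and is refused."""
    digest = _digest(secret)
    matches: List[str] = [user for user, stored in USERS.items()
                          if hmac.compare_digest(stored, digest)]
    return matches[0] if len(matches) == 1 else None


def blind_guess_success(key_space: int, valid_tokens: int) -> float:
    """Probability that one uniformly random token out of `key_space`
    is accepted when any of `valid_tokens` distinct tokens will do:
      - classic login: valid_tokens == 1 (the guess targets one identity)
      - merged login:  valid_tokens == number of enrolled users
      - certificate chain, in the answer's sense: valid_tokens == number of
        private keys in the chain (a handful) against the whole key space
    The merged scheme is therefore `valid_tokens` times easier to hit."""
    return valid_tokens / key_space


if __name__ == "__main__":
    print(login_classic("alice", "correct horse battery staple"))  # alice
    print(login_classic("bob", "correct horse battery staple"))    # None
    print(login_merged("correct horse battery staple"))             # alice
    print(login_merged("hunter2"))                                  # None: ambiguous
    # Each enrolled user widens the target a blind guess can land on.
    for n_users in (1, 4, 1000):
        print(n_users, blind_guess_success(2 ** 40, n_users))
```

The `blind_guess_success` ratio is the quantitative form of the answer's argument: with one target identity the acceptance rate is 1/key_space, with the merged scheme it is n/key_space, and for a short certificate chain n is so small relative to the key space that the merged property is harmless in practice.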
1

Here are a few things you need to consider:

  1. Biometrics can be stolen fairly easily. We haven't yet figured out any biometrics which can be verified by one party and one party only. You leave fingerprints everywhere you go, and HD cameras may be developed in the future that could gather enough resolution for a retina scan.

  2. Biometrics are immutable. Once leaked, you can't change your retina, fingerprint, or brain wave patterns. Not easily, at the very least.

  3. Biometrics are fickle. Your finger may get cuts, you may get cataracts, so you need a backup access method.

  4. The security of biometrics depends on the security of the reader. Unless you carry your own trusted biometric reader, you're essentially trusting a machine that's put in a fairly public place, by whoever.

Biometrics are convenient, and in low security settings biometrics can be sufficient, but serious security would never rely on biometrics alone.

Lie Ryan
  • 31,089
  • 6
  • 68
  • 93