-1

What are some systems of identity verification that fits these sort of constraints:

  1. Doesn't require the subject know a specific piece of information (e.g. always know a password or birthday)
  2. The authenticator isn't guaranteed to have a specific piece of information about the person (e.g. they don't have everyone's fingerprints)
  3. The authenticator has all public and semi-public information (e.g. possible profile pictures, all reasonably accessible web content, open sourced data, and perhaps some data you can purchase, no government surveillance info)
Maggie
  • 99
  • 2
  • TOTP systems satisfy all those requirements - no one knows anything except the time and a shared seed – schroeder Nov 09 '17 at 23:34
  • Without boundaries, this is impossible to answer. There is no public, accessible, digital data for most of the world's population. Even for highly connected countries, there's going to be some subset of the population for which very little (if any) of this data exists, so a universal system under these constraints is simply not possible. – Xander Nov 09 '17 at 23:35
  • @schroeder TOTP does't satisfy the "only public information" requirement, or the "authenticator isn't guaranteed to have a specific piece of information" requirement unfortunately. At least as I read it,. – Xander Nov 09 '17 at 23:36
  • 1
    I think the answer would require a philosophical debate on the nature of 'identity' and if there is an element to there being a private factor to the data in order for it to be trusted as a true identity – schroeder Nov 09 '17 at 23:49
  • 2
    @Maggie I think you are going to have to unpack this a little bit. – schroeder Nov 09 '17 at 23:49
  • 1
    @Xander I think the condition is really that "The authenticator has _only_ public and semi-public information!", not _all_ the information. And actually intending to mean that it does not have _private_ information. I'm with schroeder that a TOTP would fit it. They would only need to enroll the TOTP, though. – Ángel Nov 10 '17 at 00:37
  • I guess I need to think more about what I even want to get out of this question. I was imagining a stateless (i.e. states as in countries) world and ways that authentication could happen between two people meeting for the first time without any central authorities. – Maggie Nov 11 '17 at 22:47
  • 1
    @MagO there is a protocol known as a "web of trust" where identity is decentralised, but that requires that there are 3rd parties involved who can vouch for the individuals. You present your identity and a token by the 3rd party that the other party also shares. – schroeder Nov 13 '17 at 07:28

2 Answers2

1

A government issued identity card / passport

Doesn't require the subject know a specific piece of information (e.g. always know a password or birthday)

No information from the user is needed.

The authenticator isn't guaranteed to have a specific piece of information about the person (e.g. they don't have everyone's fingerprints)

The authenticator validates that the ID is valid (issued by the government). This may be by physical inspection if we are in an IRL scenario, or by checking that it is signed by the proper government CA.

In any case, the authenticator doesn't need everyone's data.

The authenticator has all public and semi-public information

The authenticator doesn't need government surveillance info, he relies on that valid ID.

The identity is actually verified

If the identification is expected to be done by a human, comparing your photo against the one in the ID may be enough.

If the identification is against a machine, there are a couple of options:

a) the ID contains extra data that can be extracted by the authenticator (eg. it can read the fingerprints stored in the e-passport). This is inconvenient from a privacy perspective, though, as it requires the biometric data to be readable from the ID.

b) the ID has a chip which can validate the fingerprint data obtained externally (like some national ID cards do). The authenticator would provide a fingerprint reader, whose input would be passed to the ID card chip. If the chip accepts the identity as valid and shows evidence of being an actual ID, eg. verify that it can sign an authenticator-provided nonce with a certificate that is signed -and not revoked- by the government identity CA.

Ángel
  • 17,578
  • 3
  • 25
  • 60
1

Depending on your meaning, this may not be a workable system. There are three different types of factors that can be used for authentication, what you have, who you are and what you know.

What You Know For what you know, your constraint is that it can only use publicly available information. This rules this out as a secure means of authentication as anything that the public knows, an attacker also knows, so there is no acceptable private information in this category.

Who You Are You specifically mention not having finger prints, but it isn't really clear about what you mean by that point. If you have public information that is validated as genuine, it may potentially be useful to authenticate someone, but verifying the authenticity of submitted information is a problem since, again, the information is available to an attacker. If you control the system taking the authentication measurements you can make this work, but if you are working over the Internet, you are likely out of luck given the public knowledge constraint.

What You Have If people have some form of publicly validated cryptographic ID, this could be used for authentication. Similarly, if they do not, you could use a one time authentication via biometric measures and then issue a cryptographic ID that could be used for authentication. If authenticating in person, non-cryptographic IDs could also be used. That said, there is still the potential issue of theft. What You Have, on it's own, is a relatively weak form of authentication as it is the only one of the three factors that is trivially compromised via theft.

As you can see, this really doesn't leave a whole lot in the way of good options. You can go for public knowledge quizzes, but often times an attacker may actually have less trouble with this than a real person. If you ask an average person for information from their credit report for example, they are likely not going to know off the top of their head and if they look it up, so can an attacker. An attacker can also have a complete enough profile on hand to compete with a real person to impersonate knowledge of their life.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110