Shostack + Friends Blog Archive


There are three types of authentication

They are:

  1. Something you’ve lost,
  2. Something you’ve forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he’s done (2), and his solution to the problem. It’s a classic tale of how more is often less when it comes to security. Lest you think otherwise, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the “ooo, shiny” technolust making you think that something is a good idea when it isn’t. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

photo courtesy of split-ends.

8 comments on "There are three types of authentication"

  • Fred Wamsley says:

    Eric’s problem could have been solved by writing down the password: see my arguments for writing down passwords. Bruce Schneier has pointed out that the conventional wisdom can easily be wrong and that a written password IN A SAFE PLACE can be a good idea. It’s as practical as a spare car key.

  • Orv says:

    Good point, Fred. I sometimes tell people to write their password down and put it in their wallet. No one is going to take their wallet without them being aware of it, and if that happens they can simply change the password to something else. Far better than “hiding” it under the keyboard, which is most people’s first inclination.
    The story also reminds me that one laptop I played with allowed you to register more than one fingerprint, so you have another one to try if you injure a finger. Using a fingerprint as a key would seem to violate the principle in the previous post, though, since you’re relying on a secret you can’t change. 😉

  • Orv says:

    Oops, guess it was two posts ago. 🙂

  • Mordaxus says:

    Many years ago, each system I worked on required a twelve-character, pre-generated password. They were changed every two weeks. I also regularly worked on a good half-dozen computers. All of us wrote passwords down and kept them in our wallets, but with little tweaks.
    I would frequently omit one character, or write an extra one. I could remember what I had done to it, easily. A friend of mine would ROT-1 a character.
    Nonetheless, this completely fried the password-memorizing parts of my brain. I’ve been horrible at it ever since.

  • Matt says:

    I have the Shmoo Group “Something I lost, (etc etc)” sticker on the bumper of my car 🙂

  • Kenton A. Hoover says:

    I think it might have been Russell Brand who started the “put your password in your wallet” meme, because how often do you lose your wallet? When I used to generate password lists for the operations staff at (omitted), they were on paper, but they were missing a key component. You just had to remember the key component, and the rest of the stuff you could look up until the new password was fully embedded in your fingers.
    When I set up my Thinkpad to use the fingerprint scanner, to prevent the problem this fellow encountered I enrolled multiple fingers on both hands. I figure if I lose both hands, I’m not going to need the laptop anymore anyway.

  • Iang says:

    The pogrom against written passwords dates back to the days of student labs and secretaries who entered the bosses’ accounts … and always wrote the password under their keyboard. Those days are long gone.
    Someone did point out that shoulder surfing is still a threat on aircraft. Frankly, if it is, I wonder if you have bigger problems, and shouldn’t open up your laptop at all…
    Another one that is also out of date and should be changed is the sodding password boxes that always print as ******.

Comments are closed.