Identification Performed by Humans

Identification is a process whereby an identity claim is made and evaluated.

Cyber woman with technolgy eye looking

 

Organic Operations

Humans do this very naturally when we learn one another’s look, voice, walk and other mannerisms.  The more intimately we know someone the more difficult it is to forge or impersonate that identity in our presence.

The complexity of identification is compounded by the sensitivity of the rights that will be granted to the authenticated user.

To better demonstrate how the significance of the claim affects our trust level imagine someone wanting you to hold the elevator; that person doesn’t need to present overwhelming personal credentials as we tend to consider that behavior baseline civility.  However, someone asking you to trust them to keep your children all day probably gets a higher degree of scrutiny of their credentials.

Identification
Not only does the risk of fraud or impersonation increase but the significance of that potential compared to the overall volume of known attributes increases until it is effectively impossible to manage the possibility of fraud or impersonation without adding more factors or security controls.

 

To see how our intimacy with an identity’s credentials affects how we evaluate an assertion of identity, consider an intimate acquaintance (e.g. a spouse).  How easy would it be for someone to impersonate that person to you?  Would it be easier or more difficult for someone to impersonate him/her over the phone?  What about via text?  Could you tell if you were conversing with the authentic person or an impostor from the grammar and vocabulary?

Next consider a co-worker who’s a regular acquaintance.  How easily can you tell if that person is affected by something when you’re in their presence versus when you’re engaging one another via a conference call, instant messaging or e-mail?  What if that person left their computer unlocked, walked away and someone else used their account to send an e-mail?  Do you think you’d notice that the e-mail wasn’t from them?

The number of attributes by which you can authenticate an identity decreases as your intimacy with a subject decreases.  That’s because humans used one type of factor far more than any other and it’s easy for us to obviate and replace any given factor for a period of time.  Systems (and people) who are unfamiliar with an identity must rely on one of the other two factors besides what an identity is.

 

Factors

Identity depends on three types of credential factors:

  • Knowledge – something someone knows
  • Possession – something someone has
  • Inherence – something someone is

In our examples above the quality that makes it easier for humans to authenticate people with whom we’re familiar is Inherence.  I know someone because I know who/what they are.  I know my wife’s voice, her walk, her mannerisms and her attitudes.  Physically impersonating her to me would be much more difficult than if a friend of hers picked up her phone & texted me.  Similarly I have many data points stored subconsciously for friends of mine who would be difficult to impersonate.  My kids’ teachers, however, have far less data points by which I recognize and authenticate them.  Let someone from the school use one of the school’s “public use” e-mail accounts instead of their personal account and I have to look for their signature to tell who sent it.  I just don’t know their diction, tone or delivery via e-mail.

The data we have stored on intimate acquaintances still suffers from the fact that it can be hampered.  In security terms the Integrity of the data points can be messed with not by someone hooking us up to an electric current (although that would probably work, too) but imagine someone has an event like a car wreck that affects them.

Storytime

Your turn a corner in the hallway and see a friend walking towards you with a pronounced limp.

In this short story what would be your first statement or question be to your friend when you were at a comfortable speaking distance?  How much would you consciously evaluate the person coming towards you before you got to the point of speaking?

Humans use biometrics (inherence) constantly to identify people.  When our usual data about identifying someone aren’t met our conscious mind kicks in to examine other data we have stored and we induce a challenge/response process.

You: “Hey, Bill, what happened to your leg?”

Bill: “Had a motorcycle accident over the weekend.  I was trying to jump a shark on skis when I ….”

You probably don’t think of this as a challenge/response because we tend to think that we’re just inquiring but effectively your mind is reconciling failed data points that it has collected against known good data points about the person.  If you don’t believe me, imagine Bill suddenly spoke to you about three octaves higher and in another language.  Would you think that maybe you were asleep and dreaming or that Bill had been replaced by an alien or a spy or …?

 

Not all of us have as distinctive attribute as Harry's lightning scar
Not all of us have as distinctive an attribute as Harry’s lightning scar

 

Computer systems don’t yet have this volume of intimate data (although people are working on that) by which to make effective switches between biometric points.

When humans are confronted with challenges in identifying someone and we lack enough data points we tend to rely on Possession.  At work we have over 10,000 employees and I can remember about 150 of them on sight.  I know far less of them intimately enough to authenticate them (which thankfully isn’t my primary job).  To alleviate the burden we have two instances of Possession: a photo ID that’s issued by the company and proximity badges.  The photo ID affords me the opportunity to glance down and speak to someone by name (a social convention we all like) where the RFID badge allows automated security systems to identify the person and lock them out of areas they aren’t authorized to enter.

Police officers (and banks and voting precincts and …) use similar identification items with driver’s license (or bank cards/checks or voter’s registration cards or …).

When it comes to computer systems, however, issuing an item of Possession is costly at scale.  Key fobs cost for the hardware as well as the service.

RSA key fob

When an identity is associated with this item and the item is compromised it is costly to replace.  Given that computer systems lack the ability to easily use Inherence at this point we’re left with Knowledge or passwords.  Something a person knows is easily the least expensive and most effective factor to use.  It’s no more onorous for the user than if every bank account & website issued them a key fob for them to keep up with but it does depend on their conscious interaction.

Efforts are underway, and have been for several years, to digitize authentication of identities in ways that are similar to how humans identify one another but we’re not there yet.  Machine learning may help us move forward but some of the most advanced systems commercially available have demonstrated to us that computer systems need to rely on different attributes of inherence than humans do to make similar authenticating decisions.  Where I might notice Bill’s limp and issue a challenge that allowed me to corroborate that data point against his voice and the logic of his explanation given that I know Bill’s penchant for adrenaline-based activities, computer systems don’t perceive humans the same way and they tend to rely on digitized points of data.  Thus, logging in from a particular IP address range, having a cell phone respond with its GPS location to a ping and receiving an SMS message might give a computer system multiple factors upon which to base its evaluation of the identity claim you submitted.

Perhaps some day we’ll teach computers to automatically and effectively recognize us by our biometric attributes although we know that facial recognition systems have been used by well-funded agencies for years with varying degrees of success.