News and updates
In Praise of the Humble PIN, Authentication that works for the Web.
Dr Michael Scott
By which I mean the Personal Identification Number. Most days we use it in conjunction with our ATM card to perform relatively large value transactions. As such its a pretty proven way of authenticating ourselves. So if we already have the authentication problem solved, why don’t we use the same method when authenticating to services on the Web? Why do we persist with the much more inconvenient and insecure Username and Password combination, rather than a Card and PIN number type of solution?
As we all know a PIN is much more convenient than a password – its shorter and much easier to remember. Without getting into too much detail the basic reason for this is that the Card and PIN are associated with one another (by the Bank), whereas any password can be used with any Username.
For now think of the Card as being analogous to the Username, and the PIN to the password.
Classic multi-factor authentication recognises three different classes of authenticators – something we are, something we have, or something we know. However I would group the first two together. If the something we have were embedded into us, then it would become part of who we are. The fact that the card is in my wallet and not embedded in my arm, is arguably only a minor detail. You only have to look at a commuter staring into their mobile phone to appreciate that the phone is really part of who they are. Its an extension of their hand!
So to my way of thinking if we really want two authentication factors that are completely independent of one another, one should be "something we are/something we have" and the second should be "something we know".
With Username and password the authenticators are something we are (our Username) plus something we know (the Password).
With Card and PIN its something we have (the Card) plus something we know (the PIN).
Now a Username isn't a great authenticator. Its stored in the clear on the Server, and it may well be our email address which is known to lots of people. So Username and Password is considered as just one-factor authentication.
Where do biometrics come in? Well a biometric is definitely a much better "something we are" type of authenticator. Nonetheless it is much closer to being a Username than it is to being a Password. For one thing you can't change it. And it may in fact be known to others, as unless we live as hermits we spend most of our day actively putting our biometrics out there into the public domain, our faces, our fingerprints (they are all over everything we touch!), our voices etc.
The modern trend seems to be towards a combination of biometric (something we are) and the mobile phone (something we have). But to my way of thinking that's just two Usernames. Both can be taken from us.
The great thing about a PIN or a Password is, that unless mind-reading becomes a possibility, it cannot be extracted from us by any kind of clever technology. And we can change it on a whim.
Which brings me full circle back to my original question. Why don't we use the proven Card plus PIN combination on the Web? Clearly choosing a PIN and committing it to memory is the easy part. The problem is – how do we emulate the Card part, and how do we associate it with the PIN?
Let's first demystify the Card. Before the advent of Chip-and-PIN the card's payload was just a blob of data recorded on a readable magnetic strip. The Chip was introduced to facilitate off-line payments – and relieved us of the need to manually sign anything after we paid for that meal. But to this day a bank's ATM machine reads only the contents of the magnetic strip (and completely ignores the Chip if the card even has one).
So if all we need is a blob of data and a PIN number, what is stopping us? Well the banks have a big advantage here, as they use specialised hardware and they control more of less everything from the ATM all the way to the back-office. In the Web context we do not have such control, and certainly not over the communications links. We cannot even be confident that the client database, that allows the server to authenticate us, will not be stolen by a clever hacker.
Actually what was stopping us was that until recently there was no known cryptographic technology, which didn't require expensive specialised hardware support, that could get the Card and PIN idea to safely work over the Web. Then along came MIRACL and MIRACL Trust ZFA®! Read more about user authentication or try our demo in just 5 minutes.