Multi-factor security authentication is not a new concept; we’ve been doing it for centuries. Kings’ messengers carried both a seal from the king and a password. Speakeasy doors had special knocks and code words. Secret societies showed tokens and had known members vouch for identities. Aside from the technology shifts over the years, not much has changed in multi-factor authentication, except how we mechanize the process. The reality is that current multi-factor systems are no different from those of centuries past, even in the way attackers (including modern-day hackers) attempt to bypass them – but with one significant exception.
And this one exception is that in our modern technology age, we in the security business have categorically stated that there are only three factors available:
- What you know, such as passwords, PINs or challenge questions
- What you are, such as thumbprints, retinal scans, and face recognition
- What you have, such as tokens and certificates
What we have lost – or maybe not accepted – is that more factors than just these three have socially existed over the centuries. These other factors are just as strong and definable, and we have probably long exploited them in authentication and identification processes. But we simply have not found a way to exploit them technologically in a way that we can all agree on.
In the “what if you could” scenario, what could these other factors be? For example, they could be the mirror opposites of the existing three, well-defined factors that are equally as useful. Some of these factors could include:
- What you are not
- What you do not have
- What you do not know
- And I would add two more – what you do not do and what, in spite of all evidence to the contrary, someone else says it is
However, one of the great challenges is to define how these other factors would be practically applied. Why? Simply put, factors are only useful (and therefore only exist) if they can in fact be coded and made into a working piece of software in modern culture. For example, let’s envision a challenge question that mixes the known and the unknown. Some may dispute whether this is a viable example, arguing that my identity is as much a factor as those items I do not know. With sufficient effort, similar objections can be raised for every one of these items, and for each we can debate endlessly whether or not it is a factor.
But there is still hope. Outside of the primary three security authentication factors we currently use, there is one factor that has, I believe, at least two real world implementations. I call this the “Peter Mayhew” factor. The reason for that goes back to Peter himself. Peter Mayhew is the actor who plays Chewbacca in the Star Wars series. There is a story that when he was filming “Empire Strikes Back” he was sick one day, and they used another actor to film his scenes. When the film was reviewed, those parts of the film had to be cut out because Chewbacca was obviously not Chewbacca. Something was off – it was not him. The truly interesting part of this story is that the Chewbacca costume completely hides the actor, except for his eyes. How did we know? In some indefinable but inherently socially agreed upon way, we just knew.
How do we know that a guy dressed in a giant fuzzy suit is or is not this specific actor? We can’t see the person, so it is not who they are. He doesn’t say anything intelligible, so it is not what they know. And both actors are wearing the same costume, so it is not what they have. Yet we can accurately identify the “real” Chewbacca without any of these factors. This leads us to the fourth factor – what we socially agree an identity is. As in the example of Chewbacca and the Peter Mayhew factor, I believe that we as a social group collectively define identity, and in doing so establish this fourth factor.
But does this security authentication factor exist programmatically? I believe it does. In fact, today there are at least two implementations using this fourth factor that are in widespread use (and probably others). The first is bitcoin. Bitcoin is a digital currency that has value and exists because we say it exists – the same way that the US dollar has value because we all collectively agree it has value. Bitcoin is simply a mathematical construct (looking for hashes that match a certain format) that has been assigned a value by market economics. We use blockchain technology to assign its currency value to an individual, and that individual has ownership because we publish the information publicly. As a group, when we add to the chain, we accept those changes as valid from a social perspective, as long as they follow the rules defined by the group.
The second instance is the software company MIRACL (formerly Certivox) – and for full disclosure, NTT, for whom I work, owns 20% of MIRACL, which is how I stumbled across this idea. In his paper “How to Renew Trust in the Internet”, Chief Cryptographer Michael Scott states that our trust for identity is upheld and managed in ways that are fundamentally broken. Additionally, as is the basis of MIRACL’s technology, identity should not be defined by a single source, as is the nature of digital identity now, but rather defined as the collective sum from multiple providers – a compromise of any one provider invalidates the identity. Only when you compromise all providers can one compromise the identity. And here we have an implementation of the fourth factor, social agreement of identity.
Only by social agreement can an identity be authenticated, and as long as at least one of the social agreement sources is truthful, the identity cannot be compromised. From that, we have at least one factor beyond the traditional three. And if we have identified one more factor, then most likely, many more exist.
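The multi-provider property described in the last two paragraphs (compromising some providers yields nothing; only compromising all of them yields the identity) can be shown concretely with additive secret sharing. The Python below is an added illustration of that principle, not MIRACL’s protocol or code; the provider names, keys and the XOR-of-shares scheme are constructed for the example.

```python
import hmac
import hashlib
from functools import reduce

# Constructed example: three independent identity providers, each holding only
# its own master key (placeholder labels, not real providers).
PROVIDER_KEYS = [b"provider-A-master-key", b"provider-B-master-key", b"provider-C-master-key"]


def provider_share(provider_key: bytes, user_id: str) -> bytes:
    """One provider derives a 32-byte share for the user from its own master key."""
    return hmac.new(provider_key, user_id.encode(), hashlib.sha256).digest()


def combine(shares) -> bytes:
    """Client-side identity secret: XOR of every provider's share."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), shares)


def enroll(user_id: str, provider_keys) -> bytes:
    """The relying party stores only a hash of the combined secret, never the shares."""
    return hashlib.sha256(combine([provider_share(k, user_id) for k in provider_keys])).digest()


def authenticate(stored: bytes, presented_secret: bytes) -> bool:
    """Constant-time check of a presented combined secret against the enrolled hash."""
    return hmac.compare_digest(stored, hashlib.sha256(presented_secret).digest())


def attacker_attempt(compromised_keys, user_id: str) -> bytes:
    """What an attacker can reconstruct after compromising only the listed providers."""
    return combine([provider_share(k, user_id) for k in compromised_keys])


def run_demo(user_id: str = "alice") -> dict:
    stored = enroll(user_id, PROVIDER_KEYS)
    honest = combine([provider_share(k, user_id) for k in PROVIDER_KEYS])
    # Two of three providers compromised: the XOR still lacks one share that is
    # pseudorandom to the attacker, so the result is unrelated to the real secret.
    partial = attacker_attempt(PROVIDER_KEYS[:2], user_id)
    # One provider lies (substitutes a rogue key): the identity no longer verifies,
    # so a single dishonest provider cannot impersonate the user either.
    lying = combine([provider_share(k, user_id) for k in PROVIDER_KEYS[:2] + [b"rogue-key"]])
    return {
        "honest_ok": authenticate(stored, honest),
        "partial_ok": authenticate(stored, partial),
        "lying_ok": authenticate(stored, lying),
        "all_compromised_ok": authenticate(stored, attacker_attempt(PROVIDER_KEYS, user_id)),
    }


if __name__ == "__main__":
    print(run_demo())
```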