My interpretation of what interests and confounds me ....

Thursday, February 18, 2010

Desi ingenuity defeats state-of-the-art authentication mechanism

Authentication in the digital domain is a tough nut to crack. Beginning with admitting authorised personnel into their workplace (that is a vertical in itself, and goes by the name of access control), through allowing users secure access to their compute infrastructure/workstations, to accounting for electronic signatures, it covers the gamut of operations that makes one's (and the security administrator's) life secure in the digital domain.

There are myriad technologies that come to the rescue of the harried systems administrator, who is usually the one saddled with this unenviable task - that of ensuring fool-proof authentication mechanisms for the organisation's burgeoning information assets and for access to its premises. Most (if not all) solutions use either one, or a combination, of what is classically quoted by the security engineer as "what you know", "what you have", and "what you are" (By now you would have guessed that, like other professionals, the IT guy too revels in propagating her/his lingo, if not for anything else, to observe the discomfiture of mere mortals squirming at their abysmal ignorance).

Be that as it may, some illumination on the (dense) pronouncements made in the previous paragraph is considered inescapable. The pecking order begins with "What you know" (WYK), which (in plain-speak) refers to "user id" and "password" ('cause that's what only you (at least theoretically!) know!). Most rudimentary systems easily survive with this basic level of authentication instruments. At the next level are the "What you have" (WYH) contraptions. These are essentially chip-based cards (of the size of a credit card, that you carry, and therefore "have") that contain some unique information about the entity to be authenticated (that's geek-speak for the guy authorised to hold the card!). These could be "contact" or "contact-less", meaning one either needs to slip the token (that's the card's other name!) into a slot on a card reader (just like one inserts an ATM card to draw out money, although with an ATM the results are far more encouraging!), or hold it close enough for the card reader to recognise its presence. The proximity at which the card reader recognises the card (that reminds me - this kind of token is also called a proximity card - and you know where it derives this name from) has a lot to do with the way it communicates with the card (radio frequency being just one such medium). Finally, at the highest echelon, sit the snobbish "What you are" (WYA) devices. These require additional hardware (wonder why I didn't use that terminology before) in the form of fingerprint readers, iris scan devices, voice-recognition systems, retina scan devices (just listening to that jargon drives the IT security types to the Big O!) etc. to authenticate (perfectly normal) human beings by using their unique biological assets (these incidentally have nothing in common with the "assets" that drive the Big O, but make you what you "are").

As one may have guessed by now, the security of the authentication system is built layer by layer, with the bottom-most rung comprising systems with WYK devices. As we move up the value-chain, systems begin to deploy a combination of two concepts (WYH and WYK), till we come to the really pricey ones (in more ways than one), that employ all three concepts (WYK + WYH + WYA).

All systems are known to suffer from false negatives (yet another geek-speak, that refers to the system failing to recognise an authorised entity) or false positives (that's when a crook is allowed access), some more than others. For instance, a sore throat may render the voice-recognition system unable to recognise a valid user. Ditto for an infection in the eye with the iris scan. As regards biometrics (fingerprints in particular), it is touted as the closest to a fool-proof authentication system. And that's when the infamous Indian ingenuity checks in.
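As an added illustration (not part of the original post), the three factors and the false-negative/false-positive trade-off can be modelled in a few lines of Python. Everything below is constructed for the example: the password, the card secret, the toy fingerprint "template" (a list of numbers), and the similarity scores; a real matcher and a real card protocol are far more involved. The point it shows is twofold: how WYK and WYH sit underneath WYA in a layered policy, and how moving the biometric match threshold trades false rejects (genuine users turned away) against false accepts (impostors let in).

```python
import hashlib
import hmac
from dataclasses import dataclass

# All values in this file are constructed for illustration; none come from a real system.
SALT = b"constructed-salt"

# Constructed match scores (0..1) from a toy matcher: genuine users vs impostors.
GENUINE_SCORES = [0.95, 0.90, 0.70, 0.85]
IMPOSTOR_SCORES = [0.30, 0.50, 0.82, 0.40]


def derive_password_key(password: str) -> bytes:
    """WYK: keep a slow, salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


@dataclass
class Enrolment:
    password_key: bytes            # what you know
    card_secret: bytes             # what you have: secret provisioned on the token
    fingerprint_template: list     # what you are: toy template, a list of floats


def make_enrolment() -> Enrolment:
    """Constructed sample user: one password, one card, one fingerprint template."""
    return Enrolment(derive_password_key("correct horse"),
                     b"constructed-card-secret",
                     [0.5, 0.5, 0.5, 0.5])


def verify_password(e: Enrolment, password: str) -> bool:
    return hmac.compare_digest(e.password_key, derive_password_key(password))


def card_response(card_secret: bytes, challenge: bytes) -> bytes:
    """Token side of WYH: answer the reader's fresh challenge with an HMAC."""
    return hmac.new(card_secret, challenge, "sha256").digest()


def verify_card(e: Enrolment, challenge: bytes, response: bytes) -> bool:
    """Reader side of WYH: a replayed response fails because the challenge changes."""
    return hmac.compare_digest(card_response(e.card_secret, challenge), response)


def biometric_score(template: list, sample: list) -> float:
    """Toy similarity in [0, 1]: 1 minus the mean absolute difference per feature."""
    diff = sum(abs(a - b) for a, b in zip(template, sample)) / len(template)
    return max(0.0, 1.0 - diff)


def verify_biometric(e: Enrolment, sample: list, threshold: float) -> bool:
    return biometric_score(e.fingerprint_template, sample) >= threshold


def error_rates(genuine: list, impostor: list, threshold: float) -> tuple:
    """FRR: share of genuine users rejected (the post's false negative).
    FAR: share of impostors accepted (the post's false positive).
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def authenticate(e: Enrolment, password: str, challenge: bytes, response: bytes,
                 sample: list, threshold: float = 0.8) -> str:
    """Layered policy: WYK and WYH are mandatory at every rung, WYA is the top rung.
    A biometric reject is never a free pass: the attempt succeeds only on the
    strength of the first two factors and is marked for audit, so a cracked-finger
    exception is visible in the logs rather than silently waived."""
    if not (verify_password(e, password) and verify_card(e, challenge, response)):
        return "denied"
    if verify_biometric(e, sample, threshold):
        return "granted"
    return "granted-biometric-exception"   # log and review; do not bypass the policy


if __name__ == "__main__":
    for t in (0.6, 0.8, 0.9):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.1f}  FRR={frr:.2f}  FAR={far:.2f}")
```

Run as a script it prints the FRR/FAR pair for three thresholds, which is the whole trade-off in one table: with the constructed scores a threshold of 0.6 rejects no genuine user but accepts one impostor in four, while 0.9 accepts no impostor but turns away half the genuine users. Whatever the real cause of the MCD rejections, the defensible response is to keep the lower rungs mandatory and audit the exceptions, not to drop the check.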

Employees of the Municipal Corporation of Delhi (MCD), who were issued with biometric cards to punch in their entry to workplaces for marking attendance, have come up with the ludicrous claim that diabetes has prevented the biometric readers from recognising them. As one can imagine, there is more to it than meets the eye. The real reason apparently is that over 20,000 employees were being paid without fingering in their hours. Roughly a third of these, reportedly afflicted with the condition, have blamed diabetes for causing their fingers to wrinkle or crack and, subsequently, the biometric system failing to recognise them. The skeptics, however, have called their bluff, claiming that those who blame their affliction are trying to skip work without being noticed. Local doctors have also found the reasoning of the diabetics questionable, as they have never seen such results in diabetic patients in the past (see the Hindustan Times of 15 Jan 2010).

As they say man proposes, and technology dispossesses.
