Methods for (1) people differ significantly from those for authenticating machines and programs, and this is because of the major differences in the capabilities of people versus computers. Computers are great at doing (2) calculations quickly and correctly, and they have large memories into which they can store and later retrieve Gigabytes of information. Humans don’t So we need to use different methods to authenticate people. In particular, the (3) protocols we’ve already discussed are not well suited if the principal being authenticated is a person (with all the associated limitations).
All approaches for human authentication rely on at least one of the following:
• Something you know (eg. a password). This is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something that you know can become something you just forgot. And if you write it down, then other people might find it.
• Something you (4) (eg. a smart card). This form of human authentication removes the problem of forgetting something you know, but some object now must be with you any time you want to be authenticated. And such an object might be stolen and then becomes something the attacker has.
• Something you are (eg. a fingerprint). Base authentication on something (5) to the principal being authenticated. It’s much harder to lose a fingerprint than a wallet. Unfortunately, biometric sensors are fairly expensive and (at present) not very accurate.
