You Can’t Have One Without the Other(s)

Remember the old New Yorker cartoon about the canine computer user telling his sidekick: „On the Internet nobody know’s you’re a dog“? That was back in 1993, but it still holds true. And hile many, myself included, relish the anonymity the Net gives us, the inability to prove conclusively who is on the other end of the line can be irking, and even downright dangerous, when large sums of money or the running of critical or possibly even existential systems is concerned.

Of course, the username/passwort currently used by almost everybody doesn’t prove who you or I are at all. It simply proves that there is indeed an entry in a database that uses these attributes, so anybody who knows them can get in. hat’s probaböy okay for most use cases. After all, the world as we know it won’t come to an end if somebody highjacks my Facebook account. And for thing like eBanking or PayPal I have additional ways of protecting myself: tokens, one-time passwords or Transaction Numbers (TANs), for instance. And yes, my laptop does have a fingerprint reader built in. I don’t have an Iris scanner yet, but these things are available if needed. There are lots of other methods out there, such as systems that analyze my typing behavior or listen to my voice patterns. One of my favorites is a system called “PassFaces” which makes you memorize the faces from pictures of total strangers whom you are then required to pick out from a matrix of mugshots. Presumably, if you can recognize, say, three people, then this must be the real you knocking on my digital door.

Unfortunately, each of these methods has its foibles and weaknesses, so relying on any one of them just gets us back to square A, namely a relatively insecure system. So why not use a bunch of them simultaneously? That’s the idea that occurred to the folks at Delfigo Security, a tiny South Boston start-up I visited recently. Their product, DSGateway, is supposedly able to analyze up to 17 different identity factors at once to create what Bharat Nair, who heads development at Delfigo, calls a “confidence factor” which I would describe as the probability of it really being me, as opposed to some crook or software robot trying to impersonate me.

According to Bharat, the attributes DSGateway goes after can be divided loosely into three categories: Personal (things only I can know, like my dog’s birthday), technical (things I carry with me like tokens, smartcards or smartphones), and human (things that are a part of me, like my fingerprint or the way I type a text on a keyboard). The system will also draw on hardware and software factors such as IP addresses, browser types, monitor resolution, operating system, etc., and in the case of mobile users, location information can also be figured in. (BTW: What good are the “mobile TANs” German banks are becoming increasingly fond of if the user if doing his home banking from the same smartphone he or she is receiving the SMS or text message on? Good question raised by Bharat during our talk!)

All this may sound like a lot of number crunching going on in the background and slowing the system down, but Delfigo swears users will hardly notice. That’s because of all the smart algorithms they have cooked up and that can also be used to monitor and double check on users desiring access to a system. In the event that the algorithm smells something fishy, it can escalate and require additional identification, either digital or analog, such as freezing an account and requiring the user to show his driver’s license to an official or have his Iris scanned.

During our conversation in Boston I was reminded of a session Dick Hardt convened back at IIW #11 in Mountain View a few weeks ago in which he discussed the germ of an idea he has for an “identity-aware device”, e.g. a smartphone that can tell from the way I wave it around and by the tone of my voice as I speak into it that it is truly me using it. Like the guys at Delfigo, Dick is convinced that no single system will ever be enough to solve the problem of providing conclusive proof of personal identity over digital systems. It seems you just can’t have one without at least some of the others. After all, as Dick is fond of pointing out in his presentations on “Identity 2.0”, we are the sum of our many, many attributes in real life, so the more I can present as credentials on access to a system, the greater the probability that I’m who I say I am. And while no number of single proofs ill probably ever up add to 100 percent security on the Internet (or anywhere else in life, for that matter), they may at least help keep the dogs at a reasonable distance.