CIO

Maybe it’s time to eliminate “something you know” as an authentication method

Something you know is the least secure method of authentication and the easiest to crack or compromise. It's time to stop relying on something you know for secure authentication.

Secure authentication is crucial to protect data and guard your identity from being stolen or hijacked. The vast majority of authentication used today is based simply on a username and password, which has proven time and time again to be inherently insecure. Perhaps it’s time to change our definition of authentication.

The All-in-One CISSP Exam Guide (a book I *highly* recommend if you’re studying for the CISSP exam) describes authentication like this: “Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.”

Let’s use the front door of your home as an example scenario. Something you know can be a secret knock or secret password or possibly a PIN code used to unlock a door. Something you have would be a physical key required to unlock the door. Something you are would be a fingerprint or retinal scan or facial recognition. It doesn’t even have to be high-tech. It can be as simple as me knowing what my brother looks like and granting him access based on a cursory visual inspection of the person standing on my porch.

Now, let’s examine each of those a little closer. Something you are is difficult to replicate or steal. Your unique biometric characteristics are yours and yours alone. It is technically possible to clone a fingerprint or trick some facial recognition tools with a photo or mask, but even that is becoming less feasible. Microsoft recently revealed that Windows Hello can differentiate between two identical twins.

Something you have is easier to steal or copy, but in most cases doing so requires physical access to, or possession of, the authentication token. For example, someone can steal the key to your front door or make a copy of it, so it is possible for someone else to possess your authentication method, or for more than one copy of it to exist.

Then there’s something you know. Something you know is very easy to compromise or steal. Someone can eavesdrop on your secret knock or secret password. A password can be written down. It can be shared with others. It’s possible for five, fifty, or five thousand people to all know what your password is. It’s also possible to guess or crack something you know in most cases. It may take weeks, months, or years—but there is a finite number of possible things to know.

That is the problem.

There is only one you to be something you are. You only have one physical key, or USB device, or mobile device to be something you have—possibly a few in the case of a physical key. Something you know, however, can literally be something that everyone knows. There is no limit on how many people can know your special something. Something you know can be easily cracked or compromised. It is innately the least secure of the three authentication methods and it has been the direct cause of many—if not most—of the major security and data breaches in recent years.
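A concrete illustration of the point above, that knowledge of a secret alone should not be enough, as an added example that is not part of the original article: the login check below (Python) requires both a knowledge factor, a password stored as a salted PBKDF2 hash, and a possession factor, a six-digit TOTP code generated from a secret that lives only on the user's device (HOTP per RFC 4226, TOTP per RFC 6238). Five thousand people can know the password and still not pass the check without the device. The iteration count, the record layout and the function names (`enroll`, `authenticate`, and so on) are assumptions of this example, not anything from the article.

```python
"""Two-factor login check: knowledge factor (password) plus possession factor
(TOTP code from a device).  Added example; not code from the article."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: work factor in line with current OWASP guidance
TOTP_STEP = 30               # RFC 6238 default time step, in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def enroll(password: str) -> dict:
    """Create a user record (hypothetical layout): salted PBKDF2 password hash plus a
    fresh TOTP secret.  The secret is provisioned once to the user's device, e.g. as a
    QR code, and never sent again; that device is the 'something you have'."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": os.urandom(20)}


def verify_password(record: dict, password: str) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def verify_totp(record: dict, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Possession factor: accept the code for the current step or up to
    drift_steps neighbouring steps, to tolerate clock skew on the device."""
    secret = record["totp_secret"]
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + k * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass.  Both are always evaluated so that the response
    time does not reveal which factor failed."""
    pw_ok = verify_password(record, password)
    otp_ok = verify_totp(record, code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    import time
    user = enroll("correct horse battery staple")        # constructed sample password
    now = int(time.time())
    device_code = totp(user["totp_secret"], now)         # what the user's device would show
    print("password + device code:", authenticate(user, "correct horse battery staple", device_code, now))
    print("password only (code guessed):", authenticate(user, "correct horse battery staple", "000000", now))
```

In production the TOTP secret would be stored encrypted or in an HSM, a used code would be rejected for replay within its time step, and failed attempts would be rate-limited; those concerns are outside what this example shows.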

We need more devices with fingerprint scanners and more PCs equipped with the Intel RealSense 3D camera required for Windows Hello facial recognition, because it’s time to stop using passwords, PINs, or anything else in the something-you-know category as a means of authentication.