The most common thing every designer has to deal with is ‘authentication’. In simple words, authentication is making sure that the person logging into Narendra Modi’s account is Narendra Modi himself, not Roudy Ranganna. In the real world you see his face and authenticate him (not thinking about the thing called ‘humshakals’ and impostors 😉). But the world of computers, which is far more powerful than our real world, gives you a set of choices. There are 4 authentication techniques for users. They are:
- What you know? (E.g.: Passwords and PIN)
- What you have? (E.g.: Key-cards, RFID cards, OTPs, Passes)
- Who you are? (E.g.: Fingerprint scan, Face Recognition, and other biometrics)
- Where you are? (E.g.: Location tracking, I.P. tracking)
1. Authentication based on ‘What you Know?’
In ‘what you know’ based authentication, the two parties agree on a secret phrase at the beginning to identify each other. While logging in or doing a transaction, this secret phrase is asked for and then matched to authenticate. (PS: On websites it is the encrypted form of the password that is matched; the actual password is encrypted immediately.)
If you share this secret phrase with your friend, then your friend can use the service while appearing as you. If your friend becomes greedy and misuses the service, it will be you who gets caught first. Going by recent events, don’t worry about getting prosecuted, because in the eyes of the law you are the ‘donkey’, not the perpetrator of the crime.
2. Authentication based on ‘What you Have?’
In ‘what you have’ based authentication, the two parties decide on a thing that identifies you. All the banks in India send a thing called an OTP to your mobile for authentication. Theatres give you a thing called a movie pass to authenticate you. Companies give you a thing called an RFID card to authenticate you. Software vendors give you a thing called a licence file to authenticate you.
‘What you have’ authentication is somewhat more expensive but stronger than ‘what you know’ authentication. However, this technique is also vulnerable to sharing of the thing, and it requires some physical infrastructure to hand you the thing when you sign up.
3. Authentication based on ‘Who you are?’
In ‘who you are’ based authentication, you are authenticated on the basis of your physical features. Examples are fingerprint scanning, retina scanning and face recognition; in criminal investigations DNA is used. Since these physical features are unique to an individual, one party takes a copy of them during the sign-up phase, and pattern matching against that copy is done to authenticate.
‘Who you are’ authentication is by far the most expensive one and the strongest one too. It cannot be used on the internet because of the sheer volume required to do it. Being based on unique features of the body, the sharing problem does not arise at all.
4. Authentication based on ‘Where you are?’
This is by far the newest entrant in the world of authentication. In ‘where you are’ based authentication, the location of the person is used to authenticate. Because real-time location data of a person is difficult to ascertain, this technique is usually used as an add-on layer of security. One example is the notification Facebook sends when you log in from a different location: it asks you to save the browser if you logged in from a different location, and it even sends a mail to your mail ID notifying you of the login. Normally the IP address or GPS data is used to ascertain the location.
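To make sections 1 and 4 concrete, here is an added example (my own illustration, not code from the original post or from any of the services named above) of a login check that stores only the hashed password and flags a login from a network the account has not been seen on before. The user store, addresses and password are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import os

ITERATIONS = 200_000  # PBKDF2 work factor: makes guessing against a leaked database slow
USERS = {}            # constructed in-memory user store for the demo: username -> record

def _home_network(ip):
    """Coarse 'where you are' signal: the /24 (IPv4) or /48 (IPv6) block an address belongs to."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def register(username, password, ip):
    """Enrol the secret: only a random salt and the hashed password are kept, never the password."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "known_networks": {_home_network(ip)},  # networks this account has logged in from before
    }

def login(username, password, ip):
    """Return (authenticated, new_location): the 'what you know' check plus the 'where you are' add-on."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of hashing for unknown users so response time does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False, False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison of the hashes
        return False, False
    network = _home_network(ip)
    # A correct password from an unseen network is the point at which a site sends the 'new login' mail.
    new_location = network not in record["known_networks"]
    # Remember the network so the next login from here is not flagged again
    # (this stands in for the 'save this browser' confirmation step).
    record["known_networks"].add(network)
    return True, new_location

if __name__ == "__main__":
    register("demo_user", "correct horse battery staple", "203.0.113.5")
    print(login("demo_user", "correct horse battery staple", "203.0.113.9"))   # same /24: (True, False)
    print(login("demo_user", "correct horse battery staple", "198.51.100.7"))  # new network: (True, True)
    print(login("demo_user", "wrong password", "203.0.113.9"))                 # (False, False)
```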
Tips to follow:
- Never share your secret (password or PIN) with anybody. It is difficult to track down the perpetrators if a crime happens.
- Sharing of identity is a crime. Don’t complain if you get hacked; you are the one who let the thief in.
- If you can afford to purchase a system based on ‘who you are’ authentication, then do it.
- Save your passwords in your brain (if there are only a few of them to remember) or in a powerful password manager like LastPass or KeePass.
Do share your ideas in the comments section.
Here are some articles I have written on security,