Hi folks, Ed Amoroso here, and in this video I want to talk to you about the proof factors that are used to validate a reported identity and authentication. Now first question is, what is proof? And a lot of you maybe have studied mathematics. Maybe you studied it in high school, or even in college, you studied it in college. Or maybe you didn't do mathematics, I don't know. I always find it interesting that when asked the question, what is the definition of proof, you expect a mathematician to have this really involved sort of a detailed, technical answer. You know what the correct answer is to what is proof? It's convincing evidence, isn't that crazy? It suggests that proof is subjective and contextual, meaning, if I can convince you, if I can provide a convincing argument that something is the case, then I provided us a proof. I provided sufficient proof that something is true.
So, here's what we're going to do. We're going to look at this question of Alice, a client, reporting an identity to Bob, a server. And for the most part, as we do this, Alice is usually a client, Bob is usually a server. I'll tell you when it changes. But you can more or less assume that. That makes it easier for us in shorthand. If I forget to say, you'll know, Alice, client. Bob, server. You got that?
So, Alice is reporting an identity to the server, saying, "Hey, I'm Alice." And then the server's going to go, "Really? Prove it. Prove that you're Alice." Now what can Alice do? There's a number of different possibilities. So the one that you're most familiar with is that Alice knows some secret, a password, or PIN, or something. That's the most universal type of validation proof that's used. Every single person hearing my words right now has used, or is using, or will continue to use passwords for a bunch of different applications, and systems, and network uses. And that's just not going to change. Well, obviously, some weaknesses there, we'll get to passwords.
We're going to talk about them in a subsequent video, but that is the first type. And we would say, it's something you know, it could be a phrase, word, number, whatever, that's one.
Second is something you possess, and that's usually something tangible, like my mobile device, handheld something, calculator type device, a little key that you would keep, that's something you possess. So if I have it, that means I must be somebody who got it. And if I have a trusted distribution mechanism, or I trust that mechanism, then I know that you have it, then you must have gotten it from that mechanism. Like a driver's license, here in the United States, is a highly valued thing to possess. Because if you have a valid driver's license, has your picture, has good watermarks signals, it's got information there about you, it matches you, it's hard to forge. Then if I present that, then all the power and authority of the issuing group, in the United States it would be the Division of Motor Vehicles. Wherever you're watching, whatever country, you probably have something very similar. But all the trust inherent in that provisioning process extends or cascades to that validation, do you follow? We call that, in computer science, cascaded trust.
So, when Alice says, you want proof, let's just say, it was, here's my driver's license, it's not going to be for computing, but imagine. Bob says, who are you, you say, here's the driver's license, and Bob looks at the driver's license. All of the confidence Bob has in the issuing authority has been cascaded to that process. Do you see, it's not just Alice made something up, but you actually have a third-party authority that provides that. So that's the something you possess.
Third would be something you embody, like something you are. And what are the things that are unique about a human being? Well, one is your retinal pattern. So you can imagine going tappity tappity tap, prove it, and put your eyeball up to something.
It wouldn't be my favorite way to authenticate to like Facebook or something, but it's one possibility. Fingerprints is another one. By the way, what would be an example of someone who would not be able to use thumbprints for some sort of validation of identity? Well, someone with no thumbs. I mean I know that's, I don't mean that in a good manner, because there's probably people watching who don't. So if you don't, then you can't use the thumbprint, right? So it's not always just a slam dunk. I said retinal pattern, there might be people that don't have a retina that they can use for that. So you have to be very careful with these factors when you're dealing with a lot of people. You want to be respectful, not everybody's going to be able to do all of these things.
Now one thing everybody can do, 100 percent of you could do, but 100 percent of you would not want to do is DNA. Like tappity, tappity, tap, log in, prove it and a little needle pops up and you go [NOISE]. It takes blood to see who you are. None of you are going to like that, but all of you can do it. If you're watching this, then you have blood in your DNA, but you'd hate that. So, something you embody is a little different.
Now, voice is an interesting one, right, because voice works, but what changes about a voice? As you get older, your voice changes. When you get a cold, your voice changes. You can record a very high-quality version of somebody's voice. And you see a lot of hacks nowadays, where people will call you on the phone, ask you a question, get your answer to that question recorded and then use that in the subsequent query, as you, it's got your voice, to answer something. You gotta be quite, be very careful when it comes to some of these proof factors, so something you embody.
Another is someplace you are, your location. That's a squirrelly one, right? You have a credit card. You've had the experience of buying something over here. Credit card company calls you up.
"Hey, are you really in New York? Because I think you live in Paris, but are you buying something in New York?" And you say, "Yes, yes, yes. I'm in New York visiting. Thank you for calling." So, location sometimes can be used in the context of making sense of all this.
And then finally something you do. It's a common one now, the ergonomics. The way you tap into your device. The way you move it around. Sounds very space-age but there's a lot of companies now doing that.
Now look, when you put all of this stuff together, you can do it in a very contextual manner. Meaning, best case of all is where I ask you a question, you challenge, and then, depending on the situation, the challenge and the response might be different. Maybe I give you an answer to one, but you feel like you need more. But in another scenario you feel like maybe you don't need more and that matches normal validation. Things that we would do in our lives, like if we met together. Let's say we were in one of these lectures physically in a room. And I gave the lecture, and everything's great, and everybody claps, hopefully you clap. And then we're done, and we're all milling outside and I bump into you, and I say, how did you like the lecture? You're not going to have to say, well, who are you? Because I'm me, you can see I'm me, I walked out of there, we were just in that room together. You don't need much proof. But if we just gave a lecture, and then, six months later, I happen to bump into you. I look a little different, and I say, how'd you like the lecture? And they go, who are you, again? I say, I'm Ed. They go, yeah, you do sound like the, contextually, I need more, and computing works the same way. It's a very, very similar kind of setup.
Now, we're going to do a very brief quiz as we often do. Just to test our understanding of identification authentication. And the answer is c, thumbprint on a device and a password.
You'd want to say, maybe email, but we said earlier not really clear that your email is a secret. It probably isn't. In some contexts, people will want your email to come from a known domain, maybe there's something about that. The thumbprint on your device and password is one of the classic examples of two-factor authentication. So with that, I'll let you go. We'll look forward to seeing you in the next video.
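Added example, not part of the lecture: a sketch of the contextual validation described above, where Bob counts distinct factor categories (so a password plus a PIN is still one factor, while a thumbprint plus a password is two) and asks for more when the context is weaker. The method-to-category mapping, the 30-day threshold, the `Context` fields and the use of location as a context signal are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Proof methods mapped to the lecture's factor categories.
# The mapping itself is constructed for this sketch.
FACTOR_OF = {
    "password": "know", "pin": "know",
    "phone_token": "possess", "hardware_key": "possess",
    "thumbprint": "embody", "retina": "embody", "voice": "embody",
    "typing_pattern": "do",
}

@dataclass
class Context:
    days_since_last_seen: float  # time since Bob last validated Alice
    usual_location: str
    current_location: str

def distinct_factors(proofs):
    """Return the set of factor categories covered by the verified proofs."""
    return {FACTOR_OF[p] for p in proofs if p in FACTOR_OF}

def factors_required(ctx):
    """Hypothetical policy: weaker context demands more independent factors."""
    required = 1
    if ctx.days_since_last_seen > 30:  # threshold is an assumption
        required += 1
    if ctx.current_location != ctx.usual_location:
        required += 1
    return required

def decide(proofs, ctx):
    """Accept only when enough different categories were proven."""
    have = distinct_factors(proofs)
    need = factors_required(ctx)
    return "accept" if len(have) >= need else "challenge"

if __name__ == "__main__":
    just_seen = Context(0, "Paris", "Paris")
    months_later = Context(180, "Paris", "Paris")
    travelling = Context(180, "Paris", "New York")
    print(decide(["password"], just_seen))                    # little proof needed
    print(decide(["password", "pin"], months_later))          # same category twice
    print(decide(["thumbprint", "password"], months_later))   # two categories
    print(decide(["thumbprint", "password"], travelling))     # context asks for more
```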