There are traditionally three (3) authentication factors:

What You Know is the most common. It’s the prevalent single-factor online solution. With a bit of creativity, it can top the other two for best-practice safety. Implementing ‘What You Know’ ranges from a magic phrase: “RumpelstiltskinSentMe”; to the less than loved CAPTCHA (which actually relies on your mental and visual acuity to decipher a graphic); to the mundane password. The noun password is misleading. Cyber security experts caution “never use a word”. They urge employing random upper- and lower-case letters, numbers & symbols.*

Remember: combinations must be different for every website and app you access. Of course, most people can’t easily memorize things like 59wyuF[Z’N83-<Te. That’s why writing the codes down somewhere, or using ‘12345678’ and ‘password’, are still the most popular choices. They’re also quickly exploited by hacker dictionaries when breaking into accounts. Don’t feel bad. Criminals can take a crack at every word in the world in seconds. Digital thieves can also automatically decipher character substitution like J0e$3ntMe or £etM31n. Tr1x ar3 f0r k1d$.
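The point above, that cracking tools undo substitutions like J0e$3ntMe automatically, is easiest to see from the defender’s side: a password-policy check that reverses the same substitutions before looking the result up in a wordlist. This is an added example, not code from the original post; the miniature wordlist and the substitution table are constructed assumptions, and a real deployment would load a full dictionary.

```python
from functools import lru_cache

# Constructed miniature wordlist standing in for a real dictionary (assumption).
WORDLIST = frozenset({"joe", "sent", "me", "let", "in", "password",
                      "trix", "are", "for", "kids"})

# One-character substitutions that cracking rulesets undo automatically.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s",
        "@": "a", "7": "t", "8": "b", "£": "l", "!": "i", "|": "l"}

def normalize(pw: str) -> str:
    """Lowercase and drop whitespace so 'Tr1x ar3' and 'tr1xar3' compare alike."""
    return "".join(c for c in pw.lower() if not c.isspace())

def deleet(pw: str) -> str:
    """Reverse the substitutions, e.g. 'J0e$3ntMe' -> 'joesentme'."""
    return "".join(LEET.get(c, c) for c in normalize(pw))

def is_dictionary_phrase(text: str) -> bool:
    """True if text splits entirely into wordlist words (dynamic programming)."""
    if not text:
        return False
    n = len(text)

    @lru_cache(maxsize=None)
    def splittable(i: int) -> bool:
        if i == n:
            return True
        return any(text[i:j] in WORDLIST and splittable(j)
                   for j in range(i + 1, n + 1))

    return splittable(0)

def assess(pw: str) -> str:
    """Return 'ok' or the reason a candidate password is rejected."""
    if pw.isdigit():
        return "digits only"
    if is_dictionary_phrase(normalize(pw)):
        return "dictionary words"
    if is_dictionary_phrase(deleet(pw)):
        return "dictionary words with character substitution"
    if len(pw) < 12:
        return "too short"
    return "ok"

if __name__ == "__main__":
    for pw in ("password", "J0e$3ntMe", "£etM31n", "12345678", "59wyuF[Z'N83-<Te"):
        print(f"{pw!r}: {assess(pw)}")
```

Real checkers such as those built into account-creation forms also strip appended digits and years before the lookup; the dictionary here is deliberately tiny so the walk-through stays readable.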

We’ll return to What You Know with a fresh look in a minute.

Next there’s What You Have – like a door key or a digital fob. The caution with ‘What You Have’ is that it works just as well for everyone else who has it. That’s why your friend can give you their house key to feed the kitties while away. A credit card is a variation on ‘What You Have’. And we all love waiting while the chipped plastic processes. The exciting news sweeping retail stores was touchless cards. Unfortunately, brick-and-mortar merchants spent billions for technology that’s already outdated since 80% of shopping is now online. Standing alone, ‘What You Have’ is frail.

Which seems to leave the more exotic What You Are story. This is the realm of fingerprints, facial recognition, iris scans, DNA analysis, and SciFi. Alas, there are two massive shortfalls:

(1) The source is stored as data (no need to cut off a finger), so a hacked server is bad.
(2) Once compromised, the crook is identical to you. You’ll spend the rest of your life trying to prove otherwise. For the latter reason alone, “What You Are” is the most dangerous to trust.

Nevertheless, big money has gone into selling the illusion that some machine will detect who you are by the pheromones you exude. That they may change their tune as quickly as they dropped fingerprints in favor of face recognition should raise questions about how much was marketing versus real security for the consumer. To say buyer beware of biometrics is an understatement.

There was a promise to return to the factor that does have promise. What if we flip “What You Know” to “Who You Know”?

The improvement eliminates the weaknesses outlined above while simultaneously introducing total unpredictability. Most of us can instantly identify hundreds and hundreds of faces on sight from every point in our lives. Let’s think about the question: Do I want to memorize a complex combination of letters, numbers and symbols… or authenticate my identity because I’m the only person within a thousand miles who recalls the face of my tenth grade crush?


*Recently there was a ‘relaxing’ of the recommendations. Perhaps it’s valid; however it’s wise to wonder who benefits from weak security.
