In 1981, the President of the United States,
Ronald Reagan, was shot by a gunman in Washington DC. It wasnât fatal, but it was close. Reagan was rushed to hospital and in the chaos,
the Biscuit went missing. The Biscuit was the nickname given to a small
plastic card, sealed inside an opaque case, that contained the secret codes that would
identify the President over the phone if he gave the instruction to fire a nuclear weapon. The card was eventually found. Some reports say it had been hastily stuffed
in the Presidentâs shoe when the trauma team cut away his clothes. Others say that the FBI had seized all those
clothes, and the card, as evidence, and they didnât give it back until
a couple of days later. Itâs possible that both are true,
depending on the timing. Now, there are some overexcited people who will
say that for however long that card was missing, it would have been impossible for the United States
to launch or to reply to a nuclear exchange. Thatâs not true, the Vice President
had a backup, but in 1981, in the middle of the Cold War, a President with lost nuclear codes added
some instability that the world really didnât need. This story has something to do with your phone,
I promise. There are three ways that a computer,
or any system, can identify you. It can ask for something you know,
something you are, or something you have. Those are the three âfactorsâ of authentication. And the gold standard for checking identity
is multi-factor authentication. At least two of these different factors. Two different passwords arenât much better
than one. But two factors are. When you do something as simple as withdrawing
cash from an ATM, that is two-factor authentication: the something you have is your card, and the something you know is your PIN. So letâs look at each of these factors. For something you know. Well, for that,
these days, thatâs a password. The traditional login system,
username and password, is usually credited to Dr Fernando CorbatĂł
at MIT in the 1960s. And when the only input device to your computer
is a keyboard, a password absolutely makes sense. Something you know could also be a PIN,
which is just a short password, or in the days before computers, your signature. But using this one factor isnât ideal. Signatures can be forged. Passwords can be leaked or intercepted, either by someone hacking into the server
theyâre stored on, or putting a keylogger on your computer, or just by someone looking over your shoulder
while you type. I actually taught myself to shoulder-surf
passwords when I was high school. Learned a teacherâs password. Got in trouble for it. And the only reason that I got caught,
the only reason, is because I told someone else
that I'd done it. I didnât even want to do anything
with the password, I was just the sort of nerd who taught himself
skills like that for fun, 'cos I could. And the lesson I learned was not
âdonât do itâ, it was âkeep your mouth shutâ. Anyway. Passwords. Not ideal, but reasonable in the absence of
any other options. What about the next factor:
something you are? That would be âbiometricsâ. Things like fingerprint and face recognition. These are great for proving who a person is, and theyâre difficult to intercept. Although they do have downsides: the system has to trust that the device thatâs
reading the print or checking the face hasnât been compromised. And if your fingerprint gets leaked, because some high-tech spy took a copy of
it from a glass you drank from, you canât exactly change it. I tried once. Plus, you can pretend not to know a password. That doesnât work for your own face. Some people do say there is a fourth factor
of authentication, âsomewhere you areâ, the idea that if your credit card transactions
suddenly move to the other side of the globe, it might be worth checking whatâs going on, but Iâd say that gets rolled into
âsomething you areâ. Science fiction writers have also imagined
complicated artificial intelligence systems that can learn someoneâs behaviour patterns
over time and recognise them, or panopticon societies where privacy is a
thing of the past and everyone knows where everyone is and what
they're doing, all the time. But right now, for âsomething you areâ: weâre basically stuck with fingerprints and faces. So how about the third factor:
something you have? That would be your bank card, or your phone,
or a literal key. Which is ideal if youâre in the same physical
location, if you are unlocking a door: but how do you prove that someone has a physical
object when theyâre in a completely different location? That was a lot more difficult before smartphones. British banks have been sending out card readers
to their customers for many years: you plug in your card,
it reads a secret code off the chip, and then you type in your PIN and a one-time
code that your bank sends you for each transaction. And it mashes all those together,
does a lot of maths, and the result is a number that you send
back to your bank, confirming that you have the physical card. But these days, often you donât need all
that fuss: because almost everyone carries a phone now, and thatâs a physical thing that can work
as a token just by sending a notification to an app on it. Thatâs often secure enough. Sometimes thatâs still done with numbers
in text messages, but thatâs not ideal: SMS is not secure, and there have been attacks where criminals
have called up phone providers and convinced the provider to move someoneâs number
over to another phone that the criminal controls. Or you can use an authenticator
app on your phone. Now, that generates one-time codes. When you set up that app,
it stores a long secret code from the server: then it combines that with the current time, and every minute, you get a different six-digit number
that you can type in, to prove that you have that phone. Itâs basically a password that your phone
knows, but you donât. The codes you type in can be short because
they only last a minute each. Of course, if youâre not actually talking
to your bank, you're talking to some phishing web site thatâs just
taking the number you give them and passing it on to the bank
pretending to be you⌠thatâs not ideal. So some really high-security companies use
a small physical USB or Bluetooth token instead. Google gave those out to all their employees, and they claim it reduced the number of successful
phishing attacks to zero. The actual process of how it works is way
beyond the scope of this video, but itâs basically equivalent to the
bank card reader, only automatic and with a lot more complicated
maths going on behind the scenes to make sure that the key will only talk directly to the
correct web server. And because thereâs nothing
for you to type in, you canât accidentally give the code to
someone else. Youâre required to have
the actual, physical token. Those US nuclear codes use
all three factors of authentication. Something you have: the biscuit, the actual
code card. Something you know: there were fake codes
printed on that card, so the President had to memorise the position
of the correct one so that when he cracked open the card --
hopefully he'd never have to, but when we cracked open the card
heâd know which one to read out. And something you are: he had to be surrounded by the security apparatus
and top-secret infrastructure that would let him make the call to the military
in the first place. Of course, all that multi-factor authentication
could only check that it really was the President
giving the order: that the identity was correct. There was no way to check that the President
was sane, or that he wasnât being coerced or tricked. And in the same way, you can have all the multi-factor authentication
you want on your bank account and email. And you should. You should turn that on. You should go to your email provider and your bank
and turn on two-factor authentication for all your important accounts.
But it wonât help if the company that youâre
sending money to has been hacked, and the payment details theyâve emailed you
actually come from a scammer. It wonât stop you falling for a confidence
trick or a multi-level marketing scheme. Computers can only do what you say.
They canât do what you mean, and they canât stop you from asking for
terrible things. But at least they can be reasonably sure that
itâs you asking.
To be honest I'm more worried of losing my accounts when my phone with the authenticator app breaks/gets lost than I am of someone getting into my account.
Found this gem while reading about Fernando J. Corbato:
Offcourse it really keeps you safe
Love the explanation of the factors!