How do we make best sense of the bewildering array of authenticators on the market? Most people are familiar with single factor versus two factor, but this simple dichotomy doesn’t help match technologies to applications. The reality is more complex. A family tree like the one sketched here may help navigate the complexity.
Different distinctions define various branch points. The first split is between what I call Transient authentication (i.e. access control) which tells if a user is allowed to get at a resource or not, and Persistent authentication, which lets a user leave a lasting mark (i.e. signature) on what they do, such as binding electronic transactions.
Working our way up the Transient branch, we see that most access controls are based either on shared secrets or biometrics. Dynamic shared secrets change with every session, either in a series of one time passwords or via challenge-response.
On the biometric branch, we should distinguish those traits that can be left behind inadvertently in the environment and are more readily stolen. The safer biometrics are “clean” and leave no residue. Note that while the voice might be recorded without the speaker’s knowledge, I don't see it as a residual biometric in practice because voice recognition solutions usually use dynamic phrases that resist replay.
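To make the two dynamic-shared-secret branches concrete, here is an added example (not code from the original post) in Go, using only the standard library. It shows a counter-based series of one-time passwords on the left-hand branch and a nonce-based challenge-response on the right-hand branch, and in both cases demonstrates why a code captured in transit cannot be presented again, which is the same replay-resistance property the dynamic voice phrases above rely on. The shared secret, truncation length and look-ahead window are constructed demo values, not any vendor's scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// sharedSecret is a constructed demo value; a real token would hold a
// randomly provisioned secret that never leaves the device.
var sharedSecret = []byte("constructed-demo-shared-secret")

// otp derives the one-time code for a given counter: HMAC over the counter,
// truncated to 8 hex characters for display (demo truncation, not a standard).
func otp(secret []byte, counter uint64) string {
	mac := hmac.New(sha256.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	return hex.EncodeToString(mac.Sum(nil)[:4])
}

// OTPVerifier is the server side of the "series of one time passwords"
// branch. It remembers the highest counter already consumed, so a code that
// was captured in transit cannot be presented a second time.
type OTPVerifier struct {
	secret   []byte
	lastUsed uint64
	window   uint64 // look-ahead tolerated when the token skipped a few presses
}

// Accept searches the window above the last consumed counter and burns
// everything up to the matching counter on success.
func (v *OTPVerifier) Accept(code string) bool {
	for c := v.lastUsed + 1; c <= v.lastUsed+v.window; c++ {
		if hmac.Equal([]byte(otp(v.secret, c)), []byte(code)) {
			v.lastUsed = c
			return true
		}
	}
	return false
}

// newChallenge is the server side of the challenge-response branch: a fresh
// random nonce per session, so no previous answer is ever the right one.
func newChallenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// respond is what the token computes from the challenge and its secret.
func respond(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// verifyResponse recomputes the expected answer and compares in constant time.
func verifyResponse(secret, challenge, response []byte) bool {
	return hmac.Equal(respond(secret, challenge), response)
}

func main() {
	v := &OTPVerifier{secret: sharedSecret, window: 5}
	code := otp(sharedSecret, 1)
	fmt.Println("first use of counter 1:", v.Accept(code)) // true
	fmt.Println("replay of counter 1:   ", v.Accept(code)) // false

	c := newChallenge()
	r := respond(sharedSecret, c)
	fmt.Println("answer to its own challenge:", verifyResponse(sharedSecret, c, r))              // true
	fmt.Println("same answer, new challenge: ", verifyResponse(sharedSecret, newChallenge(), r)) // false
}
```

The two branches differ in what the verifier must remember: the OTP verifier keeps state (the last consumed counter) and must never let it go backwards, while the challenge-response verifier keeps nothing beyond the nonce it just issued. Both rely on the secret never being observable in transit, which is where they part company with a static password.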
For persistent authentication, the only practical option today is PKI and digital signatures, technology which is available in an increasingly wide range of forms. Embedded certificates are commonplace in smartcards, cell phones, and other devices.
The foliage in the family tree indicates which technologies I believe will continue to thrive, and which seem more likely to be dead-ends.
I'd appreciate feedback. Is this useful? Does anyone know of other taxonomies?
This is an interesting and useful way to categorize authentication technologies. Thanks for giving us a new way to picture these.
I quibble a little bit, however, on which technologies are multifactor (brown). For example, a time sync token, by itself, is single factor: it's "something you have" unless there is an activation secret. Fingerprints and all other biometrics (except possibly prompted voice where the response includes something you know) are similarly single-factor. USB keys can be multi-factor, although some I'm familiar with are not.
The biggest change in view for me is the first-level separation between Persistent and Transient. Are there others that have made that separation? Is there an implied appropriateness of one or the other in certain applications?
I guess I adopted an optimistic view of how OTP tokens like SecurID are used in practice -- I've always seen them deployed with a secret password as well.
You're quite right about biometrics being one factor; I surprise myself at how generous I'm being portraying them as multifactor ;-). The stark thing about biometrics is they can be purloined or "lost" without the Subject knowing.
So actually the number of factors alone is a bit misleading. A single factor token (with no password) is superior over biometrics in respect of it being more obvious when you've lost control of it. Maybe the taxonomical key is physicality of the method and not simply the number of factors.
As for the difference between signing and access control, I'm glad you like that we've surfaced that issue. I think this is fundamental and it's not always obvious in identity management policy & framework discussions that there is a difference. And yes, my thinking has a lot to do with qualifying appropriate apps. For instance, as a rule of thumb, digital certificates don't add a lot of value in access control only applications, or where an evidentiary trail can be established through access logs. The classic case is Internet banking, which apes telephone banking. No persistent signature required because it's a monolithic hub-and-spoke system; sufficient to log evidence at the hub of who logged in and did what when. Digital signatures are much more beneficial when the signed artefacts themselves persist across different contexts, systems and relying parties, and over long stretches of time.
If I may stretch the point ... I reckon a multi-variable taxonomy is a better way of matching apps to credentials than one dimensional LOAs, which really hide (and lose) a great deal of context-dependent risk analysis; see http://lockstep.com.au/blog/2011/04/08/i-dont-get-loas.html
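The following is an added example, not code from the post or the comment thread, illustrating the Persistent branch of the tree (the post's paragraph on PKI and digital signatures) and the reply's point that a signature earns its keep when the signed artefact outlives the system that first accepted it. It uses Go's standard-library Ed25519 rather than a full X.509 PKI; the key pair, transaction text and serialisation format are constructed for the demo, and binding the public key to a real identity (the certificate's job) is assumed to happen out of band. The artefact is signed, serialised as if stored or forwarded, and then checked by an independent relying party holding nothing but the record and the signer's public key; the same check rejects a tampered copy or a copy attributed to the wrong key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed signed artefact. Payload, signer's public key
// and signature travel together, so whoever holds the record later can check
// it without asking the system that originally accepted it.
type Transaction struct {
	Payload   string `json:"payload"`
	PublicKey []byte `json:"public_key"`
	Signature []byte `json:"signature"`
}

// newSigner generates a fresh Ed25519 key pair for the demo; in practice the
// public key would be bound to the signer by a certificate.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign leaves the "lasting mark": the signature is over the payload bytes and
// is embedded in the artefact itself.
func sign(priv ed25519.PrivateKey, payload string) Transaction {
	return Transaction{
		Payload:   payload,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, []byte(payload)),
	}
}

// verify is what an independent relying party runs, possibly years later,
// with only the artefact and the public key it trusts for that signer.
func verify(tx Transaction, trusted ed25519.PublicKey) bool {
	if !trusted.Equal(ed25519.PublicKey(tx.PublicKey)) {
		return false // signed by someone else, or key substituted in the record
	}
	return ed25519.Verify(trusted, []byte(tx.Payload), tx.Signature)
}

// persistAndReload simulates the artefact leaving its original system: it is
// serialised, stored or forwarded, and parsed again somewhere else.
func persistAndReload(tx Transaction) (Transaction, error) {
	stored, err := json.Marshal(tx)
	if err != nil {
		return Transaction{}, err
	}
	var reloaded Transaction
	err = json.Unmarshal(stored, &reloaded)
	return reloaded, err
}

func main() {
	pub, priv := newSigner()
	tx := sign(priv, "transfer 100 from acct-1 to acct-2 (constructed)")

	reloaded, err := persistAndReload(tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies after leaving the hub:", verify(reloaded, pub)) // true

	reloaded.Payload = "transfer 900 from acct-1 to acct-2 (constructed)"
	fmt.Println("verifies after tampering:      ", verify(reloaded, pub)) // false
}
```

Note what the relying party did not need: access to the hub's logs, a live session, or the hub's word that the user was authenticated at the time. That is the practical difference from the Transient branch, where the only evidence that survives is whatever the hub chose to record.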