Tuesday, October 06, 2009

Learning Authentication

Securing mission critical applications is vitally important. Everyone can agree on that. Securing access to personal information is also vitally important. I'm sure there'll be no arguments with that one either. And I'm also quite sure that there will be no arguing with the fact that not all applications carry the same risk and therefore they can be secured in various manners ranging from pretty insecure to secure to the point where even with all the necessary credentials it is still hard to get access.

When I was young, I had a ZX Spectrum 48Kb. When I switched it on (because in those days I had no concept of “booting”), I was presented with a fairly blank screen and a cursor. At this point, I would normally type LOAD “” and insert a cassette into my attached cassette player. A program would load (normally a game to be fair) and I would enjoy the pleasure of using the program (or playing the game) for quite some time thereafter. No authentication necessary.

These days, our children need to be a lot more careful as they typically use computers in a state of always being connected to the internet. But is it reasonable to expect a young child to enter a User ID and Password when they want to play “Dora The Explorer” on the Cbeebies website? Maybe they should have to authenticate at an early age – after all, it is teaching them good practice, yes?

Well, there's probably no harm in having a child click on a photograph of themselves when it comes to authenticating at the OS level and then getting access to a customised desktop with all their favourite links on it (such as the now infamous Dora) but what about a password?

Would it be fair to ask a child of 10 to construct an eight-character password which had to contain alphabetic, numeric and symbol characters? They might be able to do that and remember the password. What about a child of 6? What about a child with learning difficulties? I would suggest that a hard-to-remember password would be inappropriate – especially if all they were trying to access is the aforementioned Dora in her quest to defeat the naughty Swiper!

So what would be an appropriate means for this demographic to learn the beauty of authenticating themselves? Retina recognition? Fingerprints? Visual cues? Let's examine...

Biometrics may seem like a fun way of authenticating and they certainly have merit, except that not every PC or laptop comes equipped with the necessary hardware to enable them. Should we all rush out and buy fingerprint readers? I'm thinking not.

Passwords aren't necessarily an option even if we make the passwords very weak indeed. Maybe the children aren't at a stage in their development where they can recognise the characters on the keyboard let alone use the keyboard appropriately.

Visual cues? Consider the scenario whereby the child in question clicks on their own photograph to authenticate and is then presented with four images of animals from which they have to select their favourite. Now, consider the scenario whereby the child is presented with four colours from which they have to select their favourite. All of a sudden, we are actually verifying that there is a good chance that the child is who they say they are. The child is learning the beauty of IT security in a safe environment with visual cues which are protecting non-critical services. The authentication process is probably one of the least secure mechanisms I can think of, short of no authentication whatsoever. However, in an environment where security doesn't matter and for the benefit of educating the young and getting them used to the concepts of identifying themselves and verifying that they are who they say they are, then it probably has merit. (And no doubt has already been done many times before.)
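
The two-stage picture check described above, as an added example that is not part of the original post: it verifies the child's picks and works out how likely a stranger is to click through by chance. The user name, picture sets and function names are assumed for illustration.

```python
import random
from fractions import Fraction

# Constructed enrolment record (hypothetical names): each stage keeps a fixed
# set of four pictures, so repeated logins don't reveal which one always recurs.
ENROLLED = {
    "amy": {
        "animal": {"options": ["cat", "dog", "rabbit", "horse"], "favourite": "rabbit"},
        "colour": {"options": ["red", "blue", "green", "yellow"], "favourite": "green"},
    }
}
STAGES = ("animal", "colour")

def build_challenge(user, stage, rng=random):
    """Return the user's four pictures for one stage in a fresh random order."""
    options = list(ENROLLED[user][stage]["options"])
    rng.shuffle(options)
    return options

def verify(user, picks):
    """True only if every stage's pick matches the enrolled favourite."""
    record = ENROLLED.get(user)
    if record is None:
        return False
    return all(picks.get(s) == record[s]["favourite"] for s in STAGES)

def guess_success(attempts, options_per_stage=4, stages=len(STAGES)):
    """Chance a stranger gets in within `attempts` tries, never repeating a guess."""
    combos = options_per_stage ** stages
    return min(Fraction(1), Fraction(attempts, combos))

if __name__ == "__main__":
    for stage in STAGES:
        print(stage, build_challenge("amy", stage))
    print(verify("amy", {"animal": "rabbit", "colour": "green"}))
    print(verify("amy", {"animal": "dog", "colour": "green"}))
    for n in (1, 3, 16):
        print(n, "attempt(s):", guess_success(n))
```

With four animals and four colours there are only sixteen combinations, so a single blind attempt succeeds one time in sixteen, which matches the post's point that this suits only non-critical services.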

I spend my life working with IBM Tivoli security products, focussing on Tivoli Access Manager and Tivoli Identity Manager. I haven't come across an EAI for such an authentication mechanism but would imagine it would be easy to implement and could be very useful within learning environments. Maybe I'll write one in my spare time!

So is there a drawback? Of course there is. And it is the same drawback that exists for all user credentials: setup, user registration or the provisioning process. That issue seems (to me, at least) to rest with the educators, who can talk the child through the process and explain the reasons behind it.
