Updated: Apr 1, 2021
Over a year after the Tories’ 2019 landslide, my coping mechanism is to avoid reading about government policy as much as possible. Some things – like the disgraceful policing bill – we have a moral duty to protest, no matter how futile. But for most other things, I find solace in ignorance.
More than anything, this applies to the budget. The budget is the annual proclamation of the new ways the Tories have come up with to inflict pain and suffering in the coming year. After a decade, I can mostly guess what’s in a Tory budget – cuts, austerity, and economic liberalism. All this being said, one thing – apart from corporation tax, don’t talk to me about corporation tax – really cut through to me from this year’s budget. This year’s budget seemed to spell the end of multi-factor authentication.
Authentication is simply proving who you are. There are hundreds of ways to do it. The simplest way is facial recognition – usually done by just looking at someone. If I’m cooking dinner for my partner and want to make sure it’s only my partner eating the food I cook, I would use facial recognition. For most situations in everyday life, this system works fine. But, if I’m trying to authenticate someone I’ve only met once or twice, it’ll be much less reliable. And this system scales terribly; if we have millions of people to authenticate, it will be a nightmare.
Facial recognition is an example of one type, or factor, of authentication – something you are. With the advent of machine learning, facial recognition can now be done by machines as well as humans. There are similar methods of authentication, such as retinal scans, fingerprints, and DNA, that work by the same principle, checking something that is intrinsic.
However, one problem of this factor of authentication is its non-transferability. You can’t lend someone else your retina to let them into your flat. It will also require either a human, or a high-tech system, to verify the authentication. This might be desirable, but often it will be a headache.
Say we want to authenticate who has access to our flat. There might not always be someone on hand to perform this authentication, and we might not want to install some high-tech facial scanning system on our front door – giving more data to tech giants in the process (see our blog by Joe Eastwood). So how do we authenticate access to our flat?
A key gives its (current) holder access to a building – or whatever else it might unlock. This is a whole other type of authentication: something you have. It has clear advantages, such as convenience, but with the big disadvantage that if someone steals your key – or, as I once did, you drop it while out running on the morning you’re supposed to start a new job – you get locked out, and someone else can get authenticated in your place.
One saving grace about losing your key, which may give you solace while you sit on your doorstep trying to wake your partner up, is that your key is worthless to whoever finds it; they won’t know what door it unlocks. This leads nicely to the final type of authentication – something you know.
Passwords are the classic example of something you know*. The drawbacks are simple: they can be hard to remember. Who of us hasn’t spent ages trying to guess which password we used for a website? And if you do manage to remember your passwords, would-be hackers can easily guess them. It is a condemnation of humanity that “letmein” is one of the most used passwords. It’s not even a good joke. I would also wager that at least one of you reading this will have a password made up of your football team and your date of birth; if that’s you, stop reading and go change it now.
So here we have the three factors: something you are, something you know and something you have. Which should you use? Well, it depends on the job. Each factor of authentication has its own set of strengths and weaknesses. But when it is critical that the authentication be secure, we should use two or more of these factors.
Your passport is an example of this. It’s something you have, but also, your face needs to match the face on the passport. This makes it two-factor authentication – I cannot just borrow my partner’s passport and fly out to Cluj with it. And as anyone who may have tried to get into a nightclub with an older sibling’s provisional licence will know, it can easily become three-factor authentication when the bouncer asks your postcode or star sign (E1, if you were interested).
The more factors, as a rule, the better. This is why the FCA requires two-factor authentication for online banking. Your phone is something you have, so your bank sends you a text to check whoever is logging in has access to your texts (which isn’t always the same thing as having access to your phone).
All these are steps in the right direction, to a more secure system. It is baffling, then, that the government seem to be going the other way with chip and PIN.
Chip and PIN is two-factor authentication – something you have, your card, and something you know, your PIN. Its predecessor, swipe and sign, was also multi-factor authentication (is your signature something you know or something you are?). Chip and PIN is relatively secure – I once lost my bank card in Fabric and didn’t cancel it for six months; as stupid as this was, no harm was done.
Contactless, on the other hand, is single-factor. If I find a card on the street, I can use the contactless on it. I cannot use chip and PIN.
With the small payment limit, this was an acceptable trade-off. Cash is one-factor authentication, and the convenience of not having to put your PIN in for small amounts was reminiscent of cash. But do I really want whoever found my card in Fabric to be able to spend £100 on it? I struggle to remember when I last spent over £100 on my card in person – this makes knowing my PIN pointless.
I can appreciate why, in the context of a pandemic, increasing the contactless limit to £45 made sense. Increasing the limit to £100 at the end of a pandemic (touch wood) doesn’t.
Except that, in one way, it does. Like most of the budget, it’s a sideshow to distract us from its heart. Here I am writing about multi-factor authentication, instead of about the cuts to the NHS. While it might be bad policy, it is far from bad politics.
*Interestingly, with the advent of password managers, passwords may no longer be something you know, but something you have. I do not know most of my passwords, but I have access to my computer, which knows the passwords.