by thefurman 2437 days ago
"Something you are" and "something you have" are the same class, just that the thing you have is physically attached to your body. Doesn't matter if it's a fingerprint, a chip installed under your skin or a tattoo. Pretty pointless distinction. Fingerprints, faces and eyes are merely conveniences.
2 comments

Nope, they are quite different exactly because "something you are" is attached to you and "something you have" is not. One can be swapped out if compromised or get lost. The other cannot (intentionally or unintentionally) be replaced, but -- because it is something biological -- undergoes slow changes over time. These differences are sufficiently large that it makes sense to split it into two categories when modeling the whole system from a security -- or usability -- standpoint.

> "something you are" is attached to you

And can be compromised without theft, coercion or any other trace.

> One can be swapped out if compromised or get lost.

Which makes something you are strictly worse than something you have.

> undergoes slow changes over time

You are lacking an argument for anything attached to this point.

> ...it makes sense to split it into two categories

So you are arguing that because something is strictly worse from a security standpoint, it should be categorised as a new category? Have I summed up your position correctly?

There are usability benefits which would exist similarly by attaching something which couldn't be easily compromised to your body. For example a chip under your skin or just carrying a watch on your wrist which you could authenticate with after putting it on and which would un-authenticate automatically when it is taken off. Nobody would argue that you are your chip or your watch.

Something you know is different because there are no plausible ways aside from coercion and similar for extracting such secrets in idle, and the other alternative is to get compromised on usage. It's about the threat models.

They are different classes. Something you are can be stolen or copied, but you can't easily trade it away.

Something you have can have strong copy protection like a YubiKey and can be given away.

See answer above.