by jerf 4657 days ago
Something you know, something you have, something you are. Google may be trying to prefer something you have, but that's hardly going to kill "something you know" forever and ever.

I also look forward to the silly "two-factor authentication" that involves having two "something you have"s. It'll complement my bank's silly use of two "something you know"s nicely. (Perhaps they can get together for the true security ultimate, four factor authentication, security so secure that it uses four out of three possible authentication techniques!)

1 comments

> Something you know, something you have, something you are.

Excellent point - and oddly reflects a subtle point: Something you are (bio-id) is what we are asserting, and using one or both of the others to give the far point a gauge of how likely fraud is.

In short:

* Something you are -> Username
* Something you know -> Password
* Something you have -> RSA fob

When it comes to security, when people refer to "something you are", they mean that distinct from the "totality of who you are" or "who you truly are" (if you can even define that). Thus, fingerprints are "something you are"... but they can still be faked, and they aren't necessarily immutable, either. They explicitly aren't talking about "who you 'really' are" because if we had a way of telling that, we would be done. We wouldn't need any of the three factors if we simply knew who you were, magically, 100% accurately.

So, the "something you are" is still distinct from "who you really are", which is the thing we are trying to establish. (And we should have at least another two or three decades before that becomes a tricky question of its own.)

who I am (my identity) is for all sensible purposes a construct of other people.

the real me sits behind my eyes. let's ignore that for current purposes.

my identity then is what other people chose to use to distinguish me from the other seven billion on the planet. mostly we used faces, and became real good at recognising them. then we moved to using names because there were so many of us.

but it is still notable that who I am (Paul) is really just a shorthand for other people's convenience. if I was the only human on the planet I would have no use for a name but everything about me otherwise would still be unchanged

in short who I am is my "identity" and that is just an assertion to help you tell me from the guy next door. Who I am is my name (if you are on the telephone) or my face if we are in the pub, or my DNA if you are in CSI. none of those things are to do with the quale of being Paul - but they are useful for other people.

make sense?

I'm saying that don't fall into the trap of thinking that if there was some way to determine who I am really, then we could get rid of passwords. who I am really is a quale in my head and no use to anyone else - so instead we find ways to distinguish bags of meat and call it identity