Wednesday, February 1, 2017

Multi-factor Identification

In the security realm, we talk a lot about multi-factor authentication, but you
can also use multiple factors for identification. Why would we care about that?
If a guy shows up and claims to be "Joe", we take his word for it as long as he
can successfully authenticate using Joe's password, token, biometric, etc.
In other words anyone possessing matching authentication factors is assumed to
be Joe. But maybe he stole Joe's factors? Even some biometrics have been stolen
in both fiction and the real world. Remember Wesley Snipes stealing a guy's
eyeball in the movie Demolition Man? He holds it up to the iris scanner on a
ball-point pen. Nice. And a couple years back, I recall an article about some
thieves cutting off a guy's finger to steal his car whose locks and/or ignition
were biometric fingerprint scanners. So much for convenience. A key can be
replaced. Just saying.

In some applications, we only care about proper authentication and just take the
identification for granted. This is the case when logging into any computer
system, web site, and so forth. But in other cases, it may be really important
to correctly identify someone. In fact, there may not even be any authentication
involved if it's not a security situation. A family member was recently
hospitalized, and during the admission process we discovered the hospital had
recently upgraded its check-in process with a palm vein scanner. My first
instinct was to figure it had to do with authorizing access to health records.
No, it was to be used in any future admissions for positive and more accurate
patient identification. I thought, why not use a fingerprint or something?

It turns out that palm vein scanning is particularly useful in a medical
environment. The scanner works by using an infrared wavelength to record a
picture of the vein pattern in your palm. This pattern remains the same
throughout your life and can be read even through damaged skin (cut, burned,
etc.). And a biometric works even if you are unconscious and there's no one
else present who knows you. So unless your entire hand is damaged, it makes a
really good choice. This particular scanner worked only on the right hand. I
asked the admissions person what happens with people who are missing their
right hand. She sort of stumbled on that and said they would "figure something
out". :)

From a security perspective, it is highly unlikely that someone would want to
obtain a false admission to the hospital. Do you know why Joe was supposed to
be checking in? Maybe you're about to have your heart replaced. Yeah, I don't
see anyone abusing this. And you really don't need multi-factor identification
in a computer application. It would really just end up serving as yet another
authentication factor. Suppose you had to present a user name and biometric
first and then give the authentication factors associated with that pair. How
is that any different from giving only a user name and then one more
authentication factor? It's not. So identification is about getting the correct
record, not about whether you should or shouldn't be let in. In the hospital
case, the admissions person already has permission, so they don't need you to
authenticate anything.
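To make the identification-versus-authentication split concrete, here is a small added example (my own illustration, not code from the post). It models the two flows the paragraph compares: "user name identifies, then password and biometric authenticate" versus "user name plus biometric identify, then password authenticates". The user record, the hashing, and the biometric matching are constructed stand-ins; a real system would use a password KDF and a proper biometric matcher rather than an exact-match hash.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


# Constructed sample data for the illustration; none of it comes from the post.
@dataclass(frozen=True)
class Record:
    username: str
    password_hash: bytes
    biometric_hash: bytes


def _h(value: str) -> bytes:
    # Toy stand-in for a password KDF / biometric template matcher.
    return hashlib.sha256(value.encode()).digest()


USERS = {
    "joe": Record("joe", _h("correct horse"), _h("palm-vein-template-joe")),
}


def identify(username: str) -> Optional[Record]:
    """Identification: select the record the claimant says is theirs."""
    return USERS.get(username)


def verify(record: Record, password: str, biometric: str) -> bool:
    """Authentication: prove possession of the factors tied to that record.
    Both comparisons run every time so a failure does not reveal which factor
    was wrong."""
    ok_pw = hmac.compare_digest(record.password_hash, _h(password))
    ok_bio = hmac.compare_digest(record.biometric_hash, _h(biometric))
    return ok_pw and ok_bio


def flow_identify_then_authenticate(username: str, password: str, biometric: str) -> bool:
    """Flow A: user name identifies; password and biometric authenticate."""
    rec = identify(username)
    return rec is not None and verify(rec, password, biometric)


def flow_multifactor_identify(username: str, biometric: str, password: str) -> bool:
    """Flow B: user name plus biometric 'identify'; password authenticates.
    The biometric still has to be checked against the record the user name
    selected, so it is just an authentication factor evaluated earlier."""
    rec = identify(username)
    if rec is None or not hmac.compare_digest(rec.biometric_hash, _h(biometric)):
        return False
    return hmac.compare_digest(rec.password_hash, _h(password))


# Constructed attempts: (username, password, biometric).
ATTEMPTS = [
    ("joe", "correct horse", "palm-vein-template-joe"),   # all factors right
    ("joe", "wrong", "palm-vein-template-joe"),           # bad password
    ("joe", "correct horse", "palm-vein-template-other"), # bad biometric
    ("nobody", "correct horse", "palm-vein-template-joe"),# no such record
]


def flows_agree() -> bool:
    """The two flows accept and reject exactly the same attempts."""
    return all(
        flow_identify_then_authenticate(u, p, b) == flow_multifactor_identify(u, b, p)
        for u, p, b in ATTEMPTS
    )


if __name__ == "__main__":
    for u, p, b in ATTEMPTS:
        print(u, flow_identify_then_authenticate(u, p, b), flow_multifactor_identify(u, b, p))
    print("flows agree:", flows_agree())
```

Whichever step the biometric is attached to, the decision depends on the same lookup and the same factor checks, which is the post's point: moving a factor into the "identification" step changes the order of evaluation, not what is being decided.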
