In 1981, the President of the United States, Ronald Reagan, was shot by a gunman in Washington DC. It wasn’t fatal, but it was close. Reagan was rushed to hospital and in the chaos, the Biscuit went missing. The Biscuit was the nickname given to a small plastic card, sealed inside an opaque case, that contained the secret codes that would identify the President over the phone if he gave the instruction to fire a nuclear weapon.
The card was eventually found. Some reports say it had been hastily stuffed in the President’s shoe when the trauma team cut away his clothes. Others say that the FBI had seized all those clothes, and the card, as evidence, and they didn’t give it back until a couple of days later. It’s possible that both are true, depending on the timing.
There are some overexcited people who will say that for however long that card was missing, it would have been impossible for the United States to launch or to reply to a nuclear exchange. That’s not true, the Vice President had a backup, but in 1981, in the middle of the Cold War, a President with lost nuclear codes added some instability that the world really didn’t need. This story has something to do with your phone, I promise.
There are three ways that a computer, or any system, can identify you. It can ask for something you know, something you are, or something you have. Those are the three ‘factors’ of authentication. And the gold standard for checking identity is multi-factor authentication. At least two of these different factors. Two different passwords aren’t much better than one. But two factors are.
When you do something as simple as withdrawing cash from an ATM, that is two-factor authentication: the something you have is your card, and the something you know is your PIN. So let’s look at each of these factors.
1. Something you know
Well, for that, these days, that’s a password. The traditional login system, username and password, is usually credited to Dr Fernando Corbató at MIT in the 1960s. And when the only input device to your computer is a keyboard, a password absolutely makes sense. Something you know could also be a PIN, which is just a short password, or in the days before computers, your signature. But using this one factor isn’t ideal. Signatures can be forged. Passwords can be leaked or intercepted, either by someone hacking into the server they’re stored on, or putting a keylogger on your computer, or just by someone looking over your shoulder while you type.
I actually taught myself to shoulder-surf passwords when I was high school. Learned a teacher’s password. Got in trouble for it. And the only reason that I got caught, the only reason, is because I told someone else that I'd done it. I didn’t even want to do anything with the password, I was just the sort of nerd who taught himself skills like that for fun, 'cos I could. And the lesson I learned was not “don’t do it”, it was “keep your mouth shut”. Anyway. Passwords. Not ideal, but reasonable in the absence of any other options.
2. Something you are
That would be “biometrics”. Things like fingerprint and face recognition. These are great for proving who a person is, and they’re difficult to intercept. Although they do have downsides: the system has to trust that the device that’s reading the print or checking the face hasn’t been compromised. And if your fingerprint gets leaked, because some high-tech spy took a copy of it from a glass you drank from, you can’t exactly change it. I tried once. Plus, you can pretend not to know a password. That doesn’t work for your own face.
Some people do say there is a fourth factor of authentication, “somewhere you are”, the idea that if your credit card transactions suddenly move to the other side of the globe, it might be worth checking what’s going on, but I’d say that gets rolled into “something you are”. Science fiction writers have also imagined complicated artificial intelligence systems that can learn someone’s behavior patterns over time and recognize them, or panopticon societies where privacy is a thing of the past and everyone knows where everyone is and what they're doing, all the time. But right now, for “something you are”: we’re basically stuck with fingerprints and faces.
3. Something you have
That would be your bank card, or your phone, or a literal key. Which is ideal if you’re in the same physical location, if you are unlocking a door: but how do you prove that someone has a physical object when they’re in a completely different location?
That was a lot more difficult before smartphones. British banks have been sending out card readers to their customers for many years: you plug in your card, it reads a secret code off the chip, and then you type in your PIN and a one-time code that your bank sends you for each transaction. And it mashes all those together, does a lot of math, and the result is a number that you send back to your bank, confirming that you have the physical card. But these days, often you don’t need all that fuss: because almost everyone carries a phone now, and that’s a physical thing that can work as a token just by sending a notification to an app on it. That’s often secure enough.
Sometimes that’s still done with numbers in text messages, but that’s not ideal: SMS is not secure, and there have been attacks where criminals have called up phone providers and convinced the provider to move someone’s number over to another phone that the criminal controls. Or you can use an authenticator app on your phone. Now, that generates one-time codes. When you set up that app, it stores a long secret code from the server: then it combines that with the current time, and every minute, you get a different six-digit number that you can type in, to prove that you have that phone. It’s basically a password that your phone knows, but you don’t. The codes you type in can be short because they only last a minute each.
Of course, if you’re not actually talking to your bank, you're talking to some phishing web site that’s just taking the number you give them and passing it on to the bank pretending to be you… that’s not ideal. So some really high-security companies use a small physical USB or Bluetooth token instead. Google gave those out to all their employees, and they claim it reduced the number of successful phishing attacks to zero.
The actual process of how it works is way beyond the scope of this article, but it’s basically equivalent to the bank card reader, only automatic and with a lot more complicated math going on behind the scenes to make sure that the key will only talk directly to the correct web server. And because there’s nothing for you to type in, you can’t accidentally give the code to someone else. You’re required to have the actual, physical token.
Those US nuclear codes use all three factors of authentication. Something you have: the biscuit, the actual code card. Something you know: there were fake codes printed on that card, so the President had to memorize the position of the correct one so that when he cracked open the card -- hopefully he'd never have to, but when we cracked open the card he’d know which one to read out. And something you are: he had to be surrounded by the security apparatus and top-secret infrastructure that would let him make the call to the military in the first place.
Of course, all that multi-factor authentication could only check that it really was the President giving the order: that the identity was correct. There was no way to check that the President was sane, or that he wasn’t being coerced or tricked.
And in the same way, you can have all the multi-factor authentication you want on your bank account and email. And you should. You should turn that on. You should go to your email provider and your bank and turn on two-factor authentication for all your important accounts. But it won’t help if the company that you’re sending money to has been hacked, and the payment details they’ve emailed you actually come from a scammer. It won’t stop you falling for a confidence trick or a multi-level marketing scheme. Computers can only do what you say. They can’t do what you mean, and they can’t stop you from asking for terrible things. But at least they can be reasonably sure that it’s you asking.