Richard III – Authentication Gets Shakespearean
By Naresh Persaud on Feb 07, 2013
With the recent discovery of Richard III in a Leicester parking lot, we realize that authenticating an individual is as important as authenticating a king. Your identity is king.
The recent twitter #authchat provides a good survey of authentication techniques. Authenticating Richard required many of the same identity management techniques we use in software. Here are a few observations:
DNA evidence from two related descendants was critical in verifying the identity of the king. The same is true for the way we authenticate today. While we may use finger print readers on our laptops and in our data centers, we still rely on additional factors of authentication beyond biometrics. From the description of the battle of Bosworth, many thumbs and fingers were most likely misplaced – lots of parts everywhere. If Richard were alive today, he would have commanded, “my kingdom for a thumb!” If the researchers had tested DNA from the wrong thumb, the results would have been wrong. Biometrics are only a piece of the puzzle.
Third Party Verification
The research team had to find a descendant to verify the DNA of Richard III. DNA, like a certificate, on its own is not enough to prove who you are. A third party has to vouch for the fact that the information is correct. We may think we are advanced because we can make an instant SAML request to an identity provider to log into our 401K plan or download a ringtone, but it is perhaps more amazing that the team found an identity provider (Richard's descendant nephew) across 500+ years of the family tree, in a country thousands of miles away.
Finding the king and verifying the identity were almost equally challenging tasks. The location information from history played a role. In addition, the context of the injuries and the battle description were all indicators that helped to confirm the identity. Other factors including radio carbon dating and food consumption patterns were all part of the context used in the formula. Today, with many users with different roles accessing our systems, adaptive access and context aware security are used to complement authentication. Now, we may be a long way from using food consumption patterns to authenticate a user on a banking website, but I would not rule it out. It gives validity to the claim “you are what you eat.”
The key is that no single form of authentication is sufficient in all circumstances. Context helps to provide ongoing assurance that we are dealing with the correct user. It turns out Richard III was not the tyrant as he is remembered, but perhaps just the victim of identity fraud. Congrats to the research team – truly a remarkable accomplishment and the discovery demonstrates that “the king’s name is [still] a tower of strength”(Shakespeare,Richard III) -- especially given the amount of media exposure.