New Authentication Scheme Proposed

jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."

Re:The problem with authentication is authenticati

[naasking]

How can your authorize something, unless you know who you're authorizing?

You've asked the right question. You can find an intro here. That article links to arguably the best authorization scheme: capability-based security, where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.