
In computer security, much attention is paid to the problem of identification. Whether it is passwords, security key fobs (tokens), secret questions, picture mnemonics or something else, developers are constantly inventing ever more complex and, hopefully, safer ways to confirm your identity over the Internet.
This matters, as anyone with an online bank account or a VPN knows. But much less attention is paid to the other side of the problem: how do you tell the remote system that you have walked away from the computer? How do you carry out de-identification?
My home computer has to be turned off (or shut down) when I want to de-identify myself. This method suits me, because I understand that it has to be done every time, but many people simply leave the computer on when they walk away from it. As a result, sessions on many office computers stay open while the owner is at lunch, or even after the owner has gone home. This is an obvious security hole.
The most common way to solve the problem is to set a timer. A session can be set to terminate automatically after, for example, five minutes of inactivity. However, the timer has to be tuned precisely: logging the user off too quickly annoys them, and logging them off too late threatens security. My corporate mail server ends a session after about 10 minutes, and this regularly annoys me.
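The trade-off described above can be made concrete. The following added example (not part of the original article) replays a constructed day of keyboard activity against several idle timeouts and counts how often a present user is logged off versus how long the session sits open unattended; the `VISITS` data, `NEXT_LOGIN` and the `evaluate` function are assumptions made for illustration.

```python
# Added example. VISITS is constructed sample data, not a measurement.
# Times are seconds since the first login. Each visit is
# (arrive, leave, input_events): the user is at the desk from arrive to
# leave and logs in again on arrival.
VISITS = [
    (0, 3600, [0, 200, 600, 1300, 2000, 3550]),   # morning, then lunch
    (5400, 9000, [5400, 5600, 6500, 8950]),       # afternoon, short break
    (9600, 12000, [9600, 9800, 11950]),           # then goes home
]
NEXT_LOGIN = 60000  # assumed time of the next morning's arrival


def evaluate(timeout, visits=VISITS, next_login=NEXT_LOGIN):
    """Return (false_logoffs, exposure_seconds) for an idle timeout in seconds.

    false_logoffs: idle gaps longer than the timeout while the user was
                   still at the desk (the session ended under them).
    exposure_seconds: time the session stayed open with nobody at the desk.
    """
    false_logoffs = 0
    exposure = 0
    for i, (arrive, leave, events) in enumerate(visits):
        # A gap between two inputs in the same visit that exceeds the
        # timeout logs out a user who is present (reading, on the phone).
        false_logoffs += sum(1 for a, b in zip(events, events[1:])
                             if b - a > timeout)
        # After the user leaves, the session stays open until the idle timer
        # expires or the user comes back, whichever happens first.
        returns = visits[i + 1][0] if i + 1 < len(visits) else next_login
        closes = min(events[-1] + timeout, returns)
        exposure += max(0, closes - leave)
    return false_logoffs, exposure


if __name__ == "__main__":
    # 5 and 10 minutes are the values mentioned in the text; 30 minutes and
    # "no timer" (infinite timeout) are added for comparison.
    for label, t in [("5 min", 300), ("10 min", 600),
                     ("30 min", 1800), ("no timer", float("inf"))]:
        logoffs, exposed = evaluate(t)
        print(f"{label:>8}: {logoffs} false logoffs, {exposed} s unattended")
```

On this sample, shortening the timeout from 30 minutes to 5 cuts unattended time from 4100 s to 750 s but raises the number of interruptions from 2 to 7.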
Some are experimenting with tokens: USB sticks that must be inserted into a USB port for the computer to work, or wireless RFID tokens that end the session automatically once they are moved a few meters away from the computer. Of course, people will constantly be tempted to leave their token next to the computer, because that is easier for them. It is therefore desirable to combine the token with car keys or a work badge, so that users have to carry it with them all the time. This minimizes the risk.
Still, this is expensive. A cheaper option to consider is a research project that measures the distance between the computer and a Bluetooth device, such as a mobile phone. The system can be programmed so that the computer turns off when a particular mobile phone leaves the zone of reach.
Some systems end the session after each transaction. This method is unacceptable for computers, but it may well be suitable for ATMs. An ATM can eject the card before dispensing the money and make sure that I have taken it, and before each new transaction require the card to be inserted again and the PIN code entered.
This method has a clear physical analogue: the door lock. Does it latch automatically when the door is closed, or does it stay unlocked until you lock it yourself? The first option corresponds to a system that ends the session automatically after each transaction, and the second to ending the session manually. Both types of locks are sold and used, and which type you choose depends on how you use the door and who, in your opinion, might try to break in.
Designing systems for usability is a very difficult task, especially when you also have to think about security. Practically by definition, making a system more secure makes it less usable.
The choice of de-identification model depends largely on how the system is used, as well as on the assessment of potential threats. You have to choose between increasing security and inconveniencing users. Finding the right balance takes time and testing, and it is more art than science.