On Physical Authentication

Recently, I moved into a new environment and had the opportunity to witness a number of processes. This experience further reinforced in me the importance of policies over technical measures.

Physical authentication is simple compared to its online equivalent. For a small population, we recognise people by face. For a larger one, we use an identity card with a photo and verify that the photo looks similar to the person in real life. For extra security, we could go with biometrics or a password/PIN. Putting fake IDs aside, that pretty much sums up physical authentication.

There is no need to worry about authenticating the "server" since it is highly unlikely for someone to set up a fake counter or service desk or even a fake building. MITM attacks are also out of the question since you are physically present at the location. Physical authentication is something that we all do in daily life subconsciously.

Yet it is still possible to screw up something like this. While collecting network equipment, I was not required to present any ID. I could have simply filled in my neighbour's name and address and got away with it. While collecting parcels, all I needed was the tracking number. Requiring me to sign for it doesn't help in the least, since the signature isn't being validated against my own. While not as straightforward, obtaining tracking numbers shouldn't be a problem with a little social engineering; after all, they are not meant to be confidential in the first place.

Update: Spoke too soon. Apparently, it is possible to set up a fake bank. These folks had it running for more than a year!