15 resources on Security: Best Methods for Authenticating Users

created by Robert DOELL on March 16, 2006 2:05 PM

There are so many different ways, methods, tricks, technologies, and gimmicks for mixing up authentication to make it strong, two-factor authentication or better. Here is a list of known methods, new and old, to consider. Please use the following key if you add to the list:

Something You Have (SYH), Something You Know (SYK), and Something You Are (SYA)


Resources

1

When people hear biometrics, this is what they think of.

provided by Robert DOELL on March 16, 2006 2:43 PM

2

Digital Certificates are little files that are distributed by a PKI framework and they reside on your laptop/computer or some sort of token; this is probably the easiest strong authentication for the user but the hardest to manage - there is a lot of extensibility for the enterprise by choosing this method

provided by Robert DOELL on March 16, 2006 2:11 PM

3

Similar to tokens, and one step up from a magstripe on credit cards, smart cards have a chip that can hold digital certificates and other information. They are a popular method for logging into community workstations and for implementing SSO (Single Sign On)

provided by Robert DOELL on March 16, 2006 2:15 PM

4

SecurID is probably the most tried and true method of two-factor (strong) authentication. It is a token that you carry that displays a synchronized number that you must enter as an additional password. Some tokens also require an additional PIN in order to use.

provided by Robert DOELL on March 16, 2006 2:21 PM

5

A transformation of the token into a USB key. This method allows integration of the authentication hardware directly with the application.

provided by Robert DOELL on March 16, 2006 2:30 PM

6

The most popular and in-use form of user authentication. Combined with another form of authentication, it can be very secure; today, when used alone, it is not very secure.

provided by Robert DOELL on March 16, 2006 2:32 PM

7

An innovative way of authentication that deals with the user's memory of clickable 'key points' in an image. (The link is good for the origination, but I ran across a demo that used an image of a street in Amsterdam; if you know the URL, please comment.)

provided by Robert DOELL on March 16, 2006 2:37 PM

8

You've seen these before: What city were you born in? What is your pet's name? and What is your mother's maiden name? -- probably the 3 most common challenge-response questions in use today, and probably the most widely used for social engineering and identity theft.

provided by Robert DOELL on March 16, 2006 2:40 PM

9

I noticed this method of authentication widely used during the BBS days; once again it is a viable method of increasing the difficulty of impersonating or using someone's credentials by attempting to contact the person at their registered location or device (cellphone).

provided by Robert DOELL on March 16, 2006 2:42 PM

10

Another way of measuring a feature on a human and comparing it to a record, made popular by sci-fi, most notably the films Blade Runner and, more recently, Minority Report.

provided by Robert DOELL on March 16, 2006 2:47 PM

11

When comparing a scan to a database it takes time, so it is advisable to make the scanned data as small/simple as possible so that the search can be done faster. Biometrics used in high-traffic entry points require very minimal time to perform, with minimal errors, in order to be acceptable; all these are reasons for using this method.

provided by Robert DOELL on March 16, 2006 2:50 PM

12

Another method for authentication that deals with measuring the duration and speed of keystrokes when typing a phrase.

provided by Robert DOELL on March 16, 2006 2:52 PM

13

You've probably seen the rudimentary method of recording your signature at point-of-sale machines when making a credit card purchase. That data is only used as a record of the transaction; if it were compared to your real signature electronically it would be the proper method of this type of authentication. (No, the clerk comparing your card's signature isn't viable.)

provided by Robert DOELL on March 16, 2006 2:55 PM

14

Lots of references to this on the 'net but no meat yet. It is coming, but don't expect to see it today unless you're dealing with forensics.

provided by Robert DOELL on March 16, 2006 2:56 PM

15

'My Voice Is My Password': another method, not very practical in the future, however.

provided by Robert DOELL on March 16, 2006 2:57 PM