Authorization & Authentication: A Tale of Government Security Clearance
My first job after college was with a contractor to the United States Navy. I had to get a security clearance from the U.S. government to have access to classified data, the lowest category. One piece of the application was getting fingerprinted. From there, federal agencies like the FBI would check my fingerprints against criminal records databases to see if any matches turned up.
I walked down to the local police station in my college town of Waterville, Maine, which is not exactly a bustling metropolis. I expected a police officer to compare my picture on the driver’s license I’d brought with my actual face to confirm my identity, before taking my fingerprints and shipping them off to the appropriate authority.
But they did not.
First, when I arrived at the station, I was told to wait. “We’re questioning a suspect in the booking room!” This was clearly the most action these officers had seen in a while. They were psyched. But I was puzzled about why this was an impediment, so naturally I asked more questions: “Can you tell me more about the ink pad? Is it secured to the table in some fashion? Would it be possible to continue questioning the subject, but take my fingerprints out here in the hallway?”
After explaining this to two different officers and lots more waiting, they discovered that the ink pad was indeed able to be transported by human hands to interact with mine. They filled out the form with my name and some other details I provided verbally and took my fingerprints. I left.
It was only after I got back to campus that I realized the crucial step the police officers missed: they forgot to look at my driver’s license. They were so thrown off from their usual routine, both by having a suspect in custody and by moving the fingerprint pad to a different location, that they forgot to verify my identity.
I have no criminal record, I was only at the job for a short time, and my security clearance expired after five years without getting renewed, so the mistake was of no consequence.
But consider the alternative: I have a criminal record. I send my sister or a friend who knew enough about me to the police station. They impersonate me, and the fingerprint check of their prints turns up no suspicious activity. Now I have security clearance to access classified data about the American military when I shouldn’t.
The moral of this story: authentication and authorization go hand-in-hand. Authorization could have been circumvented by an unauthorized impersonator without the additional check of authentication. Putting someone in a particular security group is not enough: you’ve got to check that it’s them who’s supposed to be there.