“Star Trek” Authentication

If you are an IT professional and you’ve watched any “Star Trek” at all, you might have speculated about how when Kirk issues a command, the ubiquitous Computer knows it’s coming from him instead of red-shirted Ensign Jones who presumably has significantly reduced privileges on the Enterprise.

The most obvious answer is voice recognition. Your voiceprint could be considered a “something you are” factor of authentication — the other two factors of course being “something you have” and “something you know”. Good enough for basic ship operations.

For more critical actions, Kirk would add an extra passphrase to his command, like “Authorization: Kirk Alpha Echo One”. Requiring that additional step is a classic “step-up” authentication where the user provides extra evidence that they are who they say they are.

And for extra-critical actions like activating the Enterprise’s auto-destruct sequence, Spock might also have to concur by doing the same process — “four-eyes” approval, just like in the Cold War-era movies where the two guys across the missile silo from each other simultaneously turn their keys to launch the missiles.

When I was a kid, I always thought that those short passphrases seemed like a pretty weak form of evidence for use in an authentication flow. Then I didn’t think about it for a long time.

But this week I was catching up on “Star Trek: Strange New Worlds”, and a use case came up where Spock needed to transfer command and control from the bridge to the engine room. When Spock provided his passphrase, it finally occurred to me that this is actually a reasonably solid form of multi-factor authentication since Spock is adding a “something he knows” factor (the passphrase) to “something he has” (his voiceprint).

In other words, I won’t look at “Star Trek” quite the same way again.

So where is this most likely to break down? Probably the first step, actually, with the voiceprint.

It doesn’t take a genius black-hat hacker to realize that you might be able to attack the Enterprise’s authentication scheme with voice synthesis or maybe even a simple recording on your communicator. In fact, I believe this may have come up as a plot point in some old “Star Trek” episode or another, although I’m not quite enough of a Trekkie to point to exactly which one. But in terms of the state of the art even in the ancient year of 2023, there’s probably a reason why we aren’t routinely saying, “Hey Siri, unlock my phone!”.

That said, the second factor still helps protect critical ship operations even in the presence of a hacked voiceprint, as the hacker would also have to know the commander’s passphrase. We can assume that the system has an incorrect-attempts lockout to prevent brute-forcing the passphrase. And we can improve the protocol further if we choose by making the passphrases single-use-only.

With those measures in place, does it make the Enterprise any more secure to require a more complex passphrase? (This is what kid-me would have assumed.) Probably not as a second factor. Even a short passphrase can’t be brute-forced with the lockout mechanism in place, and the difficulty of getting Spock to reveal a long as opposed to a short passphrase is equivalent — although if you are designing a system like this, you’ll want to make sure the passphrase can only be random or nonsense and not allow people to select guessable passphrases like the names of their cats. And all that said, three or four words might still be a bit short, and I would lean toward six to eight.
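As an added illustration (not code from the original post), here is a small Python model of the scheme described above: a voiceprint alone gates routine commands, critical commands additionally require one of a set of random single-use passphrases, repeated failures lock the officer out, and auto-destruct needs two different officers to pass step-up. The lockout threshold, the officer names and the passphrase format are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumed lockout threshold; the post gives no number


@dataclass
class Officer:
    name: str
    voiceprint: str                      # stands in for "something you are"
    passphrases: set = field(default_factory=set)  # single-use "something you know"
    failures: int = 0
    locked: bool = False


class ShipComputer:
    def __init__(self):
        self.crew = {}

    def enroll(self, officer, count=3):
        """Issue `count` random single-use passphrases (constructed hex tokens)."""
        officer.passphrases = {secrets.token_hex(4) for _ in range(count)}
        self.crew[officer.name] = officer
        return sorted(officer.passphrases)

    def basic_command(self, voiceprint):
        """Voiceprint alone is good enough for routine ship operations."""
        return any(o.voiceprint == voiceprint for o in self.crew.values())

    def step_up(self, name, voiceprint, passphrase):
        """Critical action: voiceprint AND an unused passphrase; lockout on failures."""
        officer = self.crew.get(name)
        if officer is None or officer.locked:
            return False
        if officer.voiceprint == voiceprint and passphrase in officer.passphrases:
            officer.passphrases.discard(passphrase)  # single-use: a replay fails
            officer.failures = 0
            return True
        officer.failures += 1
        if officer.failures >= MAX_ATTEMPTS:
            officer.locked = True               # bounds brute force of short phrases
        return False

    def auto_destruct(self, first, second):
        """Four-eyes: two distinct officers must each pass step-up."""
        (n1, v1, p1), (n2, v2, p2) = first, second
        if n1 == n2:
            return False
        # the first passphrase is consumed even if the second officer fails
        return self.step_up(n1, v1, p1) and self.step_up(n2, v2, p2)
```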

So maybe “Star Trek” authentication isn’t as bad as you thought?

In general, I wouldn’t try to draw too many IT security lessons from “Star Trek”. We all know that is what “Mr. Robot” is for. But at least when it comes to authenticating for critical operations, the Enterprise uses MFA. Sadly that’s still better than a lot of websites and users on the Internet.
