The problems of remote contracting and security authorization (e.g. bank payment and entry to a door or computer network) can be classified into four groups: identification of a person taking an action (“identification”), proof of intent to take the action (“intent”), proof that neither of these was falsely simulated or altered (“integrity”), and assurance that any promised funds will be paid (“assurance”). To illustrate these problems, we begin with remote contracting using credit cards, debit cards, and checks.
When a credit card, debit card, or check is used for contracting in place of money, a remote third party (or group of parties), for simplicity called a “bank”, becomes involved. The buyer is instructing the remote bank to pay the merchant. The bank and merchant are concerned with all four problems identified above.
Checks provide no assurance that the funds will be paid, other than the buyer's promise, and offer no means of identification. Consequently, they are seldom accepted by merchants without additional reliable information. Credit cards and debit cards (authorization cards) allow banks to assure merchants that the funds will be paid, provided the merchant electronically queries the bank's computer before accepting the contract. Integrity of this query is maintained because a private electronic link to the bank's computer is used. Proof of intent is indicated by the act of signing, for a typical credit card, or entering a personal identification number (“PIN”), for a typical debit card. Identification rests on two facts: the person possesses the card, and the person either can quickly generate a signature matching that on the back of the card or knows the proper PIN to go with the card (something you have plus something you know). Assuming the PIN is verified across a secure communications link, a PIN provides better identification than a signature because the signature on the back of the card could be false or the person signing might have learned to forge the signature. It is easy for a person to create a counterfeit copy of a credit or debit card, but it is impossible to derive the PIN from the card.
Security authorization situations include the same problems as remote contracting except for payment assurance. Solutions include biometric detection, requiring that a PIN be entered on a keypad, and the use of contact-type or contact-less identity cards (something you have).
Until biometric systems that can unmistakably detect and distinguish each human are perfected, each person will have to carry one or more authorization devices. For high security, such authorization devices will require something you have (the device) plus something you know (“knowledge-type authentication devices”). Input of something you know (a “knowledge token”) can be by PIN on a keyboard, by voice into a voice recognition circuit, or by another input method.