The IT Law Wiki



Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the utlization of passwords or personal identification numbers (PINs). The goal is to determine whether the person or object is who or what they claim to be.

Biometric technologies automate the identification of people using one or more of their distinct physical or behavioral characteristics — authentication based on something that users are. The use of security tokens or biometrics requires the installation of the appropriate readers at network and computer access points.


Authentication is

1. A security measure designed to protect a communications system against acceptance of a fraudulent transmission or simulation by establishing the validity of a transmission, message, or originator. 2. A means of identifying individuals and verifying their eligibility to receive specific categories of information. 3. Evidence by proper signature or seal that a document is genuine and official. . . .[1]

Computer security[]

Authentication is

[a] [s]ecurity measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.[2]
[v]erifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IT and ICS.[3]
[t]he process of verifying the identity of an individual user, machine, software component, or any other entity.[4]

Authentication is "[p]rovision of assurance that a claimed characteristic of an entity is correct."[5]

CSS (Content Scramble System)[]

Authentication is a process for a DVD drive and the CSS decryption module to recognize (or authenticate) each other. It is necessary before reading data from DVDs. An authentication key is used for this process.



To be admissible at trial, the evidence offered must be authenticated, that is, shown to be what its proponent claims it is.[6] The proponent is not required to rule out all possibilities that are inconsistent with authenticity. The standard for admission is a reasonable likelihood that the evidence is what it purports to be. As stated by one court:

Authentication is a condition precedent to admissibility. . . . `If, upon consideration of the evidence as a whole, the court determines that [it] is sufficient to support a finding by a reasonable juror that the matter in question is what its proponent claims, the evidence will be admitted.' State v. Hager, 325 N.W.2d 43, 44 (Minn.1982). When evidence is not unique or readily identifiable, the integrity . . . of the evidence must be authenticated by establishing the chain of custody.[7]


Images used to illustrate a witness’s testimony are easy to authenticate, usually requiring only the witness’s testimony that, based on personal knowledge, the image is a fair and accurate portrayal of what it represents. Digital photographs offered as pictures of a crime scene should normally be authenticated as conven­tional photographs would be, unless some real concern arises regarding alteration.

For example, enhancing digital images may raise authentication issues. Re-cre­ations and simulations that accompany expert testimony may require the same foundation as the expert testimony itself to support the assumptions on which such evidence rests. Testimony that the input and output parameters were correct may also be needed. For example, simulations are commonly used in civil cases to portray airline disasters and automobile crashes.

Authentication issues in such cases focus on the extent to which input data corre­spond to actual events (in terms of accuracy and completeness) and the scientific validity of the mathematical model underlying the simulation.

Authentication of computer-stored substantive evidence[]

Key authentication issues for computer-stored evidence usually center on identifying the author or authors of the computer-stored record and showing that it has not undergone significant change in any respect that matters in the case. Both of these points can often be shown through the chain of custody and other circumstantial evidence.

Illustration (b)(1) of Fed.R.Evid. 901 provides for authentication through “testimony of [a] witness with knowledge” that “a matter is what it is claimed to be.” Many courts have recognized that, while the witness called to establish authenticity must have personal knowledge of the facts about which he or she testifies, the wit­ness need not have been the programmer of the computer in question, have knowl­edge of its maintenance and technical operation, or have seen the data entered. For example, computer-stored records of illegal drug transactions, found on a computer seized from a defendant’s possession, could be authenticated by testimony from both the investigating officer who seized the computer (showing that the computer was indeed found in the defendant’s possession and that names used in the files matched those associated through other evidence with the drug transactions) and the examiner who recovered the files (showing that the records are actually those found on the computer).

In some cases, because of the relative anonymity of some computer-stored records (such as those involving Internet-related crimes), establishing authorship may depend largely on circumstantial evidence. For example, in a child pornography case involving Internet chat rooms, evidence obtained from the defendant’s residence that linked him to his postings to the chat room, information he gave to an undercover officer, and infor­mation obtained from the ISP were sufficient to show authorship.

Authentication of digital evidence under the Federal Rules of Evidence is often a simple and straightforward matter. Defendants will sometimes challenge authenticity by alleging that the computer records could have been altered after they were created. Such arguments emphasize the ease with which computer records may be modified. Under the “reasonable likeli­hood” threshold for authentication, however, courts have generally not been receptive to such claims in the absence of specific evidence of alteration. Moreover, authentica­tion of data may not necessarily be precluded by the use of examination software that alters nonessential data but does not effect significant changes to substantive data. For example, alteration of time and date stamps may not preclude admission in a given case.

Other issues that may be raised, apart from the possibility of tampering, include the completeness of the record, the input procedures, and the input method (accurate data conversion). If these matters are genuinely at issue, the proponent of the evidence should be prepared to present witnesses to address them.

In the majority of cases, a combination of circumstantial evidence provides the key to establishing the authorship and authenticity of a computer record.

Authenticating e-mail[]

Common ways to authenticate e-mail include:

  • The content of the e-mail refers to matters of which the writer would have been aware.

Authentication of preexisting substantive evidence generated by a computer[]

Because computer-generated records are created directly by computer programs rather than by human input, authentication issues do not include identity of the records’ author. Rather, the central authentication concerns are the reliability of the processing and output functions. Particularly pertinent to these concerns is Fed.R.Evid. 901(b)(9), which provides for authentication by “[e]vidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.”


The three generic means of authentication that tend to be used in practice can be described loosely as 'something you know,' 'something you have,' or 'something you are.'"[8]

Authentication is

the process of validating the credentials of a person, computer process, or device. Authentication requires that the person, process, or device making the request provide a credential that proves it is what or who it says it is. Common forms of credentials are digital certificates, digital signatures, smart cards, biometrics data, and a combination of user names and passwords.[9]

Authentication (of identity) is

an adjunct step to identification that confirms an asserted identity with a specified, or understood, level of confidence. Authentication can be used to provide high assurance that the purported identity is, in fact, the correct identity associated with the entity that provides it. The authentication mechanism can be based on something that the entity knows, has, or is (e.g., a password, a smart card that uses some encryption or random number for a challenge-response scheme, or a fingerprint).[10]

Authentication (of a message or a file) is

the process of adding one or more additional data elements to communications traffic (or files) to ensure the integrity of the traffic (or files). Such additional elements are often called "message authenticator(s)" and would be an example of an integrity lock.[11]


Authentication is

[a] security measure designed to protect a communication system against fraudulent transmissions.[12]

Overview (Computer security)[]

Authentication mechanisms can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices.

The principal forms of authentication include static, dynamic, and multiple factor. Authentication technologies associate a user with a particular identity. People are authenticated by three basic means:

In general, the more factors that are used in the authentication process, the more robust the process will be.

People and systems regularly use these means to identify people in everyday life. For example, members of a community routinely recognize one another by how they look or how their voices sound — by something they are.

Authentication for individuals involves independent confirmation of identity using one or more methods. Typically, multi-factor approaches provide greater security than single factor methods. These might be retinal scans, DNA, fingerprints, voiceprints, etc.

Automated teller machines recognize customers because they present a bank card — something they have — and they enter a personal identification number (PIN) — something they know. Using a key to enter a locked building is another example of using something you have. More secure systems may combine two of more of these approaches.

While the use of passwords is an example of authentication based on something users know, there are several technologies based on something users have. Security tokens can be used to authenticate a user. User information can be coded onto a token using magnetic media (for example, bank cards) or optical media (for example, compact disk–like media). Several smart token technologies containing an integrated circuit chip that can store and process data are also available.

Once a user is authenticated, authorization technologies are used to allow or prevent actions by that user according to predefined rules. Users could be granted access to data on the system or to perform certain actions on the system. Authorization technologies support the principles of legitimate use, least privilege, and separation of duties. Access control could be based on user identity, role, group membership, or other information known to the system.

Most operating systems and some applications provide some authentication and authorization functionality. For example, user identification codes and passwords are the most commonly used authentication technology. System administrators can assign users rights and privileges to applications and data files based on user IDs. Some operating systems allow for the grouping of users to simplify the administration of groups of users who require the same levels of access to files and applications.

Overview (Internet of Things)[]

"Proper authentication also is a must in the Internet of Things. If a device transmits or receives sensitive data, an authentication failure could allow unauthorized access to that information. But with connected devices, the risk doesn't stop there. An authentication failure could expose sensitive data not just on the device, but on networks to which it's connected. In addition, if an unauthorized person is able to access a device remotely and change how it operates, the safety implications could be profound. Consider investing additional resources in the design, implementation, and testing of authentication."[13]


  1. DOD Dictionary of Military and Associated Terms, at 23-24 (2018 ed.).
  2. CNSSI 4009, at 9.
  3. Electricity Subsector Cybersecurity Risk Management Process, at 61.
  4. FFIEC, IT Examination Handbook Infobase, Glossary (full-text).
  5. Framework for Cyber-Physical Systems, at 6.
  6. Fed. R. Evid. 901(a).
  7. State v. Kottom, 2008 WL 4977337 (Minn. Ct. App. 2008) (full-text).
  8. Who Goes There?: Authentication Through the Lens of Privacy, at 2.
  9. Privacy Technology Focus Group Final Report, App. B, at 50.
  10. Cryptography's Role in Securing the Information Society, App. B, Glossary, at 354. See also 45 C.F.R. §164.304 ("Authentication means the corroboration that a person is the one claimed.")
  11. Cryptography's Role in Securing the Information Society, App. B, Glossary, at 354.
  12. NATO Standardization Agency, NATO Glossary of Terms and Definitions 2-A-21 (2008) (full-text).
  13. Careful Connections: Building Security in the Internet of Things, at 3.

See also[]