
>I've only heard the "something you know" and "Something you have" from my old graduate level security class. This is the first I've heard of "something you ARE" and I like this distinction. It makes sense.

I'm somewhat surprised because it's definitely not new, I don't know what the exact genesis of that particular cryptographer's verse is but my vague recollection is I first heard it in the late 90s, and the idea of extracting bits showing identity from physical qualities unique to a person certainly dates back a long way. "Something you are" can cover a lot of possibilities too, and with vastly more variety and subtlety than I think a lot of people consider even in security fields. For example, there was recently a genuinely very interesting idea of measuring bottoms. As in, your actual behind/ass, via sensors in chairs. It should be unsurprising if you consider it, but of course the patterns of musculature/fat/bone structure are fairly unique to you for any part of your body if you have sensitive enough tools. It's a transparent measure for certain use cases like a workstation or the like since you're sitting down anyway, and hard to clone from afar since our butts are typically covered and subdermal is challenging without near contact. Another place if you want to look for cutting edge possibilities is advertising/surveillance. Nearly anything used for tracking fingerprinting could in principle be used for authentication too, and again there are potentially a lot of bits of entropy to be found there. Our gaits as we walk, our patterns of typing, our micro muscle movements, all sorts of things aren't so generic to a powerful enough system. "Biometrics" is to some extent at the stage of 80s or early 90s passwords, something to keep in mind in these discussions when people complain about them. 8-character alphanumeric passwords protected by crypt aren't exactly good these days either, but auth tech moved on even as tech benefitted attackers. In the future biometrics will undoubtedly consider far more than our current early generation systems, up to and including implants.

FWIW, I have (more rarely) seen a few other classes of factor suggested that do make sense, and are arguably distinct categories. One is spatiotemporal, i.e., "somewhere/somewhen you are". This is used de facto by any sort of air gapping or "this system can only be accessed from this one place and console" or the like. It could though be taken advantage of far more thanks to more ubiquitous high resolution GPS and the like in our systems. Having certain kinds of data only become accessible in the right place/time could be very useful.

Another fuzzier category is "something you do", as in observing the actions you take. I felt at one point that this was merely another way of measuring "something you are", but I can see the idea that it'd be distinct because it's about revealing your direct state of mind, whereas at least for the foreseeable future "something you are" tends to focus on more bulk matter aspects of your being. Technically state of mind is physical too, there is a specific vector state of axons and neurons and firing patterns that represent it, but it might make sense still to distinguish that from physical body structure or even implants. Whatever the case though it's still an interesting consideration, and makes a lot of sense in old school counterops. Sometimes the first sign of someone who "shouldn't be authenticated to use this" has been "they were 'acting funny'" after all.



"Something you are" and "something you have" are the same class, just that the thing you have is physically attached to your body. Doesn't matter if it's a fingerprint, a chip installed under your skin or a tattoo. Pretty pointless distinction. Fingerprints, faces and eyes are merely conveniences.


Nope, they are quite different exactly because "something you are" is attached to you and "something you have" is not. One can be swapped out if compromised or get lost. The other cannot (intentionally or unintentionally) be replaced, but -- because it is something biological -- undergoes slow changes over time. These differences are sufficiently large that it makes sense to split it into two categories when modeling the whole system from a security -- or usability -- standpoint.


> "something you are" is attached to you

And can be compromised without theft, coercion or any other trace.

> One can be swapped out if compromised or get lost.

Which makes something you are strictly worse than something you have.

> undergoes slow changes over time

You are lacking an argument for anything attached to this point.

> ...it makes sense to split it into two categories

So you are arguing that because something is strictly worse from a security standpoint, it should be categorised as a new category? Have I summed up your position correctly?

There are usability benefits which would exist similarly by attaching something which couldn't be easily compromised to your body. For example a chip under your skin or just carrying a watch on your wrist which you could authenticate with after putting it on and which would un-authenticate automatically when it is taken off. Nobody would argue that you are your chip or your watch.

Something you know is different because there are no plausible ways aside from coercion and similar for extracting such secrets in idle, and the other alternative is to get compromised on usage. It's about the threat models.


They are different classes. Something you are can be stolen or copied, but you can't easily trade it away.

Something you have can have strong copy protection like a yubikey and can be given away.

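The property the last two comments are arguing over (a biometric is a static value that can be copied and never re-issued, whereas a token answers fresh challenges, can be revoked and replaced, and authenticates whoever is holding it) as an added Python model. This is example code written for this page, not anything posted by a commenter; the HMAC challenge-response is a simplified stand-in for what a YubiKey or FIDO authenticator does, and the user name, token ids and "fingerprint template" bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class HardwareToken:
    """Possession factor: a per-token secret that only ever answers
    challenges as HMAC(key, nonce). Hypothetical model of a YubiKey."""

    def __init__(self, token_id):
        self.token_id = token_id
        self._key = secrets.token_bytes(32)

    def enrollment_secret(self):
        # Shared with the server once, at enrollment (a real FIDO token
        # would hand over a public key instead).
        return self._key

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.templates = {}    # user -> biometric template (static bytes)
        self.token_keys = {}   # user -> {token_id: secret}
        self.pending = {}      # nonce -> user, each nonce accepted once

    # "something you are": the same value is compared on every login
    def enroll_biometric(self, user, template):
        self.templates[user] = template

    def auth_biometric(self, user, presented):
        stored = self.templates.get(user)
        return stored is not None and hmac.compare_digest(stored, presented)

    # "something you have": fresh challenge, one-time response
    def enroll_token(self, user, token):
        self.token_keys.setdefault(user, {})[token.token_id] = token.enrollment_secret()

    def revoke_token(self, user, token_id):
        self.token_keys.get(user, {}).pop(token_id, None)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = user
        return nonce

    def auth_token(self, user, token_id, nonce, response):
        if self.pending.pop(nonce, None) != user:   # unknown or already used
            return False
        key = self.token_keys.get(user, {}).get(token_id)
        if key is None:                             # never enrolled or revoked
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Runs the scenarios from the thread and returns each outcome."""
    srv = AuthServer()
    alice_finger = hashlib.sha256(b"constructed fingerprint minutiae").digest()
    srv.enroll_biometric("alice", alice_finger)
    yk1 = HardwareToken("yk-1")
    srv.enroll_token("alice", yk1)
    out = {}

    # 1. Both factors work for the legitimate user; an attacker records both.
    out["bio_ok"] = srv.auth_biometric("alice", alice_finger)
    n = srv.challenge("alice")
    captured = (n, yk1.respond(n))
    out["token_ok"] = srv.auth_token("alice", "yk-1", *captured)

    # 2. Copied: the recorded template logs in again, the recorded
    #    token exchange does not (nonce spent), nor does the old response
    #    satisfy a fresh challenge.
    out["bio_replay"] = srv.auth_biometric("alice", alice_finger)
    out["token_replay"] = srv.auth_token("alice", "yk-1", *captured)
    out["token_old_response"] = srv.auth_token(
        "alice", "yk-1", srv.challenge("alice"), captured[1])

    # 3. Swapped out: the token is revoked and replaced; the fingerprint
    #    stays exactly as it was.
    srv.revoke_token("alice", "yk-1")
    yk2 = HardwareToken("yk-2")
    srv.enroll_token("alice", yk2)
    n = srv.challenge("alice")
    out["revoked_token"] = srv.auth_token("alice", "yk-1", n, yk1.respond(n))
    n = srv.challenge("alice")
    out["new_token"] = srv.auth_token("alice", "yk-2", n, yk2.respond(n))
    out["bio_unchanged"] = srv.auth_biometric("alice", alice_finger)

    # 4. Traded away: whoever physically holds yk-2 is "alice" to the server.
    holder = yk2
    n = srv.challenge("alice")
    out["handed_over"] = srv.auth_token("alice", "yk-2", n, holder.respond(n))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the two columns of the argument fall out directly: the biometric authenticates on replay and cannot be re-enrolled, the token refuses replays, can be revoked and re-issued, and works for any holder. Real biometric matching is fuzzy rather than a byte comparison, which makes the copy problem worse, not better.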

See answer above.



