LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What's the difference between authenticating a machine and authenticating a person, and why does it matter for protocol design?

Machines have lots of memory and good compute (can do real crypto). People have very limited memory and poor compute (can only remember/type short secrets).

Machine Person
Memory Large — can store full keys, certs, key databases Tiny — a few short passwords at best
Compute Good — can run RSA, ECDSA, HMAC, full TLS handshakes None — can only type/click
Best auth method Certificate-based mutual auth, signed challenges Password + something else (token, biometric)

Implication for design:

  • You can't ask a person to "compute an HMAC mentally" — so human auth needs hardware (smart card, OTP token, phone app) to do the crypto on their behalf.
  • A common hybrid: Alice's password decrypts a keyfile on her computer, which then contains the real cryptographic key used for the protocol. This way she only needs to remember one short secret.

Or: the password loads a key from a key server (e.g. SSH agent forwarding, Hashicorp Vault, hardware-backed enclaves).

Tip: Passkeys/FIDO2 solve this elegantly — the phone/security key holds the private key and the user just touches a sensor or types a PIN. The user-facing secret is short; the cryptographic secret is full-strength.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026