Quiz Entry - updated: 2026.07.14
What's the difference between authenticating a machine and authenticating a person, and why does it matter for protocol design?
Machines have lots of memory and good compute (can do real crypto). People have very limited memory and poor compute (can only remember/type short secrets).
| Machine | Person | |
|---|---|---|
| Memory | Large — can store full keys, certs, key databases | Tiny — a few short passwords at best |
| Compute | Good — can run RSA, ECDSA, HMAC, full TLS handshakes | None — can only type/click |
| Best auth method | Certificate-based mutual auth, signed challenges | Password + something else (token, biometric) |
Implication for design:
- You can't ask a person to "compute an HMAC mentally" — so human auth needs hardware (smart card, OTP token, phone app) to do the crypto on their behalf.
- A common hybrid: Alice's password decrypts a keyfile on her computer, which then contains the real cryptographic key used for the protocol. This way she only needs to remember one short secret.
Or: the password loads a key from a key server (e.g. SSH agent forwarding, Hashicorp Vault, hardware-backed enclaves).
Tip: Passkeys/FIDO2 solve this elegantly — the phone/security key holds the private key and the user just touches a sensor or types a PIN. The user-facing secret is short; the cryptographic secret is full-strength.