Q

Is a digital watermark a legitimate authentication factor?

Identity management and access control expert Joel Dubin explores how reliable a digital watermark is when acting as an authentication factor.

What are digital watermarks, and are they legitimate authentication factors?
A digital watermark is a hidden seal that is embedded in a digital image, recording, document or even a Web page. It is created by making bit-level embedded code changes that are invisible to users, though some newer watermarking systems use cryptography that makes it easier to catch those who try to make an illegal copy of the protected material. It is meant to prove authenticity, but as I'll explain, a digital watermark is not necessarily a legitimate authentication factor.

An authentication factor is something used to prove someone's identity, such as a user ID and password, a one-time password (OTP) token or smart card. Biometric devices are another possibility; they measure a unique physical characteristic of a user, like their fingerprint, voice or face. The key difference is that an authentication factor is unique to the individual, while a digital watermark is unique to a piece of content. Also, an authentication factor is used for granting access, while a watermark is meant for tracking malicious use, like the illegal copying of copyrighted data.

On the surface, it might appear that a digital watermark embedded in an image in a Web site could be used to protect against phishing attacks. The hidden watermark could be used to identify a legitimate Web site, distinguishing it from a bogus phishing site used for stealing credentials.

But as with anything else on a Web page, the watermark -- especially if it is not encrypted -- could be lifted inadvertently by a clever phisher that builds a mirror image of a targeted Web site. Since the watermark identifies the site, not the user, it doesn't really identify anybody. So while digital watermarking can be an effective tool for protecting copyrighted digital media, it shouldn't be used for authenticating systems.
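The point above, that a watermark identifies the content and therefore verifies just as well on any copy of it, can be seen in a short added example (not part of the original article). The least-significant-bit scheme, the `MARK` value, the pixel buffer and all function names are constructed for illustration.

```python
# Added illustration: an unencrypted least-significant-bit (LSB) watermark.
# All names and data below are constructed; nothing here is a real product's scheme.

MARK = b"example-bank"  # constructed site identifier (assumption)

def embed(pixels: bytes, mark: bytes) -> bytes:
    """Write each bit of `mark` into the LSB of successive pixel bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in mark for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for watermark")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def extract(pixels: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the pixel LSBs."""
    if length * 8 > len(pixels):
        raise ValueError("image too small to hold a mark of that length")
    out = bytearray()
    for i in range(length):
        value = 0
        for p in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def has_mark(pixels: bytes, mark: bytes = MARK) -> bool:
    """The check a verifier would run: is the expected mark present?"""
    return len(pixels) >= len(mark) * 8 and extract(pixels, len(mark)) == mark

def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference, to show the mark is visually negligible."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed 16x16 grayscale "logo" (256 pixel bytes).
ORIGINAL = bytes((x * 7 + y * 13) % 256 for y in range(16) for x in range(16))
LEGIT_SITE_IMAGE = embed(ORIGINAL, MARK)
# A mirrored page serves the same bytes, so the mark comes along with them.
MIRROR_SITE_IMAGE = bytes(LEGIT_SITE_IMAGE)

if __name__ == "__main__":
    print("unmarked image passes:", has_mark(ORIGINAL))
    print("legitimate image passes:", has_mark(LEGIT_SITE_IMAGE))
    print("mirrored copy passes:", has_mark(MIRROR_SITE_IMAGE))
    print("max pixel change:", max_pixel_change(ORIGINAL, LEGIT_SITE_IMAGE))
```

The check returns the same result for the legitimate image and the copy, so it says nothing about which site served the image or who is viewing it.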

For more information:

  • To learn more about authentication, visit SearchSecurity.com's Identity and Access Management School.
  • In this SearchSecurity.com Q&A, Joel Dubin explores the differences of risk-based authentication vs. static authentication.

This was first published in April 2007.
