Did you know the US legal system makes a distinction between something you have and something you know?

If you lock a safe with a key, the authorities can obtain authorization to take the key (something you have) and open it. However, if you locked the safe using a combination (something you know), that information is protected under your Fifth Amendment right to avoid self-incrimination. What that means is that something you have, a key, can be taken and used against you, while something you know, a combination, can ultimately be compelled by a judge. Even then, you have rights -- and a decision -- to comply or not.

The concepts of something you have and something you know are core components of the three factors of authentication: something you know (passwords and PIN codes), something you have (tokens or devices), or something you are (a biometric of some sort).

Biometrics aren’t new. For the last two decades (maybe longer) biometrics have been held out as the answer to the “problems with passwords” and other authentication schemes. However, the introduction of TouchID on Apple iPhones and iPads makes the potential of biometrics as the basis for more “friendly” solutions possible.

Now the courts have weighed in on the third factor. And what a Virginia judge just ruled should cause you to rethink the value of passwords.

What happened and what the judge ruled

The police obtained a warrant for the cellphone (among other things) of a man indicted in an ongoing criminal case. Unable to access the device, the police asked the court to compel the man to unlock the device by fingerprint (biometric) or PIN code (sometimes called a password).

The full text of the judge’s ruling is here. Jeff Kosseff at the Inside Privacy blog distilled right to the heart of the decision:

“Because the government had obtained a lawfully executed search warrant, Baust could not challenge the government’s request on Fourth Amendment grounds. Instead, Baust argued that the request violates the Fifth Amendment, which provides that no person ‘shall be compelled in any criminal case to be a witness against himself.’ Courts have long held that this privilege protects a criminal defendant from being forced to provide the government with ‘evidence of a testimonial or communicative nature.’

Virginia Circuit Court Judge Steven C. Frucci rejected the government’s request to compel Baust to provide his passcode, holding that providing his passcode would be testimonial because it would force Baust to ‘disclose the contents of his own mind.’ This conclusion is in line with a 2010 ruling by a Michigan federal court that forcing the defendant to produce a passcode is ‘the extortion of information from the accused.’

But Judge Frucci allowed the government to compel Baust to provide his fingerprint. He concluded that the fingerprint, ‘like a key . . . does not require Defendant to communicate any knowledge at all.’”

Shaking your head?

I think the Judge got this right - especially in the light of how the courts have interpreted the 4th and 5th amendments.

Shawn Tuma, a data security lawyer at Scheef & Stone, LLP, agrees. “This case demonstrates how courts approach cases from different perspectives, based upon different principles of law.”

Tuma pointed out that if we view the ruling from a “data security and privacy law perspective, this case makes no sense because whether it is a passcode or biometric security restriction that is being used to access the device, the device and the data are still being accessed, so it is a distinction without a difference.”

Reminding us this is a criminal case, he explained that “From a criminal procedure and constitutional law perspective, the courts do recognize a difference between compelling a defendant to provide something he has, like a fingerprint or a key versus communicating something he knows, like a passcode. In this case, the court approached this from the latter view.”

The effect of this ruling, for now, is that neither a biometric nor “something you have” requires the communication of knowledge -- which is what is protected.

Considerations and possible implications

As this report made the rounds, I noticed a common confusion between the concept of authentication and the specific factors of authentication. I even read an account where the author conflated a biometric (something you are) with a PIN (something you know). The complaint was that the courts “just don’t understand.”

Therein lies the rub. A fingerprint is not the same as a PIN.

Does this ruling spell the end of biometrics as a viable option?

Probably not (nor should it).

It does, however, signal an opportunity to consider and discuss the factors of authentication when designing or selecting authentication systems.

In the meantime, consider the implications of the word: compel. With a password, you have a choice. With no current manner to extract something you know from your mind, you can choose to defy a court order to reveal what you know. It likely comes with a penalty, but that’s your choice.

This ruling puts an emphasis on implementation

That got me wondering how the ability to “take” and use my biometric to unlock my phone or other device would play out in terms of password managers and other information currently protected by the TouchID system.

I noticed that both the Apple and 1Password implementations still require passwords and PIN codes at defined and perhaps even random intervals. For example, when restarted, TouchID cannot be used until after the PIN code is entered (one of several events that trigger a PIN/Password requirement).

What happens when the system is protected by both a PIN/Password and a biometric -- when the system has locked out the biometric in favor of the PIN?

Tuma points out that “in this case the issue was raised about the possibility that the PIN could be required in addition to the biometric and this article says the judge did not compel the giving of the passcode so, if the biometric did not work, the phone would remain locked under the ruling.”

Passwords for the win?

Tuma suggests “courts are gaining a better understanding of more subtle data security and data privacy issues, I do not expect this case to be the final word on the subject and I suspect we will see more cases exploring the issues dealing with biometrics and this area of law will evolve.”

What is clear from this ruling is that while password bashing may be popular, it is prudent to stop. Instead, consider:

- The real problem with passwords? We only treat symptoms
- Before we abandon passwords, these 3 critical elements of authentication need to be fixed

Ultimately, this is an opportunity for us. We need to consider authentication as a system, including its expected and unexpected uses, and find a way to make it better.

Let me know what you think about the judge’s ruling and what, if any, impact this has on your actions and conversations around authentication. Leave a comment below or take it to Twitter (@catalyst).
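The implementation point above, that a biometric is only usable once the knowledge factor has been entered after a restart and that other events can push the device back to requiring the passcode, is what decides whether "something you are" alone can open a device. The following is an added example, not code from the original post, from Apple or from 1Password, that models that unlock policy as a small state machine: the fingerprint is refused until the passcode has been entered since the last boot, after too many failed fingerprint attempts, and after a time window since the last passcode unlock. The 48-hour window, the five-attempt limit, the function names and the byte-string "fingerprint template" are all assumptions constructed for the example, not Apple's published parameters.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Illustrative policy values (assumptions for this example, not Apple's parameters).
BIOMETRIC_WINDOW_SECONDS = 48 * 3600   # passcode required again after this long
MAX_BIOMETRIC_FAILURES = 5             # passcode required after this many misses


@dataclass
class DeviceState:
    """Lock state of one device (constructed for the example)."""
    booted_at: float                       # time of the last (re)boot
    salt: bytes
    passcode_hash: bytes                   # something you know, stored only as a hash
    fingerprint_template: bytes            # something you are; a stand-in for a real template
    last_passcode_unlock: Optional[float] = None
    biometric_failures: int = 0
    unlocked: bool = False


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stored passcode is never kept in the clear."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def new_device(passcode: str, fingerprint_template: bytes, booted_at: float) -> DeviceState:
    salt = os.urandom(16)
    return DeviceState(booted_at=booted_at, salt=salt,
                       passcode_hash=hash_passcode(passcode, salt),
                       fingerprint_template=fingerprint_template)


def biometric_unavailable_reason(state: DeviceState, now: float) -> Optional[str]:
    """Return why the fingerprint cannot be used right now, or None if it can."""
    # Rule 1: after a (re)boot the knowledge factor must be entered once first.
    if state.last_passcode_unlock is None or state.last_passcode_unlock < state.booted_at:
        return "passcode required after restart"
    # Rule 2: the biometric is only honoured for a window after the last passcode entry.
    if now - state.last_passcode_unlock > BIOMETRIC_WINDOW_SECONDS:
        return "passcode required: biometric window expired"
    # Rule 3: repeated biometric failures fall back to the knowledge factor.
    if state.biometric_failures >= MAX_BIOMETRIC_FAILURES:
        return "passcode required: too many failed biometric attempts"
    return None


def unlock_with_passcode(state: DeviceState, passcode: str, now: float) -> bool:
    """Knowledge-factor unlock; success re-enables the biometric path."""
    if hmac.compare_digest(hash_passcode(passcode, state.salt), state.passcode_hash):
        state.unlocked = True
        state.last_passcode_unlock = now
        state.biometric_failures = 0
        return True
    return False


def unlock_with_fingerprint(state: DeviceState, template: bytes, now: float) -> str:
    """Biometric unlock; returns 'unlocked' or the reason it was refused."""
    reason = biometric_unavailable_reason(state, now)
    if reason is not None:
        return reason
    # Constant-time comparison stands in for a real template matcher.
    if hmac.compare_digest(template, state.fingerprint_template):
        state.unlocked = True
        return "unlocked"
    state.biometric_failures += 1
    return "fingerprint not recognised"


def restart(state: DeviceState, now: float) -> None:
    """A reboot locks the device and invalidates any earlier passcode entry."""
    state.booted_at = now
    state.unlocked = False


if __name__ == "__main__":
    device = new_device("2468", b"FP-constructed", booted_at=0.0)
    print(unlock_with_fingerprint(device, b"FP-constructed", 1.0))   # refused: restart
    print(unlock_with_passcode(device, "2468", 2.0))                  # True
    print(unlock_with_fingerprint(device, b"FP-constructed", 3.0))   # unlocked
```

The design choice worth noticing is that every path back to the biometric runs through `unlock_with_passcode`: a restart, an expired window or a run of failed matches all leave the device in a state where only the knowledge factor opens it, which is exactly the situation Tuma describes where "if the biometric did not work, the phone would remain locked under the ruling."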