People are sometimes surprised that Duke Unique ID numbers (DUIDs) and Duke NetIDs are
public information, but this is usually because they are confused about the
difference between identification and authentication.

Identification is the process of representing a person. Identifiers are,
therefore, comparable to names. Ideally, a name should be widely known
in order to be most useful. The NetID value (not the NetID password) and the Duke
Unique ID are no more than unique electronic names.

Authentication is the process of verifying that a person claiming an
identity is who they say they are. Authentication is typically based
on something you know (e.g., a password), something you have (e.g.,
a badge or driver's license) or something you are (e.g., biometrics).
The NetID password is an authenticator for the NetID value. The DUID
has no corresponding authenticator and is used solely for identification.

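The following Python model, added here as an illustration and not part of the original text or of any Duke system, separates the two concepts the paragraph describes: a public directory that maps a DUID to a person (identification), a separate authenticator store that holds a salted password hash for the NetID only (authentication), and an authorization check that grants access solely to an authenticated principal. All DUIDs, NetIDs, names and the password are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: identifiers only, treated as public information.
# These DUIDs, NetIDs and names are made up for the example.
DIRECTORY = {
    "0000001": {"netid": "jdoe", "name": "Jane Doe"},
    "0000002": {"netid": "rroe", "name": "Richard Roe"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed authenticator store, keyed by NetID. Only the NetID has an
# authenticator; a DUID never appears here because it has nothing to verify.
_SALT_JDOE = os.urandom(16)
AUTHENTICATORS = {
    "jdoe": (_SALT_JDOE, _hash_password("correct horse battery", _SALT_JDOE)),
}


@dataclass(frozen=True)
class Principal:
    """An identity that has been verified, i.e. the result of authentication."""
    netid: str


def identify(duid: str) -> Optional[dict]:
    """Identification: map a DUID to the person it names. Public lookup, no secret needed."""
    return DIRECTORY.get(duid)


def authenticate(netid: str, password: str) -> Optional[Principal]:
    """Authentication: verify the password that belongs to the claimed NetID."""
    record = AUTHENTICATORS.get(netid)
    if record is None:
        # Unknown NetID (or a DUID passed where a NetID was expected): nothing to verify.
        return None
    salt, expected = record
    # Constant-time comparison so verification leaks nothing through timing.
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return Principal(netid)
    return None


def can_access(principal: Optional[Principal], owner_netid: str) -> bool:
    """Authorization: only an authenticated principal may reach their own data."""
    return principal is not None and principal.netid == owner_netid


def request_with_duid_only(duid: str) -> bool:
    """What knowing a DUID alone achieves: the person is identified, but nothing is granted."""
    record = identify(duid)
    if record is None:
        return False
    # Identification produced a name, not a Principal, so authorization must refuse.
    return can_access(None, record["netid"])
```

Note that `authenticate` returns the same result for an unknown NetID and for a wrong password, and that passing a DUID as the NetID simply finds no authenticator: the DUID names a person but can never prove one.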
The DUID was created in the mid-1990s in order to address the problems
that Duke saw with Social Security Numbers. The SSN was created by
Congress and intended to be an identifier only. However, in the 1990s,
many companies began using knowledge of the SSN as an authenticator,
assuming that only you would know your SSN. Unfortunately, the qualities
of an identifier (publicly known, not changeable, etc.) make for a poor
authenticator, leading to the identity theft problem observed today.

The DUID was created as a proxy for the SSN in its identifier role.
The number was created to be a publicly known value, and this has been reinforced over the
past decade. Authenticating with the DUID (i.e., treating knowledge
of the DUID as proof of identity) has been stopped wherever it has been
discovered. Therefore, knowing someone's DUID should not grant you any
access to their services or other information.

Likewise, the NetID value (not the password) is an identifier. You claim
to be the person issued your NetID and you prove it with the password.
Hiding the NetID value would provide no increase in security. It is
possible to enumerate all values of the NetID independently of the
password. This means that if the expected time required to find a valid
NetID is E[ID] and the expected time required to find a valid password
is E[Password], then the time to find a valid combination is the sum,
E[ID] + E[Password], not the product of the two times.
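The following derivation is added here to make the sum-versus-product claim concrete; it is not part of the original text, and the symbols $N$, $M$ and the uniform-search assumption are introduced for the illustration, using the text's $E[\mathrm{ID}]$ and $E[\mathrm{Password}]$.

Let $N$ be the number of possible NetID values and $M$ the number of possible passwords, and assume the valid value is uniformly placed within each space and searched sequentially. Then

$$
E[\mathrm{ID}] = \frac{N+1}{2}, \qquad E[\mathrm{Password}] = \frac{M+1}{2}.
$$

If a NetID can be confirmed on its own (the value is public, so its existence can be checked independently of any password), the two searches are separable: find a valid NetID first, then search passwords for that one NetID, giving

$$
T_{\text{independent}} = E[\mathrm{ID}] + E[\mathrm{Password}] = \frac{N+1}{2} + \frac{M+1}{2}.
$$

If, hypothetically, a NetID could only be confirmed together with its password, every guess would have to be a (NetID, password) pair drawn from $N \cdot M$ possibilities, giving

$$
T_{\text{joint}} = \frac{NM + 1}{2},
$$

which grows as the product of the two space sizes rather than their sum. Since NetIDs are enumerable on their own regardless of whether the value is printed on a directory page, the independent case already holds, so concealing the value cannot move the cost from $T_{\text{independent}}$ toward $T_{\text{joint}}$; the entire margin comes from $E[\mathrm{Password}]$, that is, from the size of the password space and the rate at which guesses can be checked.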