On my way home from Bejing on Friday, I had to change planes in Tokyo. And since I was changing airlines from JAL to American, I also had to change terminals. This involves taking a bus from Terminal 2 (where JAL arrives) to Terminal 1 (where American departs).

The Japanese take their security pretty seriously. You get screened (X-ray and metal detector) both on leaving the first terminal and entering the second terminal. This seemed a bit excessive unless they were afraid I was going to hijack the bus using the metal knife that JAL gave me to butter my breakfast roll.

What amazed me, however, was how you could authenticate yourself to be allowed on the bus to the other terminal in one of two ways.

The first way was by showing your Passport and boarding pass for a flight departing Terminal 1, just as if you were entering from the outside world. This seemed not unreasonable and would also prevent anyone from accidentally getting on the bus if they weren’t supposed to.

The other way was with a “connecting bus ticket to terminal 1.” As you can (barely) see:

this is just a photocopied slip of paper and all I had to do was walk up to the JAL employee standing in front of a list of flights leaving Terminal 1, point at one of them, and was handed this slip of paper.

Once I had my “bus ticket”, I was exempt from producing my boarding pass and passport to prove I should be allowed at Terminal 1.

So what I would love to know is what the goal of this process was? If it was simply to make sure that people didn’t get on the bus to Terminal 1 by accident, then why did people need to show their passports along with their boarding pass? If it was to re-authenticate that only people who were supposed to be going to Terminal 1 did, then why was I allowed on the bus with my completely unauthenticated Bus Ticket?

There is obviously a significant discrepancy between the “quality” of the two forms of Identity, yet they were used interchangably. People who didn’t get a Bus Ticket were pretty strongly authenticated–they had to prove both that they had a need to get to Terminal 1 (their boarding pass) as well as demonstrate that they were the owner of that boarding pass. People with a Bus Ticket, however, were effectively not authenticated at all.

How many security systems can you think of with similar design flaws? Do they require too much authentication in some cases or allow unauthenticated users to be treated as authenticated in others?

Lastly, why does it seem to be so hard to do this stuff right?