
Authentication II


Presentation Transcript


  1. Authentication II Going beyond passwords

  2. Agenda • Announcements • Biometrics • Physical devices • General authentication

  3. Biometrics • Biometrics is the comparison of live anatomical, physiological, or behavioral characteristics to the stored template of a person. • Physiological: • Fingerprint, hand or finger geometry • Patterns of retina, veins, irises, faces • Behavioral: • Signature • Voice • Keypresses • See http://www.biometrics.org/biomvendors.htm for lists of vendors

  4. Potential Advantages • Eliminates certain password problems – difficult to share, misplace, and forge • Convenient and potentially easy to use • no remembering • nothing physical to forget or misplace • Improve access speed

  5. Authentication • Identification vs. • Verification • Question: what’s the difference?

  6. Biometrics process • Enrollment • Acquisition • Creation of template • Storage of template • Use • Acquisition(s) • Comparison • Decision

  7. Performance metrics • FTE – Failure To Enroll • FTA – Failure To Accept • FAR – False Acceptance Rates • FRR – False Reject Rates • Common goal: FAR = FRR. Why?
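The FAR/FRR trade-off from slide 7, and the verification vs. identification distinction from slide 5, as an added Python example that is not part of the original slides. The score lists, the threshold grid and the independence assumption in the 1:N calculation are constructed for illustration.

```python
# Added illustration: FAR/FRR trade-off and the equal error rate (EER).
# All scores are constructed sample data, not measurements from a real device.
# Scores are similarity values in [0, 1]; higher means closer to the template.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.71, 0.83, 0.55, 0.90]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.58, 0.30, 0.66, 0.41, 0.19, 0.27]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Reject Rate: genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(step_percent=5):
    """Return (threshold, FAR, FRR) for thresholds 0.00 .. 1.00."""
    return [(p / 100, far(p / 100), frr(p / 100))
            for p in range(0, 101, step_percent)]


def equal_error_point(rows):
    """Operating point where FAR and FRR are closest (lowest threshold on ties)."""
    return min(rows, key=lambda r: (abs(r[1] - r[2]), r[0]))


def identification_false_match(far_single, n_templates):
    """Chance of at least one false match in a 1:N search.

    Assumes each comparison is independent with the same FAR (a simplification).
    """
    return 1 - (1 - far_single) ** n_templates


if __name__ == "__main__":
    for t, a, r in sweep(10):
        print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    t, a, r = equal_error_point(sweep())
    print(f"equal error point: threshold={t:.2f} FAR={a:.2f} FRR={r:.2f}")
    # Verification is one comparison; identification repeats it per template.
    for n in (1, 100, 10_000):
        p = identification_false_match(0.001, n)
        print(f"1:{n} search, per-comparison FAR 0.001 -> {p:.3f}")
```

Raising the threshold lowers FAR and raises FRR; the point where the two meet gives a single number for comparing systems, while a deployment picks its own threshold according to which error costs more.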

  8. Fingerprints • Traditionally used in law enforcement and border control for identification • Many uses • Walt Disney World • Payment systems – example: BioPay in North Carolina • Variety of cheap devices available

  9. Recognition • Current technology • Optical • Ultrasonic • Capacitance • Identify patterns • Loops, whorls • Or identify minutiae • Ridge endings, etc.

  10. Fingerprints • Advantages: • Long history of use • Unique and permanent • Variety of cheap technologies • Reasonable performance • Disadvantages: • Association with law enforcement • Quality of prints varies with race, age, environmental factors • Dirt & grime • Placement of finger can be important • Can be easy to circumvent

  11. Face recognition • Select facial features from images and compare • Variety of environments • Search for criminals in crowds (airports, large events) • Border control & passports • Casinos

  12. Face recognition • Advantages: • Universal • More acceptable? • Indoor and outdoor use reasonable • Easy to perform without awareness • Disadvantages: • Requires straight on, neutral expression • Photos can circumvent • Accuracy is still a problem

  13. Iris Recognition • Unique patterns in the iris – iris code • Currently lowest false accept rates • Can be used in variety of environments • BUT: Requires good image from cooperative user

  14. Voice Recognition • Speech input • Frequency • Duration • Cadence • Easy deployment • Microphones easy to install • Gathering voice can be done unobtrusively

  15. Voice recognition • Background and ambient noise is a huge problem • Templates are large compared to other biometrics • Longer enrollment time (training) • Recording may be an issue

  16. Keystroke biometrics • Keypress timings or pressure • Advantages: • Easily used in conjunction with computer-based passwords • Can be gathered automatically • Disadvantages: • Not very unique or permanent • Can listen to keyboard typing to determine • Can be used to infer password

  17. Other techniques • Hand geometry • Retinal scans • Signature • Hand veins • Odor • Gait • Ear • DNA

  18. General requirements • Universality • Distinctiveness • Permanence • Collectability • Performance • Acceptability • Circumvention • Question: What other usability requirements?

  19. Comparison

  20. Security Considerations • Biometrics are not secrets and are therefore susceptible to modified or spoofed measurements • There is no recourse for revoking a compromised identifier • Strategic Solutions • Liveness testing • Multi-biometrics

  21. Privacy Considerations • A reliable biometric system provides an irrefutable proof of identity • Threatens individuals' right to anonymity • Cultural or religious concerns • Violates civil liberties • Strategic Solutions • Biometric cryptosystems • Transparency

  22. Other issues • Exception handling • Time consuming enrollment • Sociological concerns • Cause personal harm or endangerment? • Cultural or religious opposition • Comparing systems in the real world • User training • Comfort with technology and methods • Experience of specific device

  23. Questions • Where would you like to see biometrics used? • In what situations would it be inappropriate? • How and when to offer user training?

  24. Physical devices • “What you have…” piece of the puzzle • Typical example: • ATM cards • Public transportation cards

  25. Technologies • Smart cards • USB • Cell phones • OTP tokens http://www.rsa.com/

  26. Comparisons • Advantages? • Disadvantages? • User issues: • Acquiring the device (expense, time) • Installing and connecting it properly • Loss or failure of device

  27. Usability study • Motivation: compare alternative forms of cryptographic smart cards • Question: which device is faster and easier to use in a mobile setting? • Method: • Within subjects user study with 3 devices • task adapted from Johnny Can’t Encrypt • Testing mobility by changing computers • Debriefing questionnaire for user impressions

  28. Results • USB tokens faster to use • USB token users made fewer errors • Smart card has poor feedback for inserting card • USB token means no separate installation – device already plugged in • Added value helps users care about them more

  29. Questions • Is it possible to have authorization without identification? • How would you increase acceptance of biometric systems? • Are there any current password systems that you would like to replace with a biometric or hardware scheme? Why? • How would you design a study to test the usability and utility of a laptop fingerprint reader?

  30. Let’s compare • Paypal: • Email (user id) + strong password, challenge questions + email for password recovery • Email + OTP, defaults to password if token lost • Email + fingerprint, defaults to password if reader unavailable

  31. Evaluation • Accessibility • Memorability • Depth of processing, retrieval, meaningfulness • Security • Predictability, abundance, disclosure, crackability, confidentiality • Cost • Environmental considerations • Range of users, frequency of use, type of access, etc.
