Authentication II Going beyond passwords
Agenda • Announcements • Biometrics • Physical devices • General authentication
Biometrics • Biometrics is the comparison of live anatomical, physiological, or behavioral characteristics to the stored template of a person. • Physiological: • Fingerprint, hand or finger geometry • Patterns of retina, veins, irises, faces • Behavioral: • Signature • Voice • Keypresses See http://www.biometrics.org/biomvendors.htm for lists of vendors
Potential Advantages • Eliminates certain password problems – difficult to share, misplace, and forge • Convenient and potentially easy to use • no remembering • nothing physical to forget or misplace • Improve access speed
Authentication • Identification vs. • Verification • Question: what’s the difference?
Biometrics process • Enrollment • Acquisition • Creation of template • Storage of template • Use • Acquisition(s) • Comparison • Decision
Performance metrics • FTE – Failure To Enroll • FTA – Failure To Accept • FAR – False Acceptance Rates • FRR – False Reject Rates • Common goal: FAR = FRR. Why?
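Added example (not from the slides): how FAR and FRR move in opposite directions as the decision threshold changes, and why the crossover point (the equal error rate) is the usual single-number summary. The match scores are constructed, not from a real device.

```python
"""FAR, FRR and the equal-error-rate threshold on constructed match scores.

Scores are similarity values (higher = more alike); the system accepts a
sample when score >= threshold.
"""

# Constructed sample scores: genuine attempts compare a user against their own
# template, impostor attempts compare a user against someone else's template.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.62, 0.58, 0.51]
IMPOSTOR = [0.64, 0.55, 0.49, 0.47, 0.42, 0.38, 0.33, 0.29, 0.21, 0.15]


def far(impostor, threshold):
    """False Acceptance Rate: fraction of impostor attempts that are accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False Reject Rate: fraction of genuine attempts that are rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(genuine, impostor, steps=100):
    """(threshold, FAR, FRR) at evenly spaced thresholds between 0 and 1."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps))
            for i in range(steps + 1)]


def equal_error_rate(genuine, impostor, steps=100):
    """Threshold where FAR and FRR are closest, plus the rate there (the EER).

    Raising the threshold lowers FAR (fewer impostors slip through) but raises
    FRR (more legitimate users are turned away); the crossover is where the
    two error types are balanced, which is why FAR = FRR is the common goal.
    """
    best = min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))
    return best[0], (best[1] + best[2]) / 2


if __name__ == "__main__":
    for t in (0.5, 0.56, 0.7):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR, t):.2f} FRR={frr(GENUINE, t):.2f}")
    print("EER threshold, rate:", equal_error_rate(GENUINE, IMPOSTOR))
```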
Fingerprints • Traditionally used in law enforcement and border control for identification • Many uses • Walt Disney World • Payment systems – example: BioPay in North Carolina • Variety of cheap devices available
Recognition • Current technology • Optical • Ultrasonic • Capacitance • Identify patterns • Loops, whorls • Or identify minutiae • Ridge endings, etc.
Fingerprints • Advantages: • Long history of use • Unique and permanent • Variety of cheap technologies • Reasonable performance • Disadvantages: • Association with law enforcement • Quality of prints varies with race, age, environmental factors • Dirt & grime • Placement of finger can be important • Can be easy to circumvent
Face recognition • Select facial features from images and compare • Variety of environments • Search for criminals in crowds (airports, large events) • Border control & passports • Casinos
Face recognition • Advantages: • Universal • More acceptable? • Indoor and outdoor use reasonable • Easy to perform without awareness • Disadvantages: • Requires straight-on, neutral expression • Photos can circumvent • Accuracy is still a problem
Iris Recognition • Unique patterns in the iris – iris code • Currently lowest false accept rates • Can be used in a variety of environments • BUT requires a good image from a cooperative user
Voice Recognition • Speech input • Frequency • Duration • Cadence • Easy deployment • Microphones easy to install • Gathering voice can be done unobtrusively
Voice recognition • Background and ambient noise is a huge problem • Templates are large compared to other biometrics • Longer enrollment time (training) • Recording may be an issue
Keystroke biometrics • Keypress timings or pressure • Advantages: • Easily used in conjunction with computer-based passwords • Can be gathered automatically • Disadvantages: • Not very unique or permanent • Keyboard typing can be listened to, and the recovered timings used to infer the password
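Added example (not from the slides) walking the enrollment and use steps of the biometrics process slide (acquisition, template creation, comparison, decision) with keystroke timings as the biometric. All timings are constructed; the template format and distance measure are this example's own choices, not a standard.

```python
"""Enrollment -> template -> comparison -> decision, using keystroke timings."""
from statistics import mean, pstdev

# Enrollment acquisitions: the same passphrase typed four times by the user.
# Each sample is the list of inter-key intervals in milliseconds (constructed).
ENROLL_SAMPLES = [
    [120, 95, 210, 140, 88, 175],
    [125, 90, 205, 150, 92, 170],
    [118, 99, 215, 138, 85, 180],
    [130, 93, 200, 145, 90, 172],
]


def make_template(samples):
    """Creation of template: per-interval mean and spread over enrollments.

    The spread is floored at 1 ms so a perfectly consistent interval cannot
    divide by zero (or make the comparison absurdly strict) later on."""
    columns = list(zip(*samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]


def compare(template, sample):
    """Comparison: mean absolute deviation in units of the enrolled spread.
    Lower means the new acquisition looks more like the enrolled user."""
    return mean(abs(x - m) / sd for (m, sd), x in zip(template, sample))


def decide(template, sample, threshold=2.0):
    """Decision: accept when the distance is within the threshold.
    Moving the threshold trades FAR against FRR exactly as for any biometric."""
    return compare(template, sample) <= threshold


# Use phase: one genuine and one impostor acquisition (both constructed).
GENUINE_ATTEMPT = [122, 94, 208, 142, 89, 176]
IMPOSTOR_ATTEMPT = [160, 130, 260, 180, 120, 220]

if __name__ == "__main__":
    tmpl = make_template(ENROLL_SAMPLES)
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{label}: distance={compare(tmpl, attempt):.2f} accept={decide(tmpl, attempt)}")
```

Because the template is just a handful of timing statistics, a second typist with a similar rhythm scores close to the enrolled user, which is the "not very unique" disadvantage on the slide.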
Other techniques • Hand geometry • Retinal scans • Signature • Hand veins • Odor • Gait • Ear • DNA
General requirements • Universality • Distinctiveness • Permanence • Collectability • Performance • Acceptability • Circumvention • Question: What other usability requirements?
Security Considerations • Biometrics are not secrets and are therefore susceptible to modified or spoofed measurements • There is no recourse for revoking a compromised identifier • Strategic Solutions • Liveness testing • Multi-biometrics
Privacy Considerations • A reliable biometric system provides an irrefutable proof of identity • Threatens individuals' right to anonymity • Cultural or religious concerns • Violates civil liberties • Strategic Solutions • Biometric cryptosystems • Transparency
Other issues • Exception handling • Time consuming enrollment • Sociological concerns • Cause personal harm or endangerment? • Cultural or religious opposition • Comparing systems in the real world • User training • Comfort with technology and methods • Experience of specific device
Questions • Where would you like to see biometrics used? • In what situations would it be inappropriate? • How and when to offer user training?
Physical devices • “What you have…” piece of the puzzle • Typical example: • ATM cards • Public transportation cards
Technologies • Smart cards • USB • Cell phones • OTP tokens http://www.rsa.com/
Comparisons • Advantages? • Disadvantages? • User issues: • Acquiring the device (expense, time) • Installing and connecting it properly • Loss or failure of device
Usability study • Motivation: compare alternative forms of cryptographic smart cards • Question: which device is faster and easier to use in a mobile setting? • Method: • Within subjects user study with 3 devices • task adapted from Johnny Can’t Encrypt • Testing mobility by changing computers • Debriefing questionnaire for user impressions
Results • USB tokens faster to use • USB token users made fewer errors • Smart card has poor feedback for inserting card • USB token means no separate installation – device already plugged in • Added value helps users care about them more
Questions • Is it possible to have authorization without identification? • How would you increase acceptance of biometric systems? • Are there any current password systems that you would like to replace with a biometric or hardware scheme? Why? • How would you design a study to test the usability and utility of a laptop fingerprint reader?
Let’s compare • Paypal: • Email (user id) + strong password, challenge questions + email for password recovery • Email + OTP, defaults to password if token lost • Email + fingerprint, defaults to password if reader unavailable
Evaluation • Accessibility • Memorability • Depth of processing, retrieval, meaningfulness • Security • Predictability, abundance, disclosure, crackability, confidentiality • Cost • Environmental considerations • Range of users, frequency of use, type of access, etc.