Authentication Mechanisms
1) Token-based
   • Magnetic cards, smartcards, …
2) Biometrics
   • Fingerprints, iris recognition, face recognition …
3) Knowledge-based
   • Passwords, PIN, questions, …
These may be combined in an authentication procedure.
Token-based authentication
• Pros
   • Lower memory load
• Cons
   • Higher cost
   • Can be lost or stolen
   • Will users remember token? Best if combined with access card or similar
   • Multiple tokens become a burden
• Often combined with password or PIN (token replaces user_id only)
Security token
• Identify legitimate users through possession of token
• Can be lost, stolen, passed on
   • Security risk
• High cost
• Usually employed as part of a 2-step procedure, combined with
   • PIN or password
   • Biometrics
2-Factor Token Authentication
• Time-based (e.g. SecurID)
   • User_id
   • Passphrase + timecode
• Pros
   • Remote access
• Cons
   • Infrequent users forget syntax
Example: SecurID
• 3-step authentication
   • Username
   • Password
   • Timecode
• Not cheap
• Widely used in financial industry
http://www.rsasecurity.com/
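The timecode step above, worked through as an added example that is not from the slides and is not RSA's proprietary SecurID algorithm: it assumes an RFC 6238-style code (HMAC-SHA1 over a 30-second time step) on both the token and the server, a constructed demo seed, and a small in-memory record of redeemed steps so that a code cannot be replayed.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per timecode
DIGITS = 6
SKEW = 1       # accept one step either side to tolerate clock drift between token and server

# Constructed demo seed; a real token's seed is provisioned secretly per device.
SEED = b"constructed-demo-seed-0123456789"

# Per-user record of time steps already redeemed (constructed in-memory store).
REDEEMED = {}


def timecode(seed: bytes, unix_time: int) -> str:
    """Token side: HMAC-SHA1 over the current time step, dynamically truncated to DIGITS."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_timecode(user_id: str, seed: bytes, submitted: str, now: int) -> bool:
    """Server side: accept the code for the current step or its SKEW neighbours, once only."""
    for delta in range(-SKEW, SKEW + 1):
        step = now // STEP + delta
        expected = timecode(seed, step * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            used = REDEEMED.setdefault(user_id, set())
            if step in used:
                return False   # replay of a code that was already accepted
            used.add(step)
            return True
    return False
```

The passphrase check of the 3-step procedure is separate from the timecode and is not shown here.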
USB security tokens
• Can be used to access
   • Many devices
   • Range of different devices
• Also available with fingerprint reader!
Smart tokens
• Becoming more popular in IT
   • Login
   • Screen lock
• Can support mobility, e.g. carry session information
Smart card applications
• Example: Torinofacile http://www.torinofacile.it/
   • Smart cards issued to citizens for payment of local tax, and access to information and services
   • Key problem: not many home PCs have smart card readers
   • Digital certificates for access
Observations
• Highest uptake by young, male, well-educated
• Key benefit: access and payment out of office hours
• High cost of user support (help desk, enquiry line) during start-up phase
Biometric authentication
• Use physical or behavioural characteristic to identify or authenticate individual
• Involves constructing a biometric template of the characteristic, and matching the characteristic against it
• Has been promoted as providing “universal access”
Physical biometrics
• Fingerprint
• Hand geometry
• Iris
• Retina
• Face recognition
Behavioural biometrics
• Voice print
• Dynamic Signature Recognition (DSR)
• Typing pattern
• Gait recognition
FAR vs. FRR
• False acceptance rate (FAR) – accepting user who is not registered, or mistaking one registered user for another
• False rejection rate (FRR) – rejecting registered user
• High FRRs reduce usability
• High FARs reduce security
• Customer-based applications tend to raise FAR
• Large database of templates makes it difficult to find acceptable FAR/FRR balance
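The FAR/FRR trade-off above, and the effect of a large template database, worked through on constructed match scores as an added example (not from the slides): sweeping the acceptance threshold shows FAR falling as FRR rises, finds the equal-error point, picks the threshold for a given FAR requirement, and computes how a single-comparison FAR grows when an impostor is matched against N templates.

```python
# Constructed match scores on a 0..100 scale (higher = closer to the template); not real biometric data.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 55, 48]    # registered users against their own template
IMPOSTOR = [62, 57, 52, 49, 45, 42, 40, 37, 30, 22]   # other people against that template


def far(impostor, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine, impostor, thresholds):
    """FAR and FRR at each candidate threshold: raising it trades false accepts for false rejects."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest (the equal-error operating point)."""
    return min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def threshold_for_max_far(genuine, impostor, thresholds, max_far):
    """Lowest threshold meeting a security requirement on FAR, with the FRR (usability cost) it implies."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None


def identification_far(single_far, n_templates):
    """Probability that an impostor matches at least one of n templates in a one-to-many search."""
    return 1 - (1 - single_far) ** n_templates
```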
Biometric applications
• Public vs. commercial vs. private
• Often seen as high security applications, but most successful applications are likely to be in
   • Convenience
   • Business process improvement
Fingerprint
• Applications
   • Authentication (ID cards, login)
   • Access control (doors etc.)
• Usability issues
   • High non-enrolment and FRR rates (up to 5%)
      • Manual workers & older people in particular
   • Resolution not good enough for many female Asian users
   • Smearing of glass plate (outside use virtually impossible)
   • Seen as “non-hygienic” by many users: self-cleaning equipment being developed
Hand geometry
• Applications
   • Authentication (e.g. Disney Season Tickets)
   • Access control
• Usability
   • Easier to position hand than fingers (guides)
   • Less susceptible to small injuries
   • Hygiene again an issue
Iris recognition
• Applications
   • Authentication (border control in airports for frequent travellers)
• Usability issues
   • Better enrolment and recognition rates than fingerprint
   • Enrolment and recognition problems with some hard contact lenses, drooping eyelids
   • Can be used “standing up”, but adjusting for users of different heights can be difficult
Face recognition
• Applications
   • Authentication (e.g. passport)
   • Identification (e.g. people who are wanted, in airports, crowds)
• Usability
   • Sensitive to change in lighting conditions, movement in background, changes in make-up and hair
   • High rate of “false alarms”
Voice recognition
• Applications
   • Speaker recognition (not speech recognition) on a set of pre-stored phrases
   • Popular for telephony-based interactions (home banking and insurance)
   • Used by some companies as “lie detector” (insurance claims)
• Usability issues
   • Speaker training
   • Voice changes – colds etc.
   • Background noise
Dynamic Signature Recognition
• Pro
   • Legally recognised as “Declaration of Will”
   • Natural interaction for most users
• Applications
   • Electronic documents with signature: contracts, mortgage agreements
   • Anything that needs signing
• Usability issues
Biometrics on smartcard
• User carries template on card
• Match biometrics against card
Usability and acceptance
• Key benefits biometrics can bring
   • Potential for reducing (mental) load of security
   • Improved security for individuals and organisations
   • Split perception in terms of benefits for society
• Key issues
   • Split perception in terms of perceived risks
Reducing load on users
• Reduction of physical and/or mental load of security is key benefit
• Can only be achieved if biometrics is
   • Properly engineered
   • Robust
   • Easy to install
   • Performance in day-to-day use
   • Integrated into the work process
End-user acceptance
• Key: cost/benefit assessment
• Benefits for individuals and organisations in daily use
• Split view of benefits for society
   • Increased security for all
   • Only for convenience of government agencies
• Split on perceived risks
   • For individual (economic, medical, privacy, self-determination)
   • For society (surveillance, shift of power/control)
Are biometrics the future of authentication?
• Biometrics has huge potential, but requires
   • Careful analysis of users’ tasks and context of use
   • Careful selection & testing of technology, setting of acceptance/rejection thresholds; performance requirements in daily use must be met
   • Best for regular users and applications
   • Systems must be robust, with contingency procedures for dealing with rejection
Knowledge-based authentication
• Key assumption: password exists in two places only
   • System (encrypted) – password should not exist in clear text anywhere.
   • User’s head – password should never be written down or disclosed.
Password Authentication
• Usually 2-step procedure:
   • Identification
   • Verification
Username: uclcsmas
Password: ************
Attacks on password systems
• 3 types of attacks
   • Cracking attacks
   • Guessing attacks
   • Shoulder-surfing attacks
• Most password policies aim at preventing cracking attacks
• Individual users often more concerned with guessing and surfing attacks
Rules governing password construction
• Password policies
• State how the password mechanism is implemented
   • Password length
   • Password content
   • Frequency of change
   • Number of login attempts
   • Re-setting
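A minimal password mechanism that follows the knowledge-based rules above (the system never holds the clear-text password; length and content rules; a limit on login attempts), written as an added example that is not from the slides. It assumes a constructed in-memory user store, PBKDF2-HMAC-SHA256 as the slow hash that makes cracking a stolen store expensive, and a per-user salt.

```python
import hashlib
import hmac
import os

USERS = {}              # constructed in-memory store: user_id -> {salt, hash, failures}
ITERATIONS = 600_000    # PBKDF2 work factor: each guess against a stolen store costs this much
MIN_LENGTH = 12
MAX_ATTEMPTS = 5


def policy_ok(password: str) -> bool:
    """Length and content rules: long enough, and not purely alphabetic."""
    return len(password) >= MIN_LENGTH and not password.isalpha()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(user_id: str, password: str) -> bool:
    """Store only salt and hash; the clear-text password is discarded after hashing."""
    if not policy_ok(password):
        return False
    salt = os.urandom(16)   # per-user salt defeats precomputed hash tables
    USERS[user_id] = {"salt": salt, "hash": hash_password(password, salt), "failures": 0}
    return True


def login(user_id: str, password: str) -> str:
    """Returns 'ok', 'bad_credentials' or 'locked'; unknown users get the same answer as wrong passwords."""
    record = USERS.get(user_id)
    if record is None:
        hash_password(password, b"\x00" * 16)   # spend the same time so unknown user_ids are not distinguishable
        return "bad_credentials"
    if record["failures"] >= MAX_ATTEMPTS:
        return "locked"
    if hmac.compare_digest(record["hash"], hash_password(password, record["salt"])):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1   # number-of-attempts rule from the policy slide
    return "locked" if record["failures"] >= MAX_ATTEMPTS else "bad_credentials"
```

The "re-setting" and "frequency of change" rules are administrative steps outside this snippet.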
Human Memory
(1) Limited capacity of working memory
(2) Items stored in memory decay over time
(3) Frequent/regular recall improves memorability of items (automaticity)
(4) Unaided recall is harder than cued recall
(5) Non-meaningful items are harder to recall than meaningful ones
(6) Similar items compete and are easily confused
(7) Items linger in memory – humans cannot “forget on demand”
Computer Passwords
• Unaided recall
• Strong passwords = non-meaningful items
• Recall has to be 100% correct
• No feedback on failure
Additional Factors
• Proliferation of systems leads to large number of passwords and PINs
• Many of these need to be changed frequently (password policies)
• Many similar items competing
Resulting Problems
• Infrequently used passwords are easily forgotten (with frequent use, automaticity protects)
• Recently changed passwords are forgotten or confused
• Similar passwords on similar systems are easily confused
Password usage & problems
• Forgetting is the biggest problem (56%), especially for lightly used (1 per month) passwords