Authentication Mechanisms. 1) Token-based –Magnetic cards, smartcards, … 2) Biometrics...
Authentication Mechanisms
1) Token-based – Magnetic cards, smartcards, …
2) Biometrics – Fingerprints, iris recognition, face recognition …
3) Knowledge-based – Passwords, PIN, questions, …
These may be combined in an authentication procedure.
Token-based authentication
• Pros
– Lower memory load
• Cons
– Higher cost
– Can be lost or stolen
– Will users remember token? Best if combined with access card or similar
– Multiple tokens become a burden
– Often combined with password or PIN (replaces user_id only)
Security token
• Identify legitimate users through possession of token
• Can be lost, stolen, passed on
– Security risk
– High cost
• Usually employed as part of a 2-step procedure, combined with PIN, password or biometrics
2-Factor Token Authentication
• Time-based (e.g. SecurID)
1. User_id
2. Passphrase + timecode
• Pros
– Remote access
• Cons
– Infrequent users forget syntax
Example: SecurID
• 3-step authentication
– Username
– Password
– Timecode
• Not cheap
• Widely used in financial industry
• http://www.rsasecurity.com/
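The three-part check above (user_id, passphrase, timecode), as an added illustration that is not from the slides and not RSA's proprietary SecurID algorithm: the timecode is derived with the standard TOTP construction (HMAC over a time-step counter), the user table, passphrase and seed are constructed, and the verifier tolerates one step of clock drift.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # constructed choice: the displayed timecode changes once per minute
DIGITS = 6

# Constructed user table: per-user passphrase and the seed shared with that user's token.
# A real system stores the passphrase as a salted hash rather than in clear text.
USERS = {"uclcsmas": {"passphrase": "correct-horse", "seed": b"constructed-token-seed-01"}}

def timecode(seed: bytes, unix_time: int) -> str:
    """Code for the time step containing unix_time: HMAC-SHA1 over the step counter,
    dynamically truncated to DIGITS decimal digits (the TOTP / RFC 6238 construction)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_login(user_id: str, passphrase_and_code: str, now: int, drift_steps: int = 1) -> bool:
    """Check all three elements: a known user_id, the correct passphrase, and a timecode
    matching the current step or one step either side (token/server clock drift)."""
    rec = USERS.get(user_id)
    if rec is None or len(passphrase_and_code) <= DIGITS:
        return False
    passphrase, code = passphrase_and_code[:-DIGITS], passphrase_and_code[-DIGITS:]
    if not hmac.compare_digest(passphrase, rec["passphrase"]):
        return False
    return any(hmac.compare_digest(code, timecode(rec["seed"], now + k * STEP_SECONDS))
               for k in range(-drift_steps, drift_steps + 1))
```

A production verifier also remembers codes already accepted in the current window so that a code captured in transit cannot be reused before it expires.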
USB security tokens
• Can be used to access
– Many devices
– Range of different devices
– Also available with fingerprint reader!
Smart tokens
• Becoming more popular in IT
– Login
– Screen lock
• Can support mobility e.g. carry session information
Smart card applications
• Example: Torinofacile http://www.torinofacile.it/
• Smart cards issued to citizens for payment of local tax, and access to information and services
• Key problem: not many home PCs have smart card readers – digital certificates used for access instead
Observations
• Highest uptake by young, male, well-educated
– Key benefit: access and payment out of office hours
• High cost of user support (help desk, enquiry line) during start-up phase
Biometrics
Biometric authentication
• Use physical or behavioural characteristic to identify or authenticate individual
• Involves constructing a biometric template of the characteristic, and matching the characteristic against it
• Has been promoted as providing “universal access”
Physical biometrics
• Fingerprint
• Hand geometry
• Iris
• Retina
• Face recognition
Behavioural biometrics
• Voice print
• Dynamic Signature Recognition (DSR)
• Typing pattern
• Gait recognition
FAR vs. FRR
• False acceptance rate (FAR) – accepting user who is not registered, or mistaking one registered user for another
• False rejection rate (FRR) – rejecting registered user
• High FRRs reduce usability
• High FARs reduce security
– Customer-based applications tend to raise FAR
• Large database of templates makes it difficult to find acceptable FAR/FRR balance
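The FAR/FRR trade-off above, worked through as an added example (not from the slides): a single acceptance threshold is swept over constructed genuine and impostor match scores, and the last function shows why a large template database is hard to balance, since a one-to-many search multiplies the chance of a false acceptance.

```python
from typing import Sequence

# Constructed matcher scores on a 0..100 similarity scale. A "genuine" attempt is a
# registered user matched against their own template; an "impostor" attempt is any
# other person matched against that template.
GENUINE = [88, 91, 73, 95, 67, 84, 79, 90, 62, 86]
IMPOSTOR = [12, 45, 30, 66, 22, 58, 70, 35, 41, 28]

def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> tuple[float, float]:
    """A presentation is accepted when its score >= threshold.
    FAR = accepted impostor attempts / all impostor attempts (security failures).
    FRR = rejected genuine attempts / all genuine attempts (usability failures)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(genuine, impostor, thresholds) -> list[tuple[float, float, float]]:
    """(threshold, FAR, FRR) per candidate: raising the threshold lowers FAR and raises FRR."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]

def equal_error_threshold(genuine, impostor, thresholds) -> float:
    """Threshold at which FAR and FRR are closest; a common starting operating point."""
    return min(thresholds, key=lambda t: abs(far_frr(genuine, impostor, t)[0]
                                             - far_frr(genuine, impostor, t)[1]))

def identification_far(verification_far: float, enrolled: int) -> float:
    """One-to-many search against N templates: the chance that at least one of the N
    comparisons falsely accepts is 1 - (1 - FAR)^N, so a per-comparison FAR that is
    acceptable for verification becomes unacceptable in a large database."""
    return 1 - (1 - verification_far) ** enrolled
```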
Biometric applications
• Public vs. commercial vs. private
• Often seen as high security applications, but most successful applications are likely to be in
– Convenience
– Business process improvement
Fingerprint
• Applications
– Authentication (ID cards, login)
– Access control (doors etc.)
• Usability issues
– High non-enrolment and FRR rates (up to 5%)
• Manual workers & older people in particular
• Resolution not good enough for many female Asian users
• Smearing of glass plate (outside use virtually impossible)
– Seen as “non-hygienic” by many users: self-cleaning equipment being developed
Hand geometry
• Applications
– Authentication (e.g. Disney Season Tickets)
– Access control
• Usability
– Easier to position hand than fingers (guides)
– Less susceptible to small injuries
– Hygiene again an issue
Iris recognition
• Applications
– Authentication (border control in airports for frequent travellers)
• Usability issues
– Better enrolment and recognition rates than fingerprint
– Enrolment and recognition problems with some hard contact lenses, drooping eyelids
– Can be used “standing up”, but adjusting for users of different heights can be difficult
Face recognition
• Applications
– Authentication (e.g. passport)
– Identification (e.g. people who are wanted, in airports, crowds)
• Usability
– Sensitive to change in lighting conditions, movement in background, changes in make-up and hair
– High rate of “false alarms”
Voice recognition
• Applications
– Speaker recognition (not speech recognition) on a set of pre-stored phrases
– Popular for telephony-based interactions (home banking and insurance)
– Used by some companies as “lie detector” (insurance claims)
• Usability issues
– Speaker training
– Voice changes – colds etc.
– Background noise
Dynamic Signature Recognition
• Pro
– Legally recognised as “Declaration of Will”
– Natural interaction for most users
• Applications
– Electronic documents with signature: contracts, mortgage agreements
– Anything that needs signing
• Usability issues
Biometrics on smartcard
• User carries template on card
• Match biometrics against card
Usability and acceptance
- Key benefits biometrics can bring
  - Potential for reducing (mental) load of security
  - Improved security for individuals and organisations
  - Split perception in terms of benefits for society
- Key issues
  - Split perception in terms of perceived risks
Reducing load on users
- Reduction of physical and/or mental load of security is key benefit
- Can only be achieved if biometrics is
  - Properly engineered
  - Robust
  - Easy to install
  - Performance in day-to-day use
  - Integrated into the work process
End-user acceptance
• Key: cost/benefit assessment
– Benefits for individuals and organisations in daily use
– Split view of benefits for society
• Increased security for all
• Only for convenience of government agencies
– Split on perceived risks
• For individual (economic, medical, privacy, self-determination)
• For society (surveillance, shift of power/control)
Are biometrics the future of authentication?
• Biometrics has huge potential, but requires
– Careful analysis of users’ tasks and context of use
– Careful selection & testing of technology, setting of acceptance/rejection thresholds; performance requirements in daily use must be met
– Best for regular users and applications
– Systems must be robust, with contingency procedures for dealing with rejection
Knowledge-based authentication
• Key assumption: password exists in two places only
1) System (encrypted) – password should not exist in clear text anywhere.
2) User’s head – password should never be written down or disclosed.
Password Authentication
• Usually 2-step procedure:
– Identification
– Verification
Username: uclcsmas
Password: ************
Attacks on password systems
• 3 types of attacks
1) Cracking attacks
2) Guessing attacks
3) Shoulder-surfing attacks
• Most password policies aim at preventing cracking attacks
• Individual users often more concerned with guessing and surfing attacks
Rules governing password construction
• Password policies
• State how the password mechanism is implemented
– Password length
– Password content
– Frequency of change
– Number of login attempts
– Re-setting
How usable are passwords?
Human Memory
(1) Limited capacity of working memory
(2) Items stored in memory decay over time
(3) Frequent/regular recall improves memorability of items (automaticity)
(4) Unaided recall is harder than cued recall
(5) Non-meaningful items are harder to recall than meaningful ones
(6) Similar items compete and are easily confused
(7) Items linger in memory – humans cannot “forget on demand”
Computer Passwords
• Unaided recall
• Strong passwords = non-meaningful items
• Recall has to be 100% correct
• No feedback on failure
Additional Factors
• Proliferation of systems leads to large number of passwords and PINs
• Many of these need to be changed frequently (see password policies)
• Many similar items competing
Resulting Problems
• Infrequently used passwords are easily forgotten (with frequent use, automaticity protects)
• Recently changed passwords are forgotten or confused
• Similar passwords on similar systems are easily confused
Password usage & problems
[Chart: password usage & problems by usage level (Light Use, Medium Use, Heavy Use); problem categories: Technical/Organisational, Forgetting, Confusion; vertical axis 0 to 70]
Forgetting is the biggest problem (56%), especially for lightly used (1 per month) passwords
User strategies for memory problems
• Moral: if you do not give users a strategy for managing their passwords/PINs, they will make up their own
1) Externalising passwords/PINs
2) Using same password/PIN across multiple applications
3) Not changing password unless forced to
• Usually on-the-spot decisions
Problems with PINs
Even heavily used (4-5 times a day) PINs are forgotten after short periods of non-use (1 week)
Looking for PINs
• On the card
• Elsewhere in wallet
• Post-it stuck on phone
• On/around the cash dispenser
• …
Causes of password login failure
• PW memory failure 52%
– Confusion with old PW 37%
– PW from other system 15%
• User ID wrong 20%
• Typo 12%
– Missing or additional chars
– ENTER
Based on detailed password logs at UCL, Oct-Dec 1999
Memory load of Authentication Procedure
• Correct password AND user_id for specific system = triple memory load for users with many passwords
• Standardising user_id in organisations can help
Username: uclcsmas
Password: ************
Password Quality
• Password content
– 28% of users’ passwords are identical
– 68% use one way to construct their passwords
– 51% pw = word with number on the end
• Change
– 90%+ only change when forced
– 45% of changes = increment number by 1
• Writing down
– 30% write down all passwords
– 32% write down infrequently used passwords
Surveys at BT and UCL in 1999 – other studies have found very similar results.
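An added example (not from the slides or the surveys) tying together the knowledge-based assumptions, the password-policy rules (length, content, change) and the survey findings above: the server keeps only a salted PBKDF2 hash, the policy check rejects a dictionary word with a number on the end, and the change check rejects the "increment the number by 1" pattern. The word list, rounds and thresholds are constructed choices.

```python
import hashlib
import hmac
import os
import re

# Constructed tiny word list; a deployment would use a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "london", "monday"}
PBKDF2_ROUNDS = 100_000

def policy_violations(pw: str, min_length: int = 8) -> list[str]:
    """Apply length and content rules; return the rules the candidate breaks (empty = OK)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)      # a bare word, optionally with digits on the end
    if m and m.group(1).lower() in COMMON_WORDS:
        problems.append("dictionary word (with or without a number on the end)")
    return problems

def is_incremented(old: str, new: str) -> bool:
    """True when new is old with its trailing number moved up or down by exactly one."""
    mo, mn = re.fullmatch(r"(.*?)(\d+)", old), re.fullmatch(r"(.*?)(\d+)", new)
    return bool(mo and mn and mo.group(1) == mn.group(1)
                and abs(int(mn.group(2)) - int(mo.group(2))) == 1)

def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """The system side stores salt + PBKDF2 digest only; the clear text is never written."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def change_password(old: str, new: str, salt: bytes, digest: bytes) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). The old password is checked against the stored hash only."""
    reasons = []
    if not verify_password(old, salt, digest):
        reasons.append("old password incorrect")
    reasons += policy_violations(new)
    if old == new or is_incremented(old, new):
        reasons.append("new password is the old one, or the old one with the number incremented")
    return (not reasons), reasons
```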
Same passwords for many systems
“… the password you use to authenticate [yourself as] the customer of the electronic banking system […] is quite possibly known to a Mafia-operated porn site as well.”
Ross Anderson: Security Engineering
Same PIN for many applications
• Many users use same PIN across many applications (e.g. bank card and mobile phone)
• Users often spontaneously disclose PIN used on a shared office or mobile phone
• Many people give card and PIN to others to fetch cash
– Elderly people
– Friday night, down the pub
• Most bank fraud is committed by somebody close to victim (family member or colleague)
Exercise
Design an authentication mechanism for a telephone banking system.
How can we identify and authenticate users?
What are the physical/mental workload implications for customers?
What are the attacks?