Authentication Mechanisms. 1) Token-based –Magnetic cards, smartcards, … 2) Biometrics...

Authentication Mechanisms

1) Token-based – Magnetic cards, smartcards, …
2) Biometrics – Fingerprints, iris recognition, face recognition …
3) Knowledge-based – Passwords, PIN, questions, …

These may be combined in an authentication procedure.

Token-based authentication

Token-based authentication

• Pros
  – Lower memory load
• Cons
  – Higher cost
  – Can be lost or stolen
  – Will users remember the token? Best if combined with an access card or similar
  – Multiple tokens become a burden; often combined with a password or PIN (the token replaces the user_id only)

Security token

• Identify legitimate users through possession of a token
• Can be lost, stolen, passed on
  – Security risk
  – High cost
• Usually employed as part of a 2-step procedure, combined with a PIN or password, or with biometrics

2-Factor Token Authentication

• Time-based (e.g. SecurID)
  1. User_id
  2. Passphrase + timecode
  – Pros: remote access
  – Cons: infrequent users forget the syntax

Example: SecurID

• 3-step authentication
  – Username
  – Password
  – Timecode
• Not cheap
• Widely used in the financial industry
• http://www.rsasecurity.com/
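The three-step login above (username, passphrase, timecode) can be demonstrated with the open HOTP/TOTP standards (RFC 4226/6238), which are the published equivalent of a time-based token; SecurID's own algorithm is proprietary and is not what this code implements. This is an added example, not code from the slides or from RSA. The secret key is the RFC test-vector key, the user table is constructed, and the passphrase is held in clear only to keep the example short (the knowledge-based section covers proper storage).

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (the RFC 4226/6238 test-vector key). A real token holds a
# random per-device secret shared only with the authentication server.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of `step`-second intervals since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_timecode(secret: bytes, code: str, at: Optional[float] = None,
                    step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps (token clock drift).
    The comparison is constant-time so a near-miss is indistinguishable from a full miss."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, len(code)), code)
               for d in range(-window, window + 1))


# Constructed user table: user_id -> (passphrase, token secret).
USERS = {"uclcsmas": ("correct-horse", DEMO_SECRET)}


def three_step_login(user_id: str, passphrase: str, timecode: str,
                     at: Optional[float] = None) -> bool:
    """Username identifies the record; passphrase (something known) and timecode
    (something possessed) are both checked before the result is combined, so the
    caller cannot learn which factor failed."""
    record = USERS.get(user_id)
    if record is None:
        return False
    stored_pass, secret = record
    pass_ok = hmac.compare_digest(stored_pass.encode(), passphrase.encode())
    code_ok = verify_timecode(secret, timecode, at=at)
    return pass_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("current timecode:", totp(DEMO_SECRET, at=now))
    print("login:", three_step_login("uclcsmas", "correct-horse", totp(DEMO_SECRET, at=now), at=now))
```

The `window` parameter is the usability knob the slide's "Cons" hints at: a wider window tolerates token clock drift and slow typists, but every extra step accepted multiplies the number of codes an attacker could guess in one attempt, so it is normally kept at one step either side.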

USB security tokens

• Can be used to access
  – Many devices
  – Range of different devices
  – Also available with fingerprint reader!

Smart tokens

• Becoming more popular in IT
  – Login
  – Screen lock
• Can support mobility, e.g. carry session information

Smart card applications

• Example: Torinofacile http://www.torinofacile.it/
• Smart cards issued to citizens for payment of local tax, and access to information and services
• Key problem: not many home PCs have smart card readers; digital certificates used for access instead

Observations

• Highest uptake by young, male, well-educated users
  – Key benefit: access and payment out of office hours
• High cost of user support (help desk, enquiry line) during start-up phase

Biometrics

Biometric authentication

• Use physical or behavioural characteristic to identify or authenticate individual

• Involves constructing a biometric template of the characteristic, and matching the characteristic against it

• Has been promoted as providing “universal access”

Physical biometrics

• Fingerprint

• Hand geometry

• Iris

• Retina

• Face recognition

Behavioural biometrics

• Voice print

• Dynamic Signature Recognition (DSR)

• Typing pattern

• Gait recognition

FAR vs. FRR

• False acceptance rate (FAR) – accepting a user who is not registered, or mistaking one registered user for another
• False rejection rate (FRR) – rejecting a registered user
• High FRRs reduce usability
• High FARs reduce security
  – Customer-based applications tend to raise FAR
• Large database of templates makes it difficult to find an acceptable FAR/FRR balance
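The FAR/FRR trade-off is set by one number, the matcher's acceptance threshold, and the last bullet (large template databases) follows from simple probability. The example below, added here and not part of the slides, computes both rates from constructed matcher scores, picks the threshold for a given FAR target, finds the equal-error point, and shows how a per-comparison FAR compounds when one probe is matched against N stored templates. The score lists and the independence assumption in `identification_far` are constructed for illustration.

```python
from typing import Sequence, Tuple

# Constructed matcher scores (higher = more similar to the stored template).
# Genuine: a registered user against their own template; impostor: someone else against it.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.60, 0.93, 0.87]
IMPOSTOR_SCORES = [0.20, 0.35, 0.42, 0.55, 0.30, 0.62, 0.25, 0.48, 0.38, 0.70]


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """A sample is accepted when score >= threshold.
    FAR = fraction of impostor attempts accepted; FRR = fraction of genuine attempts rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def threshold_for_max_far(genuine, impostor, max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold (hence lowest FRR, best usability) whose FAR stays within the
    security target. Returns (threshold, far, frr)."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def equal_error_rate(genuine, impostor) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest; a common single-number summary of a matcher."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def identification_far(far: float, n_templates: int) -> float:
    """1:N identification against a database of n templates: probability that at least one
    stored template falsely matches, assuming each comparison fails independently with
    probability `far` (a simplifying assumption made for this example)."""
    return 1.0 - (1.0 - far) ** n_templates


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.77, 0.85):
        print(f"threshold {t:.2f}: FAR={far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)[0]:.2f} "
              f"FRR={far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)[1]:.2f}")
    print("no impostor accepted at:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("equal error point:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("1:1000 search with FAR 0.1%:", round(identification_far(0.001, 1000), 3))
```

Running it shows the slide's point numerically: pushing the threshold up until no impostor sample is accepted (FAR 0) still rejects one in ten genuine attempts, and a per-comparison FAR of 0.1% that looks fine for verification turns into a 63% chance of at least one false match when the probe is searched against a thousand templates.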

Biometric applications

• Public vs. commercial vs. private
• Often seen as high-security applications, but most successful applications are likely to be in
  – Convenience
  – Business process improvement

Fingerprint

• Applications
  – Authentication (ID cards, login)
  – Access control (doors etc.)
• Usability issues
  – High non-enrolment and FRR rates (up to 5%)
    • Manual workers & older people in particular
    • Resolution not good enough for many female Asian users
    • Smearing of glass plate (outside use virtually impossible)
  – Seen as “non-hygienic” by many users: self-cleaning equipment being developed

Hand geometry

• Applications
  – Authentication (e.g. Disney Season Tickets)
  – Access Control
• Usability
  – Easier to position hand than fingers (guides)
  – Less susceptible to small injuries
  – Hygiene again an issue

Iris recognition

• Applications
  – Authentication (border control in airports for frequent travellers)
• Usability issues
  – Better enrolment and recognition rates than fingerprint
  – Enrolment and recognition problems with some hard contact lenses, drooping eyelids
  – Can be used “standing up”, but adjusting for users of different heights can be difficult

Face recognition

• Applications
  – Authentication (e.g. passport)
  – Identification (e.g. people who are wanted, in airports, crowds)
• Usability
  – Sensitive to change in lighting conditions, movement in background, changes in make-up and hair
  – High rate of “false alarms”

Voice recognition

• Applications
  – Speaker recognition (not speech recognition) on a set of pre-stored phrases
  – Popular for telephony-based interactions (home banking and insurance)
  – Used by some companies as “lie detector” (insurance claims)
• Usability issues
  – Speaker training
  – Voice changes – colds etc.
  – Background noise

Dynamic Signature Recognition

• Pro
  – Legally recognised as “Declaration of Will”
  – Natural interaction for most users
• Applications
  – Electronic documents with signature: contracts, mortgage agreements
  – Anything that needs signing
• Usability issues

Biometrics on smartcard

• User carries template on card

• Match biometrics against card

Usability and acceptance

- Key benefits biometrics can bring
  - Potential for reducing (mental) load of security
  - Improved security for individuals and organisations
  - Split perception in terms of benefits for society
- Key issues
  - Split perception in terms of perceived risks

Reducing load on users

- Reduction of physical and/or mental load of security is key benefit
- Can only be achieved if biometrics is
  - Properly engineered
  - Robust
  - Easy to install
  - Performance in day-to-day use
  - Integrated into the work process

End-user acceptance

• Key: cost/benefit assessment
  – Benefits for individuals and organisations in daily use
  – Split view of benefits for society
    • Increased security for all
    • Only for convenience of government agencies
  – Split on perceived risks
    • For individual (economic, medical, privacy, self-determination)
    • For society (surveillance, shift of power/control)

Are biometrics the future of authentication?

• Biometrics has huge potential, but requires
  – Careful analysis of users’ tasks and context of use
  – Careful selection & testing of technology, and setting of acceptance/rejection thresholds; performance requirements in daily use must be met
  – Best for regular users and applications
  – Systems must be robust, with contingency procedures for dealing with rejection

Knowledge-based authentication

Knowledge-based authentication

• Key assumption: password exists in two places only
  1) System (encrypted) – password should not exist in clear text anywhere.
  2) User’s head – password should never be written down or disclosed.
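The slide says the system-side copy must never exist in clear text; in practice that copy is not a reversible encryption but a salted, deliberately slow one-way hash, checked in constant time, with a cap on login attempts as the later policy slide lists. The example below is added here and is not code from the slides: it uses PBKDF2 from Python's standard library (other memory-hard functions are equally valid), a constructed user table, and a lockout threshold chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 600_000      # PBKDF2 work factor; raise it as hardware gets faster
MAX_ATTEMPTS = 5          # "number of login attempts" rule from the password policy (illustrative value)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated one-way hash. The clear-text password is never written anywhere;
    a fresh random salt means two users with the same password get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class PasswordStore:
    """Minimal user table: identification (user_id lookup) then verification (hash check)."""

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.records: Dict[str, str] = {}      # user_id -> hash record (constructed table)
        self.failures: Dict[str, int] = {}     # user_id -> consecutive failed attempts
        # Hashed for unknown user_ids too, so a lookup miss takes as long as a hash miss
        # and response time does not reveal which user_ids exist.
        self._dummy = hash_password(os.urandom(8).hex(), iterations)

    def add_user(self, user_id: str, password: str) -> None:
        self.records[user_id] = hash_password(password, self.iterations)
        self.failures[user_id] = 0

    def is_locked(self, user_id: str) -> bool:
        return self.failures.get(user_id, 0) >= MAX_ATTEMPTS

    def login(self, user_id: str, password: str) -> bool:
        if self.is_locked(user_id):
            return False
        stored = self.records.get(user_id, self._dummy)
        ok = verify_password(password, stored) and user_id in self.records
        if ok:
            self.failures[user_id] = 0
        elif user_id in self.records:
            self.failures[user_id] += 1
        return ok


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("uclcsmas", "correct horse battery")
    print("stored record:", store.records["uclcsmas"][:40], "...")
    print("right password:", store.login("uclcsmas", "correct horse battery"))
    print("wrong password:", store.login("uclcsmas", "guess"))
```

Note what the store does not give the user: no hint about which of user_id or password was wrong, and no feedback beyond accept/reject, which is exactly the "no feedback on failure" property the Human Memory slides later identify as a usability cost. The lockout counter is the mechanism behind the "number of login attempts" rule; the reset path it implies (help desk, identity re-check) is part of the policy's support cost.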

Password Authentication

• Usually 2-step procedure:
  – Identification
  – Verification

Username: uclcsmas
Password: ************

Attacks on password systems

• 3 types of attacks
  1) Cracking attacks
  2) Guessing attacks
  3) Shoulder-surfing attacks
• Most password policies aim at preventing cracking attacks
• Individual users often more concerned with guessing and surfing attacks

Rules governing password construction

• Password policies state how the password mechanism is implemented
  – Password length
  – Password content
  – Frequency of change
  – Number of login attempts
  – Re-setting

How usable are passwords?

Human Memory

(1) Limited capacity of working memory
(2) Items stored in memory decay over time
(3) Frequent/regular recall improves memorability of items (automaticity)
(4) Unaided recall is harder than cued recall
(5) Non-meaningful items are harder to recall than meaningful ones
(6) Similar items compete and are easily confused
(7) Items linger in memory – humans cannot “forget on demand”

Computer Passwords

• Unaided recall

• Strong passwords = non-meaningful items

• Recall has to be 100% correct

• No feedback on failure

Additional Factors

• Proliferation of systems leads to large number of passwords and PINs

• Many of these need to be changed frequently (due to password policies)

• Many similar items competing

Resulting Problems

• Infrequently used passwords are easily forgotten (with frequent use, automaticity protects)

• Recently changed passwords are forgotten or confused

• Similar passwords on similar systems are easily confused

Password usage & problems

[Chart: password problems by usage frequency (Light Use / Medium Use / Heavy Use); problem categories Technical/Organisational, Forgetting, Confusion; vertical axis 0–70%]

Forgetting biggest problem – 56%, especially for lightly used (1 per month) passwords

User strategies for memory problems

• Moral: if you do not give users a strategy for managing their passwords/PINs, they will make up their own
  1) Externalising passwords/PINs
  2) Using same password/PIN across multiple applications
  3) Not changing password unless forced to
• Usually on-the-spot decisions

Problems with PINs

Even heavily used (4–5 times a day) PINs are forgotten after short periods of non-use (1 week)

Looking for PINs

• On the card
• Elsewhere in wallet
• Post-it stuck on phone
• On/around the cash dispenser
• …

Causes of password login failure

• PW memory failure 52%
  – confusion with old PW 37%
  – PW from other system 15%
• User ID wrong 20%
• Typo 12%
  – missing or additional chars
  – ENTER

Based on detailed password logs at UCL, Oct–Dec 1999

Memory load of Authentication Procedure

• Correct password AND user_id for a specific system = triple memory load for users with many passwords
• Standardising user_id in organisations can help

Username: uclcsmas
Password: ************

Password Quality

• Password content
  – 28% of users’ passwords are identical
  – 68% use one way to construct their passwords
  – 51% pw = word with number on the end
• Change
  – 90%+ only change when forced
  – 45% change = increment number by 1
• Writing down
  – 30% write down all passwords
  – 32% write down infrequently used passwords

Surveys at BT and UCL in 1999 – other studies have found very similar results.
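The construction rules on the "Rules governing password construction" slide (length, content) and the survey findings above (word with a number on the end, change = increment the number by one) together describe what a policy checker at password-change time should test for. The code below is an added example, not the slides' own material: the minimum length, character-class rule, wordlist and rule names are constructed for illustration, and a real deployment would use a full dictionary and breach corpus in place of the six-word list.

```python
import re
from typing import List, Sequence

# Constructed mini-wordlist standing in for a dictionary / breach corpus.
COMMON_WORDS = {"password", "summer", "london", "letmein", "welcome", "monday"}
MIN_LENGTH = 12                                   # illustrative policy value
WORD_THEN_DIGITS = re.compile(r"^([A-Za-z]+)(\d+)$")   # the "word with number on the end" shape


def is_incremented(old: str, new: str) -> bool:
    """True when `new` is `old` with its trailing number raised by one (summer7 -> summer8),
    the change strategy 45% of surveyed users reported."""
    m_old, m_new = WORD_THEN_DIGITS.match(old), WORD_THEN_DIGITS.match(new)
    if not (m_old and m_new):
        return False
    same_word = m_old.group(1).lower() == m_new.group(1).lower()
    return same_word and int(m_new.group(2)) == int(m_old.group(2)) + 1


def check_policy(candidate: str, previous: Sequence[str] = ()) -> List[str]:
    """Return the policy rules the candidate breaks (empty list = acceptable).
    `previous` is the user's password history, newest first, needed for the change rules."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(p, candidate) is not None
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if candidate.lower() in COMMON_WORDS:
        problems.append("common word")
    m = WORD_THEN_DIGITS.match(candidate)
    if m and m.group(1).lower() in COMMON_WORDS:
        problems.append("common word followed by digits")
    for old in previous:
        if candidate == old:
            problems.append("identical to a previous password")
            break
        if is_incremented(old, candidate):
            problems.append("previous password with number incremented")
            break
    return problems


if __name__ == "__main__":
    for new, history in (("summer8", ["summer7"]), ("password1", []),
                         ("Tr0ub4dor&3-visitor", ["summer7"])):
        print(f"{new!r}: {check_policy(new, history) or 'ok'}")
```

The checker only reports; it deliberately returns every broken rule rather than stopping at the first one, so the change dialogue can tell the user what to fix in one round instead of forcing repeated attempts, which (per the Human Memory slides) is where confusion with the old password begins. The history comparison needs the old passwords in a form the checker can read, which is a reason to run these rules at change time, when the user has just typed the old one, rather than against stored hashes.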

Same passwords for many systems

“… the password you use to authenticate [yourself as] the customer of the electronic banking system […] is quite possibly known to a Mafia-operated porn site as well.”

Ross Anderson: Security Engineering

Same PIN for many applications

• Many users use the same PIN across many applications (e.g. bank card and mobile phone)
• Users often spontaneously disclose the PIN used on a shared office or mobile phone
• Many people give card and PIN to others to fetch cash
  – Elderly people
  – Friday night, down the pub
• Most bank fraud is committed by somebody close to the victim (family member or colleague)

Exercise

Design an authentication mechanism for a telephone banking system.

How can we identify and authenticate users?

What are the physical/mental workload implications for customers?

What are the attacks?