
Authentication Mechanisms



  1. Authentication Mechanisms

  2. Authentication Mechanisms 1) Token-based (something you have) • Magnetic cards, smartcards, … 2) Biometrics (something you are) • Fingerprints, iris recognition, face recognition, … 3) Knowledge-based (something you know) • Passwords, PINs, questions, … These may be combined in a single authentication procedure (multi-factor authentication).

  3. Token-based authentication

  4. Token-based authentication • Pros • Lower memory load on the user • Cons • Higher cost • Can be lost or stolen • Will users remember to carry the token? Best if combined with an existing access card or similar • Multiple tokens become a burden • On its own a token only replaces the user ID (identification step), not the verification step, so it is usually combined with a password or PIN

  5. Security token • Identifies legitimate users through possession of the token • Can be lost, stolen, or passed on to someone else • Security risk • High cost • Usually employed as part of a 2-step procedure, combined with • PIN or password • biometrics

  6. 2-Factor Token Authentication • Time-based (e.g. SecurID): the token displays a code derived from a shared secret and the current time • User_id • Passphrase + timecode • Pros • Suitable for remote access • Cons • Infrequent users forget the login syntax

  7. Example: SecurID • 3-step authentication • Username • Password • Timecode (from the token) • Not cheap • Widely used in the financial industry http://www.rsasecurity.com/
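Added example (not from the slides, and not RSA's proprietary SecurID algorithm, which is closed): the open-standard equivalent of a time-based token is TOTP (RFC 6238), built on HOTP (RFC 4226). The block below derives the timecode from a shared secret and the current 30-second step, verifies it with a small drift window, and combines it with a PIN in the username / PIN / timecode procedure of slides 6 and 7. The secret is the RFC test-vector key so the codes can be checked against the RFCs; the user table and PIN handling are assumptions for the demo (a real system would store the PIN hashed, as in the password section later).

```python
import hashlib
import hmac
import struct
import time

# Shared key from the RFC 4226 / RFC 6238 SHA-1 test vectors (demo only;
# a real token secret is random and provisioned per device).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, code: str, unix_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    which tolerates clock drift between the token and the server."""
    counter = int(unix_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def two_factor_login(users: dict, username: str, pin: str, code: str,
                     unix_time: float) -> bool:
    """Slide-6 procedure: user_id, then PIN (knowledge factor) + timecode (possession factor).
    `users` is an assumed in-memory table {username: {"pin": ..., "secret": ...}}."""
    record = users.get(username)
    if record is None:
        return False
    pin_ok = hmac.compare_digest(record["pin"], pin)
    code_ok = verify_totp(record["secret"], code, unix_time)
    return pin_ok and code_ok          # both factors must pass, evaluated without short-circuit


if __name__ == "__main__":
    users = {"uclcsmas": {"pin": "2468", "secret": DEMO_SECRET}}
    now = time.time()
    print("current timecode:", totp(DEMO_SECRET, now))
    print("login:", two_factor_login(users, "uclcsmas", "2468", totp(DEMO_SECRET, now), now))
```

The drift window is the usability/security trade-off the slides hint at for remote access: a window of 1 accepts three consecutive codes, so a captured code stays valid for up to 90 seconds rather than 30.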

  8. USB security tokens • One token can be used to access a range of different devices • Also available with a built-in fingerprint reader

  9. Smart tokens • Becoming more popular in IT • Login • Screen lock (lock when the token is removed) • Can support mobility, e.g. by carrying session information between machines

  10. Smart card applications • Example: Torinofacile http://www.torinofacile.it/ • Smart cards issued to citizens for payment of local tax, and access to information and services • Key problem: not many home PCs have smart card readers → digital certificates used for access instead

  11. Observations • Highest uptake by young, male, well-educated users • Key benefit: access and payment outside office hours • High cost of user support (help desk, enquiry line) during the start-up phase

  12. Biometrics

  13. Biometric authentication • Uses a physical or behavioural characteristic to identify or authenticate an individual • Involves constructing a biometric template of the characteristic at enrolment, and matching later samples of the characteristic against it • Has been promoted as providing “universal access” (nothing to carry or remember)

  14. Physical biometrics • Fingerprint • Hand geometry • Iris • Retina • Face recognition

  15. Behavioural biometrics • Voice print • Dynamic Signature Recognition (DSR) • Typing pattern • Gait recognition

  16. FAR vs. FRR • False acceptance rate (FAR) – accepting a user who is not registered, or mistaking one registered user for another • False rejection rate (FRR) – rejecting a registered user • The two are traded off against each other through the matching threshold • High FRRs reduce usability • High FARs reduce security • Customer-facing applications tend to be tuned towards a higher FAR, to keep rejections of legitimate customers low • A large database of templates makes it difficult to find an acceptable FAR/FRR balance: in identification (1:N matching) every extra template is another chance of a false match

  17. Biometric applications • Public vs. commercial vs. private • Often seen as high-security applications, but the most successful applications are likely to be in • Convenience • Business process improvement

  18. Fingerprint • Applications • Authentication (ID cards, login) • Access control (doors etc.) • Usability issues • High non-enrolment and FRR rates (up to 5%) • Manual workers and older people in particular • Sensor resolution not good enough for many female Asian users • Smearing of the glass plate (outdoor use virtually impossible) • Seen as “non-hygienic” by many users: self-cleaning equipment is being developed

  19. Hand geometry • Applications • Authentication (e.g. Disney season tickets) • Access control • Usability • Easier to position the hand than individual fingers (guides) • Less susceptible to small injuries • Hygiene is again an issue

  20. Iris recognition • Applications • Authentication (border control in airports for frequent travellers) • Usability issues • Better enrolment and recognition rates than fingerprint • Enrolment and recognition problems with some hard contact lenses and drooping eyelids • Can be used “standing up”, but adjusting to users of different heights can be difficult

  21. Face recognition • Applications • Authentication (e.g. passport) • Identification (e.g. spotting wanted people in airports, crowds) • Usability • Sensitive to changes in lighting conditions, movement in the background, changes in make-up and hair • High rate of “false alarms” (false matches) in identification use

  22. Voice recognition • Applications • Speaker recognition (not speech recognition) on a set of pre-stored phrases • Popular for telephony-based interactions (home banking and insurance) • Used by some companies as a “lie detector” (insurance claims) • Usability issues • Speaker training • Voice changes – colds etc. • Background noise

  23. Dynamic Signature Recognition • Pro • Legally recognised as a “declaration of will” • Natural interaction for most users • Applications • Electronic documents with signature: contracts, mortgage agreements • Anything that needs signing • Usability issues

  24. Biometrics on smartcard • User carries their own template on the card rather than in a central database • Live biometric is matched against the template on the card

  25. Usability and acceptance • Key benefits biometrics can bring • potential for reducing the (mental) load of security • improved security for individuals and organisations • split perception in terms of benefits for society • Key issues • split perception in terms of perceived risks

  26. Reducing load on users • Reduction of the physical and/or mental load of security is the key benefit • Can only be achieved if the biometric system is • Properly engineered • Robust • Easy to install • Performing well in day-to-day use • Integrated into the work process

  27. End-user acceptance • Key: cost/benefit assessment • Benefits for individuals and organisations in daily use • Split view of benefits for society • Increased security for all • Or only convenience for government agencies • Split view on perceived risks • For the individual (economic, medical, privacy, self-determination) • For society (surveillance, shift of power/control)

  28. Are biometrics the future of authentication? • Biometrics has huge potential, but requires • Careful analysis of users’ tasks and context of use • Careful selection and testing of the technology, and setting of acceptance/rejection thresholds • Performance requirements in daily use must be met • Best for regular users and applications • Systems must be robust, with contingency procedures for dealing with rejections

  29. Knowledge-based authentication

  30. Knowledge-based authentication • Key assumption: the password exists in two places only • System – stored only as a salted one-way hash, never as an encrypted (reversible) or clear-text copy • User’s head – the password should never be written down or disclosed

  31. Password Authentication • Usually a 2-step procedure: • Identification (who you claim to be) • Verification (proof of the claim) Username: uclcsmas Password: ************

  32. Attacks on password systems • 3 types of attack • Cracking attacks (offline: trying candidates against a stolen copy of the stored hashes) • Guessing attacks (online: trying candidates at the login prompt) • Shoulder-surfing attacks (observing the password as it is typed) • Most password policies aim at preventing cracking attacks • Individual users are often more concerned with guessing and shoulder-surfing attacks
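Added example (not from the slides) showing the server side of the assumption in slide 30 and the two classes of attack in slide 32: each password is stored as a per-user random salt plus a slow PBKDF2 hash (so a stolen password file is expensive to crack and identical passwords do not share a hash), and an in-memory failed-attempt counter locks the account against online guessing. The store, the "ok / denied / locked" results and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2 work factor. Deliberately lower than current recommendations
# (hundreds of thousands of iterations for SHA-256) so the example runs fast.
ITERATIONS = 100_000
MAX_ATTEMPTS = 5


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt and a slow one-way hash; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


class PasswordStore:
    """Username -> hashed record, plus a failed-attempt counter per user.
    The slow salted hash defends against offline cracking of a stolen
    password file; the counter throttles online guessing at the prompt."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.records: Dict[str, dict] = {}
        self.failures: Dict[str, int] = {}
        self.max_attempts = max_attempts
        # Dummy record so a login for an unknown username costs the same time
        # as a real one (otherwise timing reveals which usernames exist).
        self._dummy = make_record(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self.records[username] = make_record(password)
        self.failures[username] = 0

    def login(self, username: str, password: str) -> str:
        """Identification then verification; returns 'ok', 'denied' or 'locked'."""
        record = self.records.get(username)
        if record is None:
            check_password(self._dummy, password)     # burn the same time, then refuse
            return "denied"
        if self.failures[username] >= self.max_attempts:
            return "locked"                           # too many guesses: needs a reset
        if check_password(record, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


if __name__ == "__main__":
    store = PasswordStore(max_attempts=3)
    store.register("uclcsmas", "correct horse battery")
    print("stored record:", store.records["uclcsmas"])
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, "->", store.login("uclcsmas", attempt))
```

A lockout counter is itself a usability and availability trade-off: an attacker who knows a username can lock the legitimate user out, which is why real systems prefer exponential delays or per-source rate limits to a hard lock, and why the policy slide that follows lists the resetting procedure alongside the number of login attempts.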

  33. Rules governing password construction • Password policies • State how the password mechanism is implemented • Password length • Password content • Frequency of change • Number of login attempts • Resetting procedure

  34. How usable are passwords?

  35. Human Memory (1) Limited capacity of working memory (2) Items stored in memory decay over time (3) Frequent/regular recall improves memorability of items (automaticity) (4) Unaided recall is harder than cued recall (5) Non-meaningful items are harder to recall than meaningful ones (6) Similar items compete and are easily confused (7) Items linger in memory – humans cannot “forget on demand”

  36. Computer Passwords • Unaided recall • Strong passwords = non-meaningful items • Recall has to be 100% correct • No feedback on failure (the system does not say which character was wrong)

  37. Additional Factors • Proliferation of systems leads to a large number of passwords and PINs • Many of these need to be changed frequently (see password policies) • Many similar items competing in memory

  38. Resulting Problems • Infrequently used passwords are easily forgotten (with frequent use, automaticity protects) • Recently changed passwords are forgotten or confused • Similar passwords on similar systems are easily confused

  39. Password usage & problems • Forgetting is the biggest problem (56%), especially for lightly used (about once a month) passwords
