6.5. Choosing a Mechanism

To evaluate an authentication mechanism, it is useful to divide the selection criteria into four categories:


Critical

Used to disqualify mechanisms with an unacceptably large deficit.


Vital

Used to come up with a cumulative deficit for authentication mechanisms across these criteria, to identify candidates for use in the system.


Significant

Used to confirm the decision made by using the vital criteria only. If a chosen mechanism happens to have a maximal deficiency in a significant criterion, we should consider other options based on the vital criteria.


Incidental

These criteria are not important and usually would not be weighed as part of the decision-making process.

Clearly, different applications will put different criteria into different categories.

6.5.1. An Online Banking Example

Consider the case of a bank that wants to authenticate its customers for an online banking portal. Three approaches have been proposed:


Password approach

The bank has each customer choose a password in the branch office when an account is created.


TAN approach

The bank prints on the customer's monthly statement a set of Transaction Authorization Numbers (TANs). These TANs can each be used a single time to gain access to the bank's web site. Essentially, the TANs are a set of one-time passwords that may each be used once to log into the bank's web site.


Token approach

Customers who desire online access may purchase a security token with a changing PIN. The customer must type both his password and the PIN into his computer each time he wants to access the web site.

The bank can use the evaluation strategy presented in this chapter to decide between these three authentication strategies.

6.5.1.1 The critical criterion: accessibility

First, it is useful to see if any of the alternatives have such deficits that they must be disqualified. Because the bank does business with the public, it has both moral and potential legal requirements for inclusivity. Because the bank wants to make its online portal accessible to all of its customers, it needs to consider any special requirements.

Of the three proposed approaches, only the token approach has a significant inclusivity deficit: tokens with LCD screens cannot be used by people who are blind. This problem can be overcome through the use of USB tokens. The bank may want to substitute USB tokens for LCD tokens, or it may want to give customers the choice of using either token.

Both the TAN approach and the token approach have special requirements: the TAN approach requires that the user have a copy of his bank statement in order to engage in online banking, and the token approach requires that the user have his token. Although either might represent a significant deficit for an entertainment service that was designed to be used throughout the day, this deficit might be acceptable for an online banking portal that users might want to use only in the evening when they are at home.

6.5.1.2 The vital criterion: security

Vital to the bank's selection of an authentication mechanism will be the security that the mechanism provides. Of the three alternatives, the password approach offers the lowest amount of security. Because passwords must be disclosed in order to be used, they can be inadvertently shared with an attacker: for example, the password can be entered at the wrong web site. Passwords that are chosen by the user may be further compromised by being used at multiple web sites. Passwords are also susceptible to being broken through brute-force or password-guessing attacks. Thus, the bank will need to have software that detects such an attack and behaves accordingly.

The TAN approach has a different security deficit: because the TANs are printed on the customer's statement, any individual who is able to intercept the customer's paper mail will be given complete access to the customer's bank account. For this reason, the bank may wish to supplement the TANs with a password chosen by the user. This would be an example of two-factor authentication.

6.5.1.3 The significant criteria: memorability and cost

Memorability is a significant criterion to the bank because a high deficit will increase customer support costs. The password approach has a low memorability deficit because consumers have the ability to pick their own passwords. A scheme that requires users to change their passwords on a regular basis will increase this deficit. Such a scheme might be warranted, however, if there is a chance that a percentage of users will have their passwords compromised on a regular basis.

Neither the TAN approach nor the token approach has a low memorability deficit: the user must both remember how to use the scheme and carry the TAN booklet or the token. Otherwise, however, there is no information that must be remembered. The token approach does place an additional cost on customers, who must purchase the token.

6.5.1.4 The incidental criterion: nothing

Because of the bank's scale of operation, in this example there are no incidental criteria. On the other hand, if the bank were a small private bank that offered service only to high-net-worth individuals, the cost of the authentication strategy might not be a factor.
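As an added worked example (not code from the book), the selection procedure above applied to the bank's three mechanisms plus the USB-token variant. The deficit scores on a 0 to 3 scale are my own reading of the chapter's discussion; the book assigns no numbers.

```python
"""Deficit-based selection of an authentication mechanism using the
critical / vital / significant / incidental criterion categories.
Example code; the deficit scores below are constructed, not from the book."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DEFICIT = 3  # assumed scale: 0 = no deficit ... 3 = maximal deficiency


@dataclass
class Mechanism:
    name: str
    deficits: Dict[str, int]  # criterion -> deficit score


@dataclass
class Evaluation:
    disqualified: List[str] = field(default_factory=list)
    ranking: List[str] = field(default_factory=list)  # by cumulative vital deficit
    choice: Optional[str] = None


def evaluate(mechanisms, categories, critical_cutoff=MAX_DEFICIT):
    """categories maps each criterion to 'critical', 'vital', 'significant' or 'incidental'."""
    by_cat: Dict[str, List[str]] = {}
    for criterion, cat in categories.items():
        by_cat.setdefault(cat, []).append(criterion)
    result = Evaluation()
    # Step 1: an unacceptably large deficit in any critical criterion disqualifies outright.
    survivors = []
    for m in mechanisms:
        if any(m.deficits.get(c, 0) >= critical_cutoff for c in by_cat.get("critical", [])):
            result.disqualified.append(m.name)
        else:
            survivors.append(m)
    # Step 2: rank survivors by cumulative vital deficit; incidental criteria are ignored.
    vital = by_cat.get("vital", [])
    survivors.sort(key=lambda m: sum(m.deficits.get(c, 0) for c in vital))
    result.ranking = [m.name for m in survivors]
    # Step 3: confirm with the significant criteria; a maximal deficiency there
    # sends us to the next candidate in the vital ranking.
    significant = by_cat.get("significant", [])
    for m in survivors:
        if all(m.deficits.get(c, 0) < MAX_DEFICIT for c in significant):
            result.choice = m.name
            break
    return result


BANK_CATEGORIES = {"accessibility": "critical", "security": "vital",
                   "memorability": "significant", "cost": "significant"}
BANK_MECHANISMS = [  # constructed scores following the chapter's discussion
    Mechanism("password",  {"accessibility": 0, "security": 3, "memorability": 0, "cost": 0}),
    Mechanism("TAN",       {"accessibility": 1, "security": 2, "memorability": 1, "cost": 0}),
    Mechanism("LCD token", {"accessibility": 3, "security": 1, "memorability": 1, "cost": 2}),
    Mechanism("USB token", {"accessibility": 1, "security": 1, "memorability": 1, "cost": 2}),
]
```

Running `evaluate(BANK_MECHANISMS, BANK_CATEGORIES)` disqualifies the LCD token on accessibility, ranks the survivors USB token, TAN, password by security deficit, and confirms the USB token because neither significant criterion is at its maximum.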



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
