6.1. Authentication

Security systems are designed to let authorized people in (the permission problem), and to keep unauthorized people out (the prevention problem[2]). This involves three distinct steps: identification, authentication, and authorization.

[2] B. Schneier, "Sensible Authentication," ACM Queue 1 (2004), 74–78.

  • Identification. The identification step asks a person to identify himself, usually by means of a token or an identification string such as an email address or account number.

  • Authentication. Once the identification token has been tendered, the person has to provide evidence of his identity; this is the authentication step.

  • Authorization. Authorization allows an authenticated person to take a set of actions once permission has been granted.

People authenticate themselves by what they know (memometrics[3]), by what they recognize (cognometrics), by what they hold, or by what they are (biometrics) (see Figure 6-1). In the case of the first three, the system and the person share a secret[4] (the authentication key). At enrollment, the user and the system agree on what the secret is; at authentication time, the system determines whether the person being authenticated has possession of the pre-agreed secret. If the user proves knowledge of the secret, the system will authenticate her. In the case of biometrics, the system records a digital representation of some aspect of a person's physiology or behavior at enrollment, and this is confirmed at authentication time.

[3] Nomenclature introduced by http://www.realuser.com/technology/.

[4] R. E. Smith, Authentication: From Passwords to Public Keys (Reading, MA: Addison Wesley, 2002).

Figure 6-1. Authentication types


Many authentication scenarios can be strengthened through the use of public key cryptography. For example, a user can have a smart card that contains a public key and a matching private key. Instead of a password, the user's public key can be placed on file at the remote computer system. To authenticate the user, the remote computer sends the user a random challenge. The user signs the challenge with his private key and sends the result back to the remote server, which verifies the signature with the public key that is on file. In this way, the remote system can verify that the user has possession of the private key without ever having to receive it. Instead of having the public key on file at the remote system, the smart card can submit both the signed challenge and a public key certificate that has been signed by a third party. In this case, the use of public key technology is called PKI (public key infrastructure).

One way to think about authentication systems based on public key cryptography is that the user must authenticate himself to a local system (the smart card) through the use of a password, a biometric, or mere possession. The card then authenticates itself to a remote system using public key cryptography. Because the remote system believes that the smart card is reliable, the remote system trusts the card's assertion that the subject has been properly authenticated. This is an example of transitive trust.
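The challenge-response exchange described above, written out as an added example in Go using the standard library's Ed25519 implementation. This is not code from the book. Two details are this example's own assumptions rather than anything the chapter specifies: the server keeps track of which challenge it issued to which identity and consumes it after one attempt, and the card signs the challenge together with the name of the server it believes it is talking to, so that a signature collected by one server cannot be relayed to another. The identities and server name are made-up sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps the users' public keys "on file", keyed by the identification
// string tendered in the identification step (an email address here).
type Server struct {
	Name       string
	keysOnFile map[string]ed25519.PublicKey
	// issued remembers the outstanding challenge per identity so that a
	// signature is only accepted for a challenge this server actually sent.
	issued map[string][]byte
}

// Card models the user's smart card: the private key never leaves it; the card
// only returns signatures over what it is asked to sign.
type Card struct {
	priv ed25519.PrivateKey
}

func NewServer(name string) *Server {
	return &Server{Name: name, keysOnFile: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// Enroll generates the card's key pair and places the public half on file.
// Enrollment is the one step that has to happen over a trusted path.
func (s *Server) Enroll(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keysOnFile[id] = pub
	return &Card{priv: priv}, nil
}

// Challenge issues 32 fresh random bytes for id. Freshness is what makes a
// replayed signature worthless.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.keysOnFile[id]; !ok {
		return nil, errors.New("unknown identity")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[id] = c
	return c, nil
}

// toSign builds the message that is actually signed. Binding the server's
// name into it is an assumption of this example: it stops a man-in-the-middle
// from forwarding server A's challenge to a card that thinks it is talking
// to server B.
func toSign(serverName string, challenge []byte) []byte {
	return append([]byte("auth-challenge/"+serverName+"/"), challenge...)
}

// Sign is the card's half of the exchange.
func (c *Card) Sign(serverName string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, toSign(serverName, challenge))
}

// Verify is the server's half: the signature must verify under the key on
// file for id, over the challenge this server issued to id. The challenge is
// consumed after one attempt whether or not it succeeded.
func (s *Server) Verify(id string, sig []byte) error {
	pub, ok := s.keysOnFile[id]
	if !ok {
		return errors.New("unknown identity")
	}
	challenge, ok := s.issued[id]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.issued, id)
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, toSign(s.Name, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	srv := NewServer("vpn.example.org") // sample server name
	card, _ := srv.Enroll("alice@example.org")

	c, _ := srv.Challenge("alice@example.org")
	sig := card.Sign(srv.Name, c)
	fmt.Println("fresh signature:", srv.Verify("alice@example.org", sig))

	// Replay: the old signature is presented again against a new challenge.
	srv.Challenge("alice@example.org")
	fmt.Println("replayed signature:", srv.Verify("alice@example.org", sig))
}
```

The server never sees the private key, only signatures, which is the property the text is after. The two checks worth keeping in any real deployment are the ones the replay and relay cases exercise: a challenge is accepted once, and the signed message carries context that identifies the verifier.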

Figure 6-2 depicts the entities involved in the authentication process. At each stage of the process it is possible for an attacker to gain access to the authentication key. Cryptographic techniques can effectively protect transmission of the key over the network, key handling at the server, and key storage in the file store. The real areas of vulnerability are the input mechanism and the user. In the case of knowledge-based authentication, the user has to keep a secret, something people are mostly not very good at. A secret can be told, discovered, or stolen if the user records it physically. Users may tell someone their secret either because they have been tricked or forced into doing so, or because they don't understand the possible consequences of sharing it. Even if the user does not reveal her key prior to authenticating, it is still possible for it to be discovered: the user can be observed during the key entry process, she may have chosen a secret that is easy to guess, or the key may be duplicated by an attacker interfering with the input mechanism.

Figure 6-2. Entities involved in the authentication process


Clearly security cannot be solved in a purely technical way because the user forms an integral part of the system. The following subsections discuss the areas pertinent to a user-centered approach to authentication: accessibility barriers, human factors, security, and context and environment.

6.1.1. Accessibility Barriers

Particular authentication mechanisms can disenfranchise users based on disabilities or limitations they may have. Examples of accessibility barriers are:

  • Physical. Some authentication mechanisms rely on the ability to use a mouse, which can severely affect users with a variety of physical disabilities.

  • Cognitive. Examples of the kinds of disabilities to be considered are dyslexia, dyspraxia, or reduced memory skills. Dyslexia affects a user's ability to work with text, and dyspraxia affects the user's ability to remember and execute sequences of actions in the right order. Users with reduced memory skills may find it difficult to correctly recall a knowledge-based authentication key.

  • Sensory. For example, authentication mechanisms that rely on visual acuity are a problem not only for blind users but also for aging users.

  • Technical. For example, authentication mechanisms that require large amounts of data to be exchanged may be inconvenient for users accessing a system via modem. Likewise, those that require users to recognize graphical images may be inaccessible to users accessing a system via a small mobile device.

6.1.2. Human Factors

Because many authentication mechanisms require cognitive activity, it is important to consider human information-processing characteristics and memory limitations that will directly determine the success of any knowledge-based mechanism.

Figure 6-3 shows how humans process the information they receive from their senses, which is interpreted in terms of previous experience. The information passes from sensory short-term storage to primary memory if the person is paying attention. The information in primary memory is transferred to long-term memory only by further processing and encoding. This processing usually entails organizing the new information in terms of previously encoded information, or categorizing or otherwise encoding the new material. The quality of the encoding is vitally important because it has a direct effect on the ease with which a user remembers the item later. To remember the item, the user has to have some "hooks" that he can use to extract the item again; encoding links the new item to these hooks, which are usually called cues.

Figure 6-3. Memory and information processing


A nonmeaningful item can be learned effectively if the person puts some effort into learning it, but it will frequently decay within 30 days.[5] Sometimes, however, an item can be made meaningful by linking it to a previously learned item, which has established hooks. An example of a meaningful item in authentication is the use of a well-established knowledge item, such as a family birthday, as a PIN. Another way of linking is the definition of a process that allows deduction of the item. An example of a deduction-based item is a user who has a scheme by which he uses the name of the first item he purchases from any e-commerce site as the password. For example, the first book he purchased from Amazon was Jane Eyre, so when he needs to log into Amazon in the future, he remembers that, and types JaneEyre as the password.

[5] H. Ebbinghaus, Memory: A Contribution to Experimental Psychology (New York: Dover Publications, 1964). Translated by H. A. Ruger and C. E. Bussenius. Originally published 1885.

There are three ways that a person can remember an item:

  • Uncued recall. With no assistance, it is up to the user to extract the item from memory, which is why a meaningful or deducible item with established hooks or processes makes things much easier.

  • Cued recall. The person is given a cue and uses it to extract the item from memory. Cues, such as re-establishment of context, can support recall,[6] making it easier to remember the stored item.

    [6] E. Tulving and S. Osler, "Effectiveness of Retrieval Cues in Memory for Words," Journal of Experimental Psychology 77 (1968), 593–601.

  • Recognition. The person is shown the item and then has to confirm whether this is the previously encoded item. This is the best possible cued-recall situation,[7] but recognition must be used with caution in authentication because one has to factor in the effects of guessing.

    [7] M. Eagle and E. Leiter, "Recall and Recognition in Intentional and Incidental Learning," Journal of Experimental Psychology 68 (1964), 58–63.

A stored item can be forgotten as a result of decay or fading, interference from other similar items in memory,[8] or simply because it gets lost, perhaps because it was not encoded in the person's memory with sufficient hooks to enable extraction when required. The first category of remembering, uncued recall, makes forgetting much more likely. Computer users, only too aware of this, react by making authentication keys meaningful to ease remembering, which unfortunately increases predictability and compromises security. Predictability is exacerbated by the provision of cues, so in providing a cued-recall or recognition-based authentication mechanism, one has to walk a fine line between helping the legitimate user to remember and giving an attacker enough cues to guess the key.

[8] K. A. Ericsson and W. Kintsch, "Long-Term Working Memory," Psychological Review 102 (1995), 211–245.

6.1.3. Security

The authentication mechanism must be commensurate with the access being provided. Thus, access to a safety-critical system requires a much stronger authenticator than noncritical access to a shared resource. The authentication mechanism will therefore either make or break the security system and should be chosen with due forethought to support the kind of security required by the data being protected or the access being provided.

6.1.4. Context and Environment

One also has to consider the effects of the environment. For example, some organizations have security policies that require regular renewal of knowledge-based authentication keys, so that users have to repeatedly memorize new keys. This is often done to limit the damage that can be done by an impersonator if a key should be leaked, but the side effects of this policy are often far worse than the original problem: users react to forced changes by choosing predictable keys or by using the same key with a different suffix, to make it easier for them to remember the frequently changing key.
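As an added example (not from the book), the following Go check is the kind of test a password-change handler can run to catch the "same key with a different suffix" reaction described above. It compares the new password against the one being replaced, which is available in plaintext at change time because the user has to supply it, first by stripping the digits and punctuation users append to satisfy a rotation policy and comparing what remains, and then by an edit-distance threshold in the spirit of the difok setting of pam_pwquality. The stem heuristic, the threshold value, and the sample passwords are this example's own choices.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// stem removes the non-letter characters at either end of a password and
// case-folds the rest, so "Winter2023!" and "2024winter" both become "winter".
// A password with no letters at all stems to the empty string.
func stem(pw string) string {
	r := []rune(pw)
	start, end := 0, len(r)
	for start < end && !unicode.IsLetter(r[start]) {
		start++
	}
	for end > start && !unicode.IsLetter(r[end-1]) {
		end--
	}
	return strings.ToLower(string(r[start:end]))
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the ordinary edit distance (insert, delete, substitute),
// computed with two rolling rows.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// TooSimilar reports whether newPw is the old password with a different
// suffix or prefix, or differs from it (case-insensitively) in fewer than
// minDiff edits. The second return value explains which rule fired.
func TooSimilar(oldPw, newPw string, minDiff int) (bool, string) {
	if s := stem(oldPw); s != "" && s == stem(newPw) {
		return true, "new password is the old one with the surrounding digits or symbols changed"
	}
	if levenshtein(strings.ToLower(oldPw), strings.ToLower(newPw)) < minDiff {
		return true, fmt.Sprintf("new password differs from the old one in fewer than %d characters", minDiff)
	}
	return false, ""
}

func main() {
	// Constructed sample pairs: an old password and the candidate replacement.
	pairs := [][2]string{
		{"Winter2023!", "Winter2024!"},
		{"Winter2023!", "Wintar2023!"},
		{"Winter2023!", "correct horse battery staple"},
	}
	for _, p := range pairs {
		bad, why := TooSimilar(p[0], p[1], 5)
		fmt.Printf("%q -> %q: rejected=%v %s\n", p[0], p[1], bad, why)
	}
}
```

A check like this only sees one previous password; pairing it with a hashed history of older ones catches the users who alternate between two favourites, but the hashed history cannot be used for the similarity comparison, only for exact reuse.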

Another important factor is how often the user will use a system where he is authenticated by a knowledge-based key. If the system is used infrequently, it is even more important for the key to be memorable to counteract the inevitable decay problems of memory. One also has to take users' security motivation into account. Organizations can attempt to enforce good security practices, which should raise security awareness, but sometimes this can be counterproductive because users may simply become more inventive at getting around the system. Furthermore, overly restrictive policies can prevent users from averting disasters in unusual situations.[9]

[9] D. Povey, "Optimistic Security: A New Access Control Paradigm," Proceedings of the 1999 Workshop on New Security Paradigms (ACM Press, 2000), 40–45.

Biometric authentication mechanisms should be used with caution in an uncontrolled environment because of the potential for abuse of the mechanism, by attackers either masquerading as legitimate users or forcing legitimate users to authenticate in order to gain unauthorized access to the system.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295