6.2. Authentication Mechanisms

This section discusses authentication mechanisms grouped according to whether they are based on what users are, what users know, what users recognize, or what users hold.

6.2.1. What the User Is (Biometrics)

Biometrics mechanisms (Figure 6-4) fall into two distinct categories:
Biometrics, while appearing infallible, can actually suffer from some potentially insuperable flaws, depending on the actual biometric. In the first place, they are easy to forge in an uncontrolled environment. For example, facial recognition systems can be fooled by a photograph of the individual held up to the camera, and in some cases even by a drawing. They also present problems in terms of convenience, because the user's biometric has to be captured securely at enrollment and at each authentication attempt, a potentially time-consuming process that requires a controlled environment to ensure that people are not being forced to authenticate themselves for someone else's benefit. Biometrics are covered in more detail in Chapter 10.

Figure 6-4. Biometrics

6.2.2. What the User Knows (Memometrics)

There are two types of passwords:
6.2.2.1. Random passwords (uncued recall)

Currently, the most pervasive and popular authentication mechanism is the random password. Passwords have the potential to be very secure, but this potential is seldom realized in the real world, especially in an uncontrolled environment such as the Web. There is evidence that users remember passwords better if they choose them,[10] and even though a system-assigned password will probably be stronger, most systems allow users either to choose their own passwords or to change a system-assigned password. The reason is that users frequently resort to writing down random passwords that are difficult to remember.
Unfortunately, many end users do not choose strong passwords.[11] This is primarily a result of their being overloaded with too many passwords and PINs to remember. They choose easily guessed passwords and reuse those passwords out of self-defense; it is the only way to cope in a world that places increasing burdens on users without any consideration given to the cumulative effects of similar demands being placed upon them by other security systems. (For further discussion of password memorability, see Chapter 7.)
An example of the use of a passphrase is demonstrated by Spector and Ginzberg.[12] Their approach compensates for differences in syntax to determine whether users remember the semantics of the passphrase at authentication, even if the user has forgotten the actual words used at enrollment. This is a good alternative to passwords because it addresses both the memorability and the predictability issues, but it does require special software and is potentially more time consuming at authentication than simple passwords.
6.2.2.2. Cultural passwords (cued recall)

Cultural passwords rely on a deductive process to produce the required password. This contrasts with random passwords, where any word or phrase will do; it is up to the user to make it meaningful in some way. Cultural passwords will typically present the user with a challenge question and obtain, in response, an answer that requires some thought (see Figure 6-5). The theory is that the user will have fewer problems recalling these passwords because the cultural password requires recall of an established fact or opinion. However, it is not a secret in the strict sense of the word: opinions will have been shared, as will facts about the user's life. The design of these systems is nontrivial, as can be seen from the discussion in Chapter 8.

Figure 6-5. Example of recognition-based graphical password (VIP)

Examples of this approach can be seen in the work of Zviran and Haga, who tested cognitive passwords in terms of memorability and predictability and found that they performed better than random passwords. Smith[13] proposes the use of word association during authentication, and Haskett[14] proposes the use of pass-algorithms, where users respond to challenge questions based on the current algorithm, which is communicated to valid users only.
6.2.3. What the User Recognizes (Cognometrics)

The idea of graphical authentication relies on the knowledge that visual memory is extremely powerful. Classic cognitive scientific studies have shown that humans have a vast, almost limitless memory for pictures,[15] and visual memory does not seem to be significantly affected by the general decline of cognitive capabilities associated with aging.[16]
Graphical codes are becoming increasingly popular in personal technology. Two main approaches can be identified, involving different types of skills:
6.2.3.1. Recognition-based systems

Example recognition-based systems are Passfaces,[17] Déjà Vu,[18] and the Visual Identification Protocol (VIP).[19] They all follow the same paradigm, identifying target images among distractors, but use very different visual stimuli. Passfaces uses faces, Déjà Vu uses abstract art, and VIP uses simple representative images. The user clicks on a sequence of images in much the same way as she would click on a sequence of numbers on a PIN pad, as shown in Figure 6-6.
Figure 6-6. Example of cultural passwords

Initial results for many of these systems are encouraging, but evaluations suggest that design issues for this kind of authentication mechanism are not yet fully understood. Graphical passwords are discussed further in Chapter 9.

6.2.3.2. Position-based systems

The original approach to graphical authentication relied on different types of position-based systems. In 1996, Blonder patented a graphical password that required the user to touch predetermined areas of an image in a fixed sequence for authentication.[20] Further work in this area, illustrated in Figure 6-7, can be seen in Draw-a-Secret by Jermyn et al.,[21] which requires the user to reproduce a previously drawn picture, and Jiminy,[22] which requires the user to position a colored template onto an image with a grid superimposed over it in order to reveal a PIN or password.
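The following is an added example, not code from the chapter or from any of the systems it names. It shows the server-side check that both kinds of graphical password reduce to: the user must reproduce an ordered secret selection. For recognition-based schemes the secret is a sequence of target image identifiers that the server shows mixed with random distractors, and for a Blonder-style position-based scheme it is a sequence of regions of one image, approximated here by discretizing click coordinates into grid cells. The image identifiers, grid size, cell size and coordinates are constructed assumptions; the store keeps only a salted hash of the selection so that a leaked database does not reveal which images or regions are the targets.

```python
"""Toy verifier for ordered-selection graphical passwords (added example).

Recognition-based: the secret is a sequence of image ids; each challenge is a
freshly shuffled grid of those targets plus distractors.
Position-based: the secret is a sequence of regions of an image; clicks are
discretized into cells so that a click anywhere in the same cell matches.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed pool of image identifiers standing in for the real picture set.
IMAGE_POOL = [f"img{n:03d}" for n in range(60)]


@dataclass
class Enrolment:
    salt: bytes
    digest: bytes


def _digest(salt: bytes, tokens: list[str]) -> bytes:
    # Length-delimited encoding so that order matters and tokens cannot merge.
    payload = b"".join(len(t).to_bytes(2, "big") + t.encode() for t in tokens)
    return hashlib.sha256(salt + payload).digest()


def enrol(tokens: list[str]) -> Enrolment:
    """Store only a salted hash of the ordered selection, never the selection."""
    salt = secrets.token_bytes(16)
    return Enrolment(salt, _digest(salt, tokens))


def verify(enrolment: Enrolment, tokens: list[str]) -> bool:
    # Constant-time comparison avoids leaking how much of the digest matched.
    return hmac.compare_digest(enrolment.digest, _digest(enrolment.salt, tokens))


# --- recognition-based (Passfaces / Deja Vu / VIP style) --------------------

def make_challenge(targets: list[str], grid_size: int = 9) -> list[str]:
    """Random grid that contains every target plus distractors, shuffled so
    that grid position gives no hint about which images are targets."""
    if len(targets) > grid_size:
        raise ValueError("grid too small for the number of targets")
    distractors = [i for i in IMAGE_POOL if i not in targets]
    rng = secrets.SystemRandom()
    grid = list(targets) + rng.sample(distractors, grid_size - len(targets))
    rng.shuffle(grid)
    return grid


def answer_recognition(enrolment: Enrolment, grid: list[str],
                       clicked_positions: list[int]) -> bool:
    """Map the clicked grid positions back to image ids and verify the order."""
    if any(p < 0 or p >= len(grid) for p in clicked_positions):
        return False
    return verify(enrolment, [grid[p] for p in clicked_positions])


# --- position-based (Blonder-style predetermined regions) -------------------

def to_cells(points: list[tuple[int, int]], cell: int = 40) -> list[str]:
    """Discretize pixel coordinates into grid cells; the cell size is the
    click tolerance, and a click in the wrong cell fails even if it is close."""
    return [f"{x // cell},{y // cell}" for x, y in points]


def enrol_positions(points: list[tuple[int, int]], cell: int = 40) -> Enrolment:
    return enrol(to_cells(points, cell))


def answer_positions(enrolment: Enrolment, points: list[tuple[int, int]],
                     cell: int = 40) -> bool:
    return verify(enrolment, to_cells(points, cell))


if __name__ == "__main__":
    targets = ["img005", "img017", "img042", "img003"]   # constructed secret
    e = enrol(targets)
    grid = make_challenge(targets)
    print("grid:", grid)
    print("correct order:", answer_recognition(e, grid, [grid.index(t) for t in targets]))
    print("reversed order:", answer_recognition(e, grid, [grid.index(t) for t in reversed(targets)]))
```

Discretizing clicks into cells is the simplest way to get tolerance while still hashing the secret; its known weakness is that a click just across a cell boundary fails even when it is a few pixels from the enrolled point, which is one of the usability issues the chapter says are not yet fully understood for these mechanisms.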
Figure 6-7. Examples of drawing-based and position-based graphical passwords

6.2.4. What the User Holds

Authentication can be based on something the customer holds. Such an object is typically called a token. A good example of a token is the SecureID manufactured by RSA Security.[23] The token contains a clock and a secret key. The two are combined by a cryptographic function to produce a numeric code that is displayed on the token's LCD display. To authenticate herself, a SecureID user types the displayed number at a prompt. The authenticating server also knows the time of day and the secret stored in the user's token. The server performs the same cryptographic function. If the computed value matches the value that the user entered, the user is assumed to be in possession of the token.
Another good example is the Universal Serial Bus (USB) authentication token, which contains a smart card chip and a smart card reader. These devices typically contain a private key, a public key, and a certificate issued by a certification authority. The remote system issues a challenge to the token to verify that the user in fact has control of the matching private key. Next, the system consults a database to verify that the name on the certificate corresponds to an identity that is authorized to have access. The usability of these devices is discussed in Chapter 12. Tokens can be provided by either hardware or software devices. The hardware token has a lifetime battery and displays a security code on an LCD display. The software token runs on the user's personal machine, with the user's key being stored securely on the desktop computer rather than on the hardware token. Although such hardware devices offer security benefits over regular passwords, they do have some disadvantages. The devices have an associated cost, which may make them less viable than other mechanisms. The user also has to remember to carry the hardware token. If users have many relationships that require the use of hardware tokens, transporting all of these tokens may prove somewhat onerous. Furthermore, users need some way of remembering which token to use for different systems. Software tokens alleviate these problems by storing keys on the user's own computer, but this binds the user to that machine when accessing a particular system; software tokens are also less secure than hardware tokens, because the user's computer may be compromised. Finally, some token-based systems may require that the user remember a PIN, which has all the problems related to uncued recall discussed in the previous section.

6.2.5. Two-Factor Authentication

The chances of an erroneous positive authentication can be reduced by requiring that users perform multiple authentications with different systems in order to gain access. The most common strategy is known as two-factor authentication because it combines two systems. This allows each system to make up for the other's weakness. For example, token-based authentication systems are commonly combined with passwords. This protects the user against compromise by a lost token (because the attacker will not know the password) and compromise by a stolen password (because the attacker will not have the token). Two-factor authentication also complicates usability, because the user must now remember both her password and the token. While two-factor authentication works well against many kinds of security compromises, these systems can also be circumvented by a sufficiently motivated attacker. Against some kinds of attacks, two-factor authentication provides little increased security at all. For example, ATM machines use two-factor authentication: they require that a bank depositor both have an ATM card and know a password in order to withdraw money. But these two factors do not offer increased protection to a depositor who has been kidnapped and is forced at gunpoint to both hand over the ATM card and reveal the password.
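The following is an added example, not code from the chapter or from RSA Security, that works through two points made above: the clock-plus-secret token of Section 6.2.4 and its combination with a password in Section 6.2.5. The token side uses the open TOTP construction (RFC 6238: an HMAC over a time counter, truncated to six digits) to illustrate the shared-clock-and-shared-secret principle; it is not SecurID's proprietary algorithm. The token secret, password, salt and timestamps are constructed values, and the small clock-skew window and the "evaluate both factors before answering" rule are design choices of this example, not claims about any named product.

```python
"""Time-based token plus password: a two-factor verifier (added example).

Token side: the device and the server share a secret key and a clock; both
compute HMAC(secret, floor(time / 30 s)) and show or check a 6-digit code.
Server side: both factors are checked before any answer is given, so a
failure response does not tell the caller which factor was wrong.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # length of one time step; the displayed code changes each step
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code the token would display at unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, server_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- skew_steps neighbours.

    The window tolerates a token clock that has drifted a little; keeping it
    to one step each way bounds how long any single code stays valid."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    matched = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, server_time + delta * STEP_SECONDS)
        matched |= hmac.compare_digest(expected, code)   # no early exit on hit
    return matched


# --- password factor --------------------------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so a stolen record cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enrol_user(password: str, token_secret: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "token_secret": token_secret}


def authenticate(record: dict, password: str, code: str, server_time: int) -> bool:
    """Two-factor decision: both the password and the token code must verify."""
    pw_ok = hmac.compare_digest(record["pw_hash"],
                                hash_password(password, record["salt"]))
    otp_ok = verify_totp(record["token_secret"], code, server_time)
    # Both factors are evaluated unconditionally; the single boolean result
    # does not reveal whether the password or the token was the wrong one.
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed shared secret (also the RFC 6238 test-vector key).
    token_secret = b"12345678901234567890"
    record = enrol_user("correct horse battery", token_secret)
    now = int(time.time())
    shown = totp(token_secret, now)           # what the token's display would read
    print("token shows", shown)
    print("login ok:", authenticate(record, "correct horse battery", shown, now))
    print("lost token, guessed code:", authenticate(record, "correct horse battery", "000000", now))
    print("stolen password, no token:", authenticate(record, "wrong password", shown, now))
```

The two trade-offs the chapter raises show up directly in the parameters: a wider skew window makes a drifting token clock less annoying for the user but lengthens the life of every code, and the password factor only adds protection against a lost token if the failure response gives an attacker no hint about which factor to keep guessing.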