6.2. Authentication Mechanisms

This section discusses authentication mechanisms grouped according to whether they are based on what users are, what users know, what users recognize, or what users hold.

6.2.1. What the User Is: Biometrics

Biometrics mechanisms (Figure 6-4) fall into two distinct categories:

  • Behavioral biometrics. These can be based on mouse usage patterns, keystroke latencies or dynamics, or signature dynamics.

  • Physiological characteristics. These can be based on fingerprints, voice, iris or retina, vein pattern, face, hand, or finger geometry, or even ear shape.

Biometrics, while appearing infallible, can in fact suffer from potentially insuperable flaws, depending on the biometric in question. In the first place, some are easy to forge in an uncontrolled environment. For example, facial recognition systems can be fooled by a photograph of the individual held up to the camera, and in some cases even by a drawing.

They also present problems of convenience, because the user's biometric has to be captured securely at enrollment and at each authentication attempt, a potentially time-consuming process that requires a controlled environment to ensure that people are not being forced to authenticate themselves for someone else's benefit.

Biometrics are covered in more detail in Chapter 10.

Figure 6-4. Biometrics


6.2.2. What the User Knows: Memometrics

There are two types of passwords:

  • Random. The random approach uses an arbitrary sequence of letters and digits (which may be generated by the system or chosen by each user), and is called a password (if it is a single word), a PIN (if it consists only of digits), or a passphrase (if it consists of more than one word).

  • Cultural. The cultural approach relies on the memory of a concept or a phrase, and is sometimes also called a cognitive or a semantic password.

6.2.2.1 Random passwords (uncued recall)

Currently, the most pervasive and popular authentication mechanism is the random password. Passwords have the potential to be very secure, but this potential is seldom realized in the real world, especially in an uncontrolled environment such as the Web. There is evidence that users remember passwords better if they choose them,[10] and even though a system-assigned password will probably be stronger, most systems allow users either to choose their own passwords or to change a system-assigned one. The reason is that users frequently resort to writing down system-assigned passwords that are difficult to remember.

[10] M. Zviran and W. J. Haga, "Cognitive Passwords: The Key to Easy Access Control," Computers and Security 9 (1990), 723-736.

Unfortunately, many end users do not choose strong passwords.[11] This is primarily a result of their being overloaded with too many passwords and PINs to remember. They choose easily guessed passwords and reuse those passwords out of self-defense; it is the only way to cope in a world that places increasing burdens on users without any consideration given to the cumulative effects of similar demands being placed upon them by other security systems. (For further discussion of password memorability, see Chapter 7.)

[11] A. McCue, "Is Your Cat a Target for Password-Stealing Hackers?" Silicon.com (Aug. 11, 2004); http://software.silicon.com/security/0,39024655,39123066,00.htm.

An example of the use of a passphrase is given by Spector and Ginzberg.[12] Their approach compensates for differences in syntax in order to determine whether users remember the semantics of the passphrase at authentication, even if they have forgotten the actual words used at enrollment. This is a good alternative to passwords because it addresses both memorability and predictability, but it requires special software and is potentially more time-consuming at authentication than a simple password.

[12] Y. Spector and J. Ginzberg, "Pass-Sentence: A New Approach to Computer Code," Computers and Security 13 (1994), 145-160.

6.2.2.2 Cultural passwords (cued recall)

Cultural passwords rely on a deductive process to produce the required password. This contrasts with random passwords, where any word or phrase will do; it is up to the user to make it meaningful in some way. Cultural passwords typically present the user with a challenge question and obtain, in response, an answer that requires some thought (see Figure 6-5). The theory is that the user will have fewer problems recalling these passwords because a cultural password requires recall of an established fact or opinion. However, it is not a secret in the strict sense of the word: opinions will have been shared, as will facts about the user's life. The design of these systems is nontrivial, as can be seen from the discussion in Chapter 8.

Figure 6-5. Example of cultural passwords


Examples of this approach can be seen in the work of Zviran and Haga,[10] who tested cognitive passwords in terms of memorability and predictability and found that they performed better than random passwords. Smith[13] proposes the use of word association during authentication, and Haskett[14] proposes the use of pass-algorithms, where users respond to challenge questions according to the current algorithm, which is communicated to valid users only.

[13] S. Smith, "Authenticating Users by Word Association," Proceedings of the Human Factors Society 31st Annual Meeting (1987), 135-138.

[14] J. A. Haskett, "Pass-Algorithms: A User Validation Scheme Based on Knowledge of Secret Algorithms," Communications of the ACM 27 (1984), 777-781.

6.2.3. What the User Recognizes: Cognometrics

The idea of graphical authentication relies on the knowledge that visual memory is extremely powerful. Classic cognitive scientific studies have shown that humans have a vast, almost limitless memory for pictures,[15] and visual memory does not seem to be significantly affected by the general decline of cognitive capabilities associated with aging.[16]

[15] A. Madigan, "Picture Memory," in J. C. Yuille (ed.), Imagery, Memory and Cognition: Essays in Honour of Allan Paivio (Erlbaum, 1983).

[16] D. C. Park, "Aging and Memory: Mechanisms Underlying Age Differences in Performance," Proceedings of the 1997 World Congress of Gerontology (1997).

Graphical codes are becoming increasingly popular in personal technology. Two main approaches can be identified, involving different types of skills:

  • Recognition-based systems. These require the user to select target pictures among a set of distractors. This approach relies on pure visual memory, and exploits the ability to recognize previously seen visual objects among others.

  • Position-based systems. These require the user to identify target objects within an individual picture, or to draw a previously drawn object on a grid. This approach relies on both the visual and the spatial aspects of the visuo-spatial memory, and on precise movements.

6.2.3.1 Recognition-based systems

Example recognition-based systems are Passfaces,[17] Déjà Vu,[18] and the Visual Identification Protocol (VIP).[19] They all follow the same paradigm (identify target images among distractors) but use very different visual stimuli. Passfaces uses faces, Déjà Vu uses abstract art, and VIP uses simple representative images. The user clicks on a sequence of images in much the same way as she would press a sequence of numbers on a PIN pad, as shown in Figure 6-6.

[17] S. Brostoff and A. Sasse, "Are Passfaces More Usable Than Passwords? A Field Trial Investigation," in People and Computers XIV: Usability or Else! Proceedings of HCI 2000, S. McDonald (ed.), (Springer, 2000), 405-424.

[18] R. Dhamija and A. Perrig, "Déjà Vu: A User Study Using Images for Authentication," Proceedings of the 9th USENIX Security Symposium (2000).

[19] A. De Angeli, M. Coutts, L. Coventry, and G. I. Johnson, "VIP: A Visual Approach to User Authentication," Proceedings of the Working Conference on Advanced Visual Interfaces (AVI 2002), 316-323.

Figure 6-6. Example of recognition-based graphical password (VIP)


Initial results for many of these systems are encouraging, but evaluations suggest that design issues for this kind of authentication mechanism are not yet fully understood. Graphical passwords are discussed further in Chapter 9.

6.2.3.2 Position-based systems

The original approach to graphical authentication relied on different types of position-based systems. In 1996, Blonder patented a graphical password that required the user to touch predetermined areas of an image in a fixed sequence for authentication.[20] Further work in this area, illustrated in Figure 6-7, can be seen in Draw-a-Secret by Jermyn et al.[21], which requires the user to reproduce a previously drawn picture, and Jiminy,[22] which requires the user to position a colored template onto an image with a grid superimposed over it in order to reveal a PIN or password.

[20] G. E. Blonder, "Graphical Password," U.S. Patent 5559961, 1996.

[21] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," Proceedings of the 8th USENIX Security Symposium (1999).

[22] K. V. Renaud and A. De Angeli, "My Password Is Here! Investigating Authentication Schemes Based on Visuo-Spatial Memory," Interacting with Computers (2005), to appear.

Figure 6-7. Examples of drawing-based and position-based graphical passwords


6.2.4. What the User Holds

Authentication can be based on something the user holds. Such an object is typically called a token.

A good example of a token is the SecurID manufactured by RSA Security.[23] The token contains a clock and a secret key. The two are combined by a cryptographic function to produce a numeric code that is displayed on the token's LCD. To authenticate herself, a SecurID user types the displayed number at a prompt. The authenticating server also knows the time of day and the secret stored in the user's token, so it performs the same cryptographic function. If the computed value matches the value that the user entered, the user is assumed to be in possession of the token.

[23] http://www.rsasecurity.com.
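The time-based scheme described above, as an added example that is not part of the original text and not RSA's code: SecurID's algorithm is proprietary, so this Go program uses the openly specified equivalent, HOTP (RFC 4226) driven by a 30-second clock counter (TOTP, RFC 6238). The secret (the RFC 6238 SHA-1 test key), the step length, the skew window and the `verifier` type are all assumptions made for the example. It shows the token side (`totpCode`, the number on the display) and the server side (`verify`), including the two checks a deployment needs that the paragraph does not spell out: a small window of tolerated clock drift, and refusing to redeem the same code twice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const stepSeconds int64 = 30 // one display period; token and server must agree on it

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then the low six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpCode is what the token displays at time t: HOTP with the counter
// derived from the clock (RFC 6238). This is the "clock + secret key" step.
func totpCode(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix()/stepSeconds))
}

// verifier is the server's state for one enrolled token (assumed structure).
type verifier struct {
	secret      []byte
	lastCounter int64 // highest counter already redeemed; a code is accepted at most once
}

func newVerifier(secret []byte) *verifier {
	return &verifier{secret: secret, lastCounter: -1}
}

// verify accepts the entered code if it matches any step within +/-skew of the
// server clock (tolerating drift between the token's clock and the server's)
// and that step has not been redeemed before. The comparison is constant-time.
func (v *verifier) verify(entered string, now time.Time, skew int) bool {
	base := now.Unix() / stepSeconds
	for d := -skew; d <= skew; d++ {
		c := base + int64(d)
		if c <= v.lastCounter {
			continue // already used, or older than a step already used
		}
		expected := hotp(v.secret, uint64(c))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(entered)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test secret (constructed input)
	at := time.Unix(59, 0)
	code := totpCode(secret, at)
	v := newVerifier(secret)
	// First verification succeeds; entering the same code again is a replay and fails.
	fmt.Println(code, v.verify(code, at, 1), v.verify(code, at, 1))
}
```

The skew window is where this design trades security for usability: each extra step of tolerance adds two more codes that a guess can match, and the replay check is what keeps a shoulder-surfed or phished code from being reused within that window. Note that the server holds the same secret as the token, so a compromise of the server's database compromises every token enrolled in it.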

Another good example is the Universal Serial Bus (USB) authentication token, which combines a smart card chip and a smart card reader in a single device. These devices typically hold a private key, the matching public key, and a certificate issued by a certification authority. The remote system issues a challenge to the token to verify that the user in fact controls the private key matching the certificate. Next, the system consults a database to verify that the name on the certificate corresponds to an identity that is authorized to have access. The usability of these devices is discussed in Chapter 12.
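The challenge-response exchange described above, as an added example that is not part of the original text and not the code of any USB token product. It is Go code that builds a small certification authority, enrolls a token under a certificate, and has the server run the checks in the order the paragraph gives: the certificate chains to a trusted CA, the signature over a fresh nonce verifies under that certificate's key, and the certified name is in the authorization database. The CA, the name `alice`, ECDSA P-256, SHA-256 and the 32-byte random nonce are all assumptions of the example; the token's PIN and the smart-card transport are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// token models the USB device: the private key is generated on it and never leaves it.
type token struct {
	priv *ecdsa.PrivateKey
	cert *x509.Certificate
}

// signChallenge is the only operation the token exposes: sign the server's nonce.
func (t *token) signChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
}

// server holds the CA it trusts and an authorization database keyed by certificate subject.
type server struct {
	roots      *x509.CertPool
	authorized map[string]bool
}

// newChallenge returns a fresh 256-bit nonce; a new one per attempt is what defeats replay.
func (s *server) newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// authenticate performs the checks in the order the text describes.
func (s *server) authenticate(nonce, sig []byte, cert *x509.Certificate) error {
	// 1. The certificate chains to a trusted CA and is valid for client authentication.
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	// 2. The response is a valid signature over this nonce under the certified key,
	//    which is the proof that the holder controls the matching private key.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge signature invalid")
	}
	// 3. The certified name is one the database authorizes; a valid certificate alone grants nothing.
	if !s.authorized[cert.Subject.CommonName] {
		return fmt.Errorf("%q is not authorized", cert.Subject.CommonName)
	}
	return nil
}

// issue signs template for pub with signer and parses the result (parent == template self-signs).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// setup builds a CA, a server that trusts it, and a token enrolled under name.
// Constructed test data: the authorization database lists only "alice".
func setup(name string) (*server, *token, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Token CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	userCert, err := issue(userTmpl, caCert, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &server{roots: roots, authorized: map[string]bool{"alice": true}}, &token{priv: userKey, cert: userCert}, nil
}

func main() {
	srv, tok, err := setup("alice")
	if err != nil {
		panic(err)
	}
	nonce, _ := srv.newChallenge()
	sig, _ := tok.signChallenge(nonce)
	fmt.Println("alice:", srv.authenticate(nonce, sig, tok.cert))
}
```

The order of the checks matters: verifying the chain before the signature means a self-signed certificate carrying an attacker's key is refused at step 1 regardless of how well the attacker can sign, and consulting the database last means that a validly issued certificate by itself grants nothing. The nonce must be chosen by the server, be unpredictable, and be used once; if the token were allowed to choose what it signs, a signature captured from an earlier session could be replayed.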

Tokens can be implemented in either hardware or software. The hardware token has a lifetime battery and displays a security code on an LCD. The software token runs on the user's personal machine, with the user's key stored on the desktop computer rather than in a separate hardware device.

Although such hardware devices offer security benefits over regular passwords, they do have some disadvantages. The devices have an associated cost, which may make them less viable than other mechanisms. The user also has to remember to carry the hardware token. If users have many relationships that require the use of hardware tokens, transporting all of these tokens may prove somewhat onerous. Furthermore, users need some way of remembering which token to use for which system. Software tokens alleviate these problems by storing keys on the user's own computer, but this binds the user to that machine when accessing a particular system; software tokens are also less secure than hardware tokens, because the user's computer may be compromised and the key copied from it.

Finally, some token-based systems may require that the user remember a PIN, which has all the problems related to uncued recall discussed in the previous section.

6.2.5. Two-Factor Authentication

The chances of an erroneous positive authentication can be reduced by requiring that users authenticate with more than one mechanism in order to gain access. The most common strategy is known as two-factor authentication because it combines two mechanisms, allowing each to make up for the other's weakness.

For example, token-based authentication systems are commonly combined with passwords. This protects the user against compromise by a lost token (because the attacker will not know the password) and compromise by a stolen password (because the attacker will not have the token). Two-factor authentication also complicates usability, because the user must now both remember her password and carry the token.

While two-factor authentication works well against many kinds of security compromise, these systems can also be circumvented by a sufficiently motivated attacker. Against some kinds of attack, two-factor authentication provides little increased security at all. For example, ATMs use two-factor authentication: they require that a bank depositor both have an ATM card and know a PIN in order to withdraw money. But these two factors offer no additional protection to a depositor who has been kidnapped and is forced at gunpoint both to hand over the ATM card and to reveal the PIN.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295