There are several types of authentication methods. They are referred to as factors. A factor is an item or attribute that can be specifically linked to the user. Most authentication attri- butes fall into five main categories:
Something You Know: This includes any information committed to memory or in written form, such as passwords, PINs, the street you grew up on, your favorite teacher, or personal information such as your zip code or account number.
Something You Have: This includes credit cards, digital proximity cards, radio-frequency identification (RFID) devices, hardware tokens, photo ID badges, and smartphones for SMS/text messages.
Something You Are: This includes the use of a biometric system to verify the user’s physical characteristics such as fi ngerprints, palm scans, iris or retina scans, facial feature scans, key stroke dynamics, weight, or speech recognition.
Somewhere You are: This uses a geolocation or geotagging system to physically locate the user by recognizing the user access point or terminal, IP address, satellite triangulation, or cell towers in use.
Something You Do: This makes use of various traits exhibited by the individual. These traits include voice patterns, heart rhythms, handwriting analysis, and keyboard typing characteristics.
Something You Know
Something you know is the most common form of authentication. In most instances, the user enters a password. Passwords can prove to be the weakest type of authentication. The security practitioner may employ a number of techniques that increases the security of user passwords:
Never use default passwords.
Users, as well as network administrators, should not use the password that came from the factory. Passwords must be changed on all network hardware items. Users must never be allowed to use pass or password as a password.
Change passwords often.
Many organizations establish a password change period within a password policy document. This may be as often as every 30 days but should be no longer than every 90 days. Group Policy Manager is usually used to enforce password change policy.
Make passwords sufficiently strong.
Passwords should never be common dictionary words of any language, names, personal identification numbers, pet names, or anything that can easily be guessed. Passwords should be a minimum of seven characters in length and consist of upper and lowercase letters, numbers, and special characters.
Never write passwords down.
Frequently passwords are found around the user’s work area on sticky notes, note pads, diaries, or even books or papers. As a security practitio- ner, never make a password so complex that it forces the user to write it down and refer to the note.
Never tell your password to anyone.
One of the most popular social engineering attacks is a call from a tech department requesting the user’s password. Frequently, someone is away from the office and calls to ask a friend to access their system using their password. Or, a temporary employee is given the password of the permanent employee they are replacing.
Use audit tools to verify password strength
There are many third-party applications as well as operating system tools that allow the security practitioner to scan passwords and verify the strength by checking for special characters, password length, numbers, and duration on the system.
Something you know can also be a secondary authentication question. Many financial accounts require a username for identification, a password for initial authentica- tion, and then some personal information not likely known by many others. This additional personal information is usually in the form of several questions the user is asked upon account setup. Such questions might include mother’s maiden name, the street where you lived when you were 10 years old, your favorite teacher, the best man, and the city where you were married. The problem with this is that some of this information is readily available knowledge. Users should select questions and answers that are not easily publicly found, such as favorite teacher or best man.
Another form of something you know authentication is the use of CAPTCHA characters. CAPTCHA is the acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. This is a challenge-and-response system featuring a set of numbers and letters in various shapes with varying backgrounds. The challenge is for the user to visually recognize the characters and knowingly retype them into a form. This tech- nique is used to determine if the user is a human or a machine. A machine may be able to break a user’s password, but it still would not be able to pass this test. The machine would not be able to visually read or recognize the shapes of the CAPTCHA characters.
Something You Have
Many people carry an ATM card, driver’s license, student ID, smartphone, credit card, or proximity card. Each of these can be used to establish authentication. For instance, if you are stopped by the police, you may verbally state your name, but a driver’s license or other identification issued by an authority such as a state department of motor vehicles or a university, in the case of a student ID, is used by the officer to establish if you are stating the correct name. This is an example of something you have.
Many corporate and federal employees are issued proximity keys or cards to access facilities. Specific data is embedded within the card. Although they are not internally pow- ered, they feature a type of antenna that receives a signal from a nearby receiver. This stimulates the card and provides sufficient energy for the card electronics to respond to the card reader and transmit information. This technique is also utilized on many toll roads across the country. A small device typically placed on the windshield responds to a signal transmitted toward the auto and the device responds with identification and authentication information allowing the toll authority to debit the person’s account.
Many businesses provide employees with a personal badge that has a name, ID number, and photo of the employee. Many of these badges also contain micro-electronics that allow the individual to access various doors within the facility. Most facilities log the entry and exit of individuals throughout the premises.
Another type of card is a smart card; in government organizations this might be referred to as a common access card (CAC). This type of card features circuitry that stores the user’s certificate. The certificate contains the user’s public key for authentication as well as encryption, although in this case it is primarily used for authentication. The card is usually placed into a card reader to be read. Since the card might be lost or stolen, a second authen- tication factor is usually required such as a biometric input, PIN, or password.
Something You Are
Something you are is a physical characteristic that is unique to you and your body. Biometrics is the science and technology of recognizing a user based upon their body. For instance, law enforcement can identify individuals by fingerprints, footprints, palm prints, blood samples, and DNA.
In business today, various biometric techniques are used to identify and authenticate individuals:
Fingerprints have been used for identification by law enforcement for many decades. A fingerprint is obtained by scanning one or more fi ngers several times. This digital finger print image is used to generate a finger image identifier record that can be used to compare with future scans. Fingerprint recognition in biometrics is one of the most widely used techniques now being used on laptops, tablets, and personal cell phones. In fingerscan technology, only the features extracted from the fingerprint are stored. This allows one to many rapid fingerprint data searches. In fingerprint technology, entire fingerprints are stored on a system, requiring large amounts of storage.
Iris and Retina Scans
Iris scans map the colored part of the eye, recording the unique color, patterns, and textures. A retina scan has proven to be extremely reliable, more reliable than using fi ngerprints and other biometric techniques. Retina scans are utilised by the government for access into sensitive locations and systems.
Similar to mapping points on a fingerprint, a facial scan records and traces various key points on the human face. Using measurements and placement of various features, a video or photograph of a face may be matched to facial signatures in a database.
Although not as popular as other biometrics, weight recognition has been utilized in mantraps to both authenticate an individual and alert authorities in the event of two persons in the mantrap, called “piggybacking.” Weight has also been used as alarm systems to warn if an intruder has placed weight on a room floor or object.
Palm Prints and Palm Geometry
This biometric method uses the physical palm geometry of the palm and fi ngers to uniquely verify an individual. In systems known as palm scans, a bright light is used to scan and map blood vessels within the hand to create a unique palm signature.
There are several challenging aspects to the use of biometrics. Any or all of these might be considered when implementing a biometric system:
Every biometric system must initially be set up with every user’s unique information. For instance, for a retina scan device, every user must submit to an initial scan.
Every biometric device is comparing a current reading or capture with a saved signature. In some cases, an error can occur that prohibits passage or allows passage when it should not occur.
Each user wanting access must submit to an acquisition of biometric information. This could be as simple as a fi ngerprint scan or palm scan or as complex as a retina scan or voice scan. Each scan requires an increment of time to acquire the sample informa- tion, and in each case the user must be present and wait during the scanning process.
Once the biometric sample has been acquired from the user, it must be compared to the stored sample signature in the system database. This requires a period of processing time during which the user remains waiting for access. Should the system malfunction or service be denied, access to the facility or resource might be denied.
In this type of database search, the acquired information scan is compared against stored signatures or data samples for a potential match. Only specific data points of the acquired sample information are compared against similar data points stored in the system to speed the sort. Errors may occur when not enough points match.
Every biometric system faces its own challenges processing information and making decisions to allow or deny access to the user. When specifying a biometric authentication system, various terms and considerations are used.
False Rejection Rate (FRR)
FRR is referred to as a Type I error. This is the percentage of time a biometric system rejects a known good user, thus not allowing access.
False Acceptance Rate (FAR)
FAR is referred to as a Type II error. This is the percentage of time a biometric system falsely identifies as good an unknown user, thus allowing access.
Crossover Error Rate (CER)
The CER is where the false rejection rate (FRR) and false acceptance rate (FAR) cross over. A lower CER indicates a better biometric authentication system.
Something You Do
Something you do is a trait that you have developed over the years. This trait is unique to you and has developed either through training, your upbringing, environment, or perhaps something unique to your body construction. Unique biometric scanning devices have been constructed to measure a variety of personal traits to be able to authenticate an individual. These traits are as follows:
This recognizes how the subject creates letters and words. The subject is requested to sign their name or to write out a specific group of words. Items tested may include pen pressure, direction of strokes, and points where the pen was lifted from the page. The scanning system then examines the result and matches specific test points with those saved in memory. Signature dynamics is the biometric factor of handwriting analysis.
Voice Pattern Recognition
This acquisition system requires the individual to speak a phrase into a recording device. This is the same phrase that was originally recorded and stored in memory. The system examines features such as inflection points, volume, speaking speed, and pauses. The stored voice phrase in the biometric system is referred to as a voiceprint.
Keystroke dynamics, also known as keyboard pattern recognition, recognizes how an individual types on the keyboard. Various biometric systems measure fl ight time and dwell time to generate a typing signature. The signature generally captures flight time, or the time a user takes between key depressions, and dwell time, which is the length of time a key is depressed. The results of using keystroke dynamics as a biometric recognition system are inconsistent because users’ typing methods change depending upon mood or environment.
Researchers have identified that each person’s heart beats in the unique pattern. This pattern may be detected with recognition software and used as a biometric authentication system. Typically this is achieved by the user wearing a wristband that monitors their heartbeat and its unique pattern and uses it to unlock phones, computers, and other nearby devices that belong to the user. This technique is somewhat similar to health and fitness trackers, with the current measurement of the user being compared to a stored signature for authentication purposes. Heart/pulse pattern recognition is a biometric authentication technique.
Somewhere You Are
Geolocation and geotagging are now used by many systems to identify where the user actually is located. Many software applications, retail stores, social media sites, and other systems ask for the user to allow themselves to be geolocated. Users may be identified and authenticated by their location. For instance, several major department stores are pushing ads out to cell phones as you walk through the store. You may receive a coupon on your phone as you drive past a coffee shop or another location. Major credit cards such as American Express will act on location anomalies when a charge is made in a foreign country if the user has no history of traveling to that country.
Published on Sat 02 March 2013 by Betty Perkins in Security with tag(s): factors authentication