Biometrics and secondary authentication. Victoria Cepeda March 11, 2015 Some slides adapted from Michelle Mazurek, Lorrie Cranor,Blase Ur, Chandrasekhar Bhagavatula and Stephen Siena
Authentication in simple terms • Positive verification of identity (man or machine) • Verification of a person’s claimed identity • Categories: • What you know • What you have • Who you are
Authentication Categories What you know • • Password • PIN What you have • • e-Token • ATM Cards Who you are • • Biometrics
Desired properties of Authentication Methods • Widely (universally) applicable • Easy to use • Easy to remember, match and change • Quick to use • Should be consistent over time • Hard to guess (large search space) • Can be revoked
What is Biometrics? • “Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic.” – The Biometric Consortium • In other words: Characteristics of the human body can be used to identify or authenticate. Image from http://www.economist.com Image from http://www.sciencedaily.com
Types of Biometrics “Physiological” • Face • Iris • Fingerprint • Ear • Teeth • DNA • Heartbeat • Vein pattern • Hand and finger geometry
Types of Biometrics “Behavioral” • Gait • Keystrokes • Mouse movements • Voice • Signature
What is the goal of biometrics?
Biometrics Process new biometric sample is requested. No Signal Processing, Quality Biometric Feature Extraction, Transmission Sufficient? Data Collection Representation Yes Template Match database Database Yes Decision Confidence? No
Comparison between some biometric techniques
Performance Metrics False Rejection/Acceptance Errors: • FAR (False Acceptance Rate) : percent of invalid inputs that are incorrectly accepted. • FTA (Failure to acquire): occur when trying to enter new samples into a system for verification. • FTE (Fail to Enroll): This occurs if a person is unable to enroll in a system. • FNM (False non-match). A FNM occurs when a system rejects an authorized user. • FM (False match): A FM occurs when a system accepts an unauthorized user as an authorized user. • FRR (False Reject Rate) : percent of valid inputs that are incorrectly rejected. FRR is a percentage calculated from a combination of a system’s FTE, FTA, and FNM. • CER (Crossover Error Rate): The rate at which both the accept and reject errors are equal.
Performance Metrics Curve • The line labeled EER represents a balanced performance. • From the graph, it is easy to see that if the user comfort is increased, the false positive rate will increase.
Applications of Biometric System • Criminal identification • Internet banking • Attendance system • Airport, Bank security • PC login security • Prevents unauthorized access to private data • Financial transaction management
Challenges in Biometrics • Many biometrics are constantly changing • Every biometric is measured differently each time
Smartphone Biometrics • Both Google and Apple have introduced some form of biometric authentication on their smartphones • Potential Advantages – More secure – Easier unlocking of phone • Potential Problems – Do you want Google or Apple to have your biometrics at all times? • Both have been easily broken(Face unlock and Fingerprint unlock) • Google tried to fix it by adding a liveness checking option where they required a blink. (It doesn’t really help)
The brave new world of biometrics • University of California, Berkeley: researchers develop technology to access passwords with mind. • Defense Advanced Research Projects Agency (DARPA) : "password pill" or "electronic tattoo" that would serve as your personal ID.
Review: 3 Categories What you know • • Password • PIN What you have • • e-Token • Cards & badges Who you are • • Biometrics
Pros and Cons of each authentication method
Secondary authentication • Provides unambiguous identification of users by means of the combination of two or more different components. • Security questions: • Favorite athlete? • Where Barack Obama met his wife? • Jennifer Lawrence’s mother’s maiden Image from http://www.wikipedia.org
Types of secondary authentication • Two- (or multi-) factor authentication where secondary authentication is used in conjunction with primary authentication • Account reset where secondary authentication is used when the primary authentication is lost/ forgotten/invalidated
Types of secondary authentication • Which types of secondary authentication do you know? • Have you used any type of secondary authentication?
Secondary authentication methods • Answer challenge questions (both) • E-mail with key/link (both) • SMS with key/link (both) • Smartphone (both) • Identify your friends in photos (both) • Provide old passwords (reset) • Trusted 3rd party verification (reset) • Printed secrets or code book (two-factor) • USB dongle (two-factor) • Biometrics (two-factor)
Combining Authenticators
Why secondary authentication?
Matt Honan
“the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers”
Enter… Matt Cutts
1) Something you know 2) Something you have
“Authentication at Scale”(2013) • Google is investing in authentication using two-step verification via one-time passwords and public-key- based technology to achieve stronger user and device identification. • “Security and usability problems are intractable: it’s time to give up on elaborate password rules and look for something better”
“Authentication at Scale”(2013) • Account types: • Authentication methods: • routine (subscription), • Device-Centric Authorization • spokesperson(blog), • Two factors verification • sensitive(email) • Smartcard-Like USB Token • very high value transaction (cross- border monetary flow ) • Channel Bindings • Common Threats: • Server-Side Technology • Phishing, • Service Accounts and Delegation • reuse, • offline brute forcing, • easily guessed security questions and answers, • Malware infection
“It’s no secret” paper • 4 of the most popular webmail providers—AOL, Google, Microsoft, and Yahoo!—rely on personal questions as the secondary authentication secrets used to reset account passwords. • User study to measure reliability and security of the questions. • Findings: • 17% Acquaintances were able to guess the answers • 20% Users forgot answers after 6 months. • 13% answers could be guessed within 5 attempts
“It’s no secret” (2009) • What recruitment method was used for this study? • Do you think this method would introduce bias into the study? • What other method(s) would you have used to recruit subjects for a study like this?
“It’s no secret” (2009) • What recruitment method was used for this study? “Our recruiting team selected participants from a larger pool of potential participants they maintain for all studies at Microsoft.” • Do you think this method would introduce bias into the study? • What other method(s) would you have used to recruit subjects for a study like this?
It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009) • Authentication system that employs social- authentication. • 3 experiments: • (1)reliably authenticate account holders, • (2) resist email attacks that target trustees by impersonating account holders, and • (3) resist phone-based attacks from individuals close to account holders.
It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009) • Advantages of the approach? • Disadvantages of the approach?
It’s Not What You Know, But Who You Know. A social approach to last-resort authentication (2009) Advantages • Targeted Content - Websites can obtain a profile and social graph data in order to target personalized content to the user. This includes information such as name, email, hometown, interests, activities and friends. However, this can create issues for privacy, and result in a narrowing of the variety of views and options available on the internet. • Multiple Identities - better control their online identity • Registration Data - Many websites use the profile data returned from social login instead of having users manually enter their PII into web forms. This can potentially speed up the registration or sign-up process. • Pre-Validated Email - Identity providers who support email such as Google and Yahoo! can return the user’s email address to the 3rd party website preventing the user from supplying a fabricated email address during the registration process. • Account linking - Because social login can be used for authentication, many websites allow legacy users to link pre-existing site account with their social login account without forcing re- registration.
Recommend
More recommend
