Type 3 Authentication: Something you are
Biometrics. It is difficult for an individual to forget, misplace or lose control of that access ability. Care should be given to ensure appropriate accuracy and to address privacy issues.
Biometric Fairness, Psychological Comfort and Safety
Biometrics should not cause undue psychological stress to subjects or unwarranted privacy issues. Potential exchange of bodily fluid is a serious negative for any biometric control – retina scans, even finger print scanning. Passive controls such as iris scans may be preferable.
Biometric Enrollment and Throughput
- Enrollment – process of registering with a biometric system. A one time process that should take 2mins or less
- Throughput – process of authentication a biometric system (biometric response time). Typically 6-10seconds
Accuracy of Biometric Systems
False Reject Rate (FRR) – Type I Error
A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized.
False Accept Rate (FAR) – Type II Error
A false acceptance occurs when an unauthorized subject is accepted as valid. (FAR is worse than FRR)
Crossover Error Rate (CER)
The CER describes the point where the False Reject Rate and the false accept rate are equal. CER is also known as the Equal Error Rate (ERR)
Types of Biometric Controls
The data storing each person’s fingerprint must be of a small enough size to be used for authentication. This data is mathematical representation of finger print minutiae, specific details of fingerprint friction edges, which includes whorls, ridges, bifurcation and others.
Laser scan of the capillaries that feed the retina of the back of the eye. User needs to press their eye up to the last scanner eyecup and may raise privacy issue due to conditions such as diabetes and pregnancy can be determined. Due to need for proximity bodily fluids can be exchanged.
A passive biometric control using a camera to take a picture of the iris and then compares photos with the authentication. Benefits: high accuracy, passive scanning, and no exchange of bodily fluids.
Measurements are taken from specific points on the subject’s hands – length, width, thickness, surface area – stored in as little as 9 bytes.
Refers to how hard a person presses each key and the rhythm by which the keys are pressed. Cheap and effective (difficult to impersonate)
Measure the process by which someone signs his/her name. Measuring the subjects handwriting – time, pressure, loops, in the signature and beginning and ending points.
Measures the subject’s tone of voice while stating a specific sentence or phrase. Vulnerable to replay attacks. Other access controls such as requiring subject to speak random words, protecting against prerecorded phrases. People’s voices may change due to illness resulting in false rejection.
Passively taking a picture of a subject’s face and comparing that picture to a list stored in a database. High cost.
Someplace you are
Relies on location based access control such as GPS, IP address based geo-location or the physical location for a point of sale purchase. Used often in Credit card fraud detection.
Access Control Technologies
Centralized Access Control
Concentrates access control in one logical point for a system or organization. Can be used to provide Single Sign On (SSO) and provide AAA – Authentication, Authorization and Accountability.
Decentralized Access Control
Also known as distributed access model, allows each site to control over its data. It is risky due to differing access models, policies, and security.
Single Sign On (SSO)
Allows a single user to authenticate via centralized system and access multiple different systems.
- Improved User productivity
- Improved Developer Support
- Simplified administration
- Difficult to retrofit
- Unattended desktop – reduces some security risks but increases others
- Single point of attack. i.e. DoS
Session Management of Single Sign On
Due to unattended desktop security risk. SSO should always use two factor for authentication, but that still leaves the potential risk of malicious use of an existing session. Session timeouts and screensavers that automatically lock the workstation should be used. Users should be trained to lock their workstations when they leave their desk.