Chapter Preview
Introduction
In information systems, authentication traditionally involves sharing a secret with the authenticating entity and presenting it whenever confirmation of the user’s identity is needed. In the digital era, that secret is commonly a username/password pair and/or, sometimes, a biometric feature, each presenting difficulties of different kinds. The traditional username/password pair is no longer enough to protect infrastructures, having known vulnerabilities regarding user privacy and the confidentiality of information, and biometrics raises many issues related to the ethical and social implications of its use (Magalhães & Santos, 2005).
Password vulnerabilities come from their misuse, which in turn results from the fact that they need to be both easy to remember, therefore simple, and secure, therefore complex. Consequently, it is virtually impossible to come up with a “good” password (Wiedenbeck et al., 2005). On the other hand, since users have not yet completely realized the need to secure their authentication secrets, even fairly good passwords become a threat when the security policies (if they exist at all) fail to be implemented. The results of an inquiry made by the authors in 2004 among sixty Information Technology (IT) professionals show that, even among those who have technical knowledge, the need for password security is underestimated (Magalhães et al., 2006). This is probably one of the reasons why governments increased their investment in biometric technologies after the terrorist attacks of 9/11 (IBG, 2003).
The use of biometric technologies to increase the security of a system has become a widely discussed subject but, while governments and corporations are pressing for a wider integration of these technologies with common security systems (like passports or identity cards), human rights associations are concerned with the ethical and social implications of their use. This situation creates a challenge to find biometric algorithms that are less intrusive, easier to use and more accurate.
The precision of a biometric technology is measured by its False Acceptance Rate (FAR), which measures the permeability of the algorithm to attacks; by its False Rejection Rate (FRR), which measures the algorithm’s resistance to accepting a legitimate user; and by its Crossover Error Rate (CER), the point where the FAR curve intersects the FRR curve, which indicates the level of usability of the technology (Figure 1). For a biometric technology to be usable on a stand-alone basis, its CER must be under 1%. As an algorithm gets more demanding, its FAR gets lower and its FRR gets higher; usually the administrator of the system can define a threshold and decide what the average FAR and FRR of the applied algorithm will be, according to the need for security, which depends on the risk evaluation and on the value of what is protected; in theory, the threshold can also be set by an Intrusion Detection System (software designed to identify situations of attack on the system).
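The trade-off described above, and the FAR and FRR definitions given under Key Terms, can be made concrete by sweeping the decision threshold of a score-based matcher and locating the crossover point. The following is an added example written for this preview, not code from the chapter’s authors; the similarity scores are constructed sample values (0 to 1, higher meaning “more like the enrolled user”) standing in for whatever a real matcher would produce, and the helper names (`sweep`, `crossover`, `threshold_for_max_far`) are this example’s own.

```python
"""Sweep a biometric matcher's decision threshold and find the crossover
(equal error) point where FAR == FRR.

Added example for this chapter preview; not the chapter's own code.
Scores below are constructed sample values, not output of a real matcher.
"""
from typing import List, Tuple

# Constructed sample data: scores for the legitimate (genuine) user and for
# people who are not the enrolled user (impostors), as a matcher might report.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.80, 0.77, 0.72, 0.69, 0.65, 0.58, 0.52]
IMPOSTOR_SCORES = [0.62, 0.55, 0.49, 0.44, 0.40, 0.36, 0.31, 0.27, 0.20, 0.12]


def far(impostor: List[float], threshold: float) -> float:
    """False Acceptance Rate: intruder attempts accepted / intruder attempts.
    An attempt is accepted when its score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine: List[float], threshold: float) -> float:
    """False Rejection Rate: legitimate attempts rejected / legitimate attempts."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[float], impostor: List[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds from 0.0 to 1.0 in equal steps.
    This is the data behind the FAR/FRR curves of Figure 1."""
    return [(i / steps, far(impostor, i / steps), frr(genuine, i / steps))
            for i in range(steps + 1)]


def crossover(genuine: List[float], impostor: List[float],
              steps: int = 100) -> Tuple[float, float]:
    """Threshold where the FAR and FRR curves intersect, and the CER there.
    On a discrete sweep the curves may not meet exactly, so the point with the
    smallest |FAR - FRR| is taken and CER is reported as their mean."""
    t, a, r = min(sweep(genuine, impostor, steps), key=lambda p: abs(p[1] - p[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, steps: int = 100) -> Tuple[float, float]:
    """Lowest (least demanding) threshold whose FAR does not exceed max_far,
    together with the FRR the legitimate user will then suffer. This models
    the administrator choosing a more demanding setting for a higher-value asset."""
    for t, a, r in sweep(genuine, impostor, steps):
        if a <= max_far:
            return t, r
    raise ValueError("no threshold in the sweep reaches the requested FAR")


def usable_standalone(cer: float) -> bool:
    """The chapter's rule of thumb: CER under 1% for stand-alone use."""
    return cer < 0.01


if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover threshold {t:.2f}, CER {cer:.2%}, "
          f"stand-alone usable: {usable_standalone(cer)}")
    t0, frr0 = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero-FAR threshold {t0:.2f} costs FRR {frr0:.0%}")
```

With the constructed scores the curves cross at a threshold of 0.56 with a CER of 10%, far above the 1% the chapter requires for stand-alone use; pushing the threshold to 0.63 drives FAR to zero but rejects 20% of the legitimate user’s attempts, which is exactly the FAR-versus-FRR choice the administrator is making when setting the threshold.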
Establishing the error rates of a biometric technology is a complex problem. Studies have been made to normalize their evaluation, but the fact is that the results are strongly dependent on the number of individuals involved in the process and, what is worse, on who is chosen. This means that, even with a large amount of data collected, the results can be very different if we change the evaluated group. The lack of trust in the precision evaluation methodologies and values is one of the reasons why human rights associations oppose the generalized use of biometric technologies and their acceptance as standards for authentication procedures (Privacy International, 2004). Even so, in an inquiry made by epaynews (www.epaynews.com), 36% of the users stated that they would prefer to use biometric authentication when using credit cards, a value only comparable to the use of Personal Identification Numbers (PINs) and much higher than the 9% obtained by the signature.
Key Terms in this Chapter
Crossover Error Rate (CER): Authentication algorithms need to simultaneously minimize the permeability to intruders, therefore they have to be demanding, and to maximize the comfort level, therefore they have to be permissive. This contradiction is the basis of the optimisation problem in authentication algorithms, and the measure of success for the overall precision of an algorithm and of its usability is the Crossover Error Rate (CER), the error rate obtained at the threshold that yields the same False Acceptance Rate and False Rejection Rate.
Passgraph: The user’s secret code to access a system protected by a graphical authentication system. It consists of a sequence of points on which the user must click in order to obtain a successful login.
Authentication: The process of verifying the identity alleged by a user that tries to gain access to a system.
False Rejection Rate (FRR): A measure of the comfort level of an authentication algorithm. It is calculated by dividing the number of unsuccessful attempts made by legitimate users by the total number of legitimate login attempts.
Threshold: The variable that defines the level of tolerance of an algorithm. It can be set to a more demanding value, raising the False Rejection Rate and lowering the False Acceptance Rate, or it can be set to a less demanding value, lowering the False Rejection Rate and raising the False Acceptance Rate.
Keystroke Dynamics: A biometric authentication algorithm that tries to define a user’s typing pattern and then verifies, in each login attempt, whether the pattern exhibited in the way the password was typed matches the user’s known pattern. Another application of Keystroke Dynamics, at least in theory, is the permanent monitoring of the user’s typing pattern in order to continuously verify that the person typing is the legitimate owner of the account being used.
Collaborative Biometric Technology: A biometric authentication technology that requires the user’s voluntary and intentional participation in the process. It is the opposite of the stealth biometric technologies, which can be used without the user’s consent.
Stealth Biometric Technology: A biometric authentication technology that can be used without the user’s consent. It is the opposite of the collaborative biometric technologies, which require the user’s voluntary and intentional participation in the process.
Pointer Dynamics: A biometric authentication algorithm that tries to define a user’s clicking pattern when selecting regions of an image, and then verifies, in each login attempt, whether the pattern exhibited in the way those regions were selected matches the user’s known pattern.
Identification: The process of discovering the identity of the user who tries to gain access to a system. It differs from authentication because in the identification process no identity is proposed to the system, while in authentication an identity is proposed and the system only verifies whether that identity is plausible.
False Acceptance Rate (FAR): A measure of the permeability of an authentication algorithm. It is calculated by dividing the number of intruders’ successful login attempts by the total number of intruders’ login attempts.
Graphical Authentication System: A login system that verifies the user’s knowledge of specific images or parts of images in order to grant or deny a successful login.
Cognitive Biometrics: A novel approach to user authentication and/or identification based on technologies and methods that measure signals generated directly or indirectly by human thought processes. The biological signals representative of the mental and emotional states of the user can be recorded using a variety of methods, such as the electroencephalogram (EEG), the electrocardiogram (ECG), the electrodermal response (EDR), eye trackers (pupillometry), and the electromyogram (EMG), among others.
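The Keystroke Dynamics entry above describes a two-phase scheme: define the user’s typing pattern at enrollment, then check each login attempt against it. The block below is an added example written for this preview, not code from the chapter’s authors, showing one way such a verifier can be structured. Everything about the model is an assumption made for illustration: the features (key dwell times and the flight times between consecutive keys), the per-feature tolerance expressed in standard deviations, the floor on the standard deviation, and the acceptance rule (fraction of features inside tolerance against a threshold); the key-timing samples are constructed, not measured. The same template-and-tolerance structure, with click timings in place of key timings, is the shape a Pointer Dynamics verifier would take, though that part is not shown here.

```python
"""Minimal keystroke-dynamics verifier: enroll a typing-rhythm template and
check a login attempt against it with a per-feature tolerance.

Added example for this chapter preview; not the chapter's own code. The
feature model, tolerance rule and all timestamps are constructed assumptions.
The verifier is a second factor: it presumes the password itself was already
checked, and only judges HOW it was typed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# One sample is the keys of the password in typing order, each with its
# key-down and key-up timestamp in milliseconds.
Sample = Sequence[Tuple[str, int, int]]
Template = Dict[str, List[float]]

MIN_STD_MS = 5.0  # floor so a perfectly consistent feature stays matchable


def features(sample: Sample) -> List[float]:
    """Dwell time of every key, then flight time between consecutive keys."""
    dwell = [up - down for _, down, up in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return [float(v) for v in dwell + flight]


def enroll(samples: List[Sample]) -> Template:
    """Build the user's known pattern: per-feature mean and std across samples."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("enrollment samples must type the same password")
    mu = [mean([v[i] for v in vectors]) for i in range(n)]
    sigma = [max(pstdev([v[i] for v in vectors]), MIN_STD_MS) for i in range(n)]
    return {"mean": mu, "std": sigma}


def match_score(template: Template, attempt: Sample, k: float = 2.0) -> float:
    """Fraction of the attempt's features within k standard deviations of the
    template. A length mismatch (different password typed) scores 0."""
    obs = features(attempt)
    if len(obs) != len(template["mean"]):
        return 0.0
    hits = sum(abs(o - m) <= k * s
               for o, m, s in zip(obs, template["mean"], template["std"]))
    return hits / len(obs)


def verify(template: Template, attempt: Sample,
           threshold: float = 0.8, k: float = 2.0) -> bool:
    """Accept when enough features match. Raising threshold (or lowering k)
    makes the algorithm more demanding: lower FAR, higher FRR."""
    return match_score(template, attempt, k) >= threshold


# Constructed enrollment samples for the password "pass": ~100 ms dwell,
# ~80 ms flight, with small natural variation between repetitions.
ENROLLMENT_SAMPLES: List[Sample] = [
    [("p", 0, 100), ("a", 180, 280), ("s", 360, 460), ("s", 540, 640)],
    [("p", 0, 95), ("a", 175, 280), ("s", 355, 450), ("s", 535, 640)],
    [("p", 0, 105), ("a", 185, 285), ("s", 370, 465), ("s", 545, 650)],
]
# Constructed login attempts: the legitimate user, and someone who knows the
# password but types it with a clearly slower rhythm.
GENUINE_ATTEMPT: Sample = [("p", 0, 102), ("a", 182, 284), ("s", 362, 460), ("s", 540, 642)]
IMPOSTOR_ATTEMPT: Sample = [("p", 0, 150), ("a", 300, 440), ("s", 600, 740), ("s", 900, 1050)]

if __name__ == "__main__":
    tpl = enroll(ENROLLMENT_SAMPLES)
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{name}: score {match_score(tpl, attempt):.2f}, "
              f"accepted={verify(tpl, attempt)}")
```

The two knobs in `verify` (the match-fraction `threshold` and the tolerance `k`) are this scheme’s version of the Threshold defined above: tightening either lowers the acceptance of impostors at the cost of rejecting more of the legitimate user’s own attempts, and the FAR/FRR sweep from the introduction is how one would pick their values for a given population.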