Using Technology to Overcome the Password's Contradiction

Sérgio Tenreiro de Magalhães (Universidade Católica Portuguesa, Portugal), Kenneth Revett (University of Westminster, UK), Henrique M.D. Santos (Universidade do Minho, Portugal), Leonel Duarte dos Santos (Universidade do Minho, Portugal), André Oliveira (Universidade do Minho, Portugal) and César Ariza (Bogomovil Ltda, Portugal)
DOI: 10.4018/978-1-60566-132-2.ch024

The traditional approach to security has been the use of passwords. They provide the system with a barrier to access that was quite safe in the analogue world. The digital era provided the means to easily try thousands of passwords in a short period of time, and now the password scheme is no longer safe. It suffers from the password's contradiction: it requires both simplicity and complexity to be usable and safe. Therefore, new technologies are required that preserve ease of use but provide stronger authentication processes. This chapter presents the latest advances in three technologies that can be used, alone or together, to improve the safety of user/password schemes without significant changes to the architecture of the protected information system, despite the human factors that traditionally reduce the security of those systems. The presented technologies are Keystroke Dynamics, Graphical Authentication and Pointer Dynamics.
Chapter Preview

Background: Biometric Technologies

Biometric technologies are mainly used in both physical and logical access control (Luis-García et al., 2003), but they can also be used to assist in other tasks, some as unimaginable as helping to preserve several endangered animal species (Jewell et al., 2001). The use of biometric technologies to increase the security of a system has become a widely discussed subject and, while governments and corporations are pressing for a wider integration of these technologies with common security systems (like passports or identity cards), human rights associations are concerned with the ethical and social implications of their use (Privacy International et al., 2004a; Privacy International et al., 2004b). This situation creates a challenge: to find biometric algorithms that are less intrusive, easier to use and more accurate.

The precision of a biometric technology is measured by its False Acceptance Rate (FAR), which measures the permeability of the algorithm to attacks; by its False Rejection Rate (FRR), which measures the algorithm's resistance to accepting a legitimate user; and by its Crossover Error Rate (CER), also known as the Equal Error Rate (EER), the point where the FAR curve intersects the FRR curve, which indicates the level of usability of the technology. As an algorithm becomes more demanding, its FAR gets lower and its FRR gets higher (Figure 1). Usually the administrator of the system can define a threshold and thereby decide the average FAR and FRR of the applied algorithm, according to the need for security, which depends on the risk evaluation and on the value of what is protected; in theory, the threshold can also be set by an Intrusion Detection System (software designed to identify situations of attack on the system).

Figure 1. False rejection rate vs. false acceptance rate, and the resulting equal error rate, also known as crossover error rate.

Key Terms in this Chapter

Collaborative Biometric Technology: A biometric authentication technology that requires the user's voluntary and intended participation in the process. It is the opposite of stealth biometric technologies, which can be used without the user's consent.

Identification: The process of discovering the identity of a user who tries to gain access to a system. It differs from authentication because in identification no identity is proposed to the system, while in authentication an identity is proposed and the system only verifies whether that identity is plausible.

Threshold: The variable that defines the level of tolerance of an algorithm. It can be set to a more demanding value, raising the False Rejection Rate and lowering the False Acceptance Rate, or to a less demanding value, lowering the False Rejection Rate and raising the False Acceptance Rate.

Keystroke Dynamics: A biometric authentication algorithm that tries to define a user's typing pattern and then verifies, on each login attempt, whether the pattern exhibited in the way the password was typed matches the user's known pattern. Another application of Keystroke Dynamics, at least in theory, is the continuous monitoring of the user's typing pattern in order to verify at all times that the user who is typing is the legitimate owner of the account being used.

Graphical Authentication System: A login system that verifies the user's knowledge of specific images or parts of images in order to grant or deny a successful login.

Passgraph: The user's secret code for accessing a system protected by a graphical authentication system. It consists of a sequence of points on which the user must click in order to obtain a successful login.

False Rejection Rate (FRR): A measure of the comfort level of an authentication algorithm. It is calculated by dividing the number of unsuccessful attempts made by legitimate users by the total number of legitimate login attempts.

Stealth Biometric Technology: A biometric authentication technology that can be used without the user's consent. It is the opposite of collaborative biometric technologies, which require the user's voluntary and intended participation in the process.

Crossover Error Rate (CER): Authentication algorithms need simultaneously to minimize permeability to intruders, which requires them to be demanding, and to maximize the comfort level, which requires them to be permissive. This contradiction is the basis of the optimisation problem in authentication algorithms, and the measure of success for the overall precision and usability of an algorithm is the Crossover Error Rate (CER), the error rate obtained at the threshold that yields the same False Acceptance Rate and False Rejection Rate.

Authentication: The process of verifying the identity alleged by a user who tries to gain access to a system.

False Acceptance Rate (FAR): A measure of the permeability of an authentication algorithm. It is calculated by dividing the number of successful intruder login attempts by the total number of intruder login attempts.
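
As an added example, not code from the chapter, the following Python script makes the FAR/FRR trade-off of the Background section and the FAR, FRR, Threshold and CER definitions above concrete for a toy keystroke-dynamics verifier: it enrols a typing pattern from constructed inter-key latencies, sweeps the threshold, and computes FAR and FRR exactly as defined, reporting the threshold where the two curves cross. The verifier, its distance measure and all sample data are assumptions for illustration.

```python
from statistics import mean

# Constructed sample data (not from the chapter): each vector holds the
# inter-key latencies in milliseconds observed while typing one fixed
# password. ENROLLMENT is the legitimate user's training data; LEGIT are
# later logins by the same user; IMPOSTORS are other people typing the
# same (known) password.
ENROLLMENT = [[120, 95, 140, 110], [125, 100, 135, 105], [118, 93, 145, 112]]
LEGIT = [[122, 97, 138, 108], [130, 105, 150, 115], [115, 90, 141, 109],
         [140, 120, 160, 130], [121, 96, 139, 111]]
IMPOSTORS = [[200, 170, 210, 190], [90, 60, 100, 80], [135, 110, 150, 120],
             [160, 140, 180, 150], [124, 99, 137, 107]]

def template(samples):
    """Enrolled typing pattern: mean latency per key transition."""
    return [mean(col) for col in zip(*samples)]

def distance(attempt, tmpl):
    """How far an attempt is from the pattern: mean absolute deviation (ms)."""
    return mean(abs(a - t) for a, t in zip(attempt, tmpl))

def accepts(attempt, tmpl, threshold):
    """The threshold is the tolerance: accept when the deviation is within it."""
    return distance(attempt, tmpl) <= threshold

def far_frr(tmpl, legit, impostors, threshold):
    """FAR = accepted impostor attempts / all impostor attempts;
    FRR = rejected legitimate attempts / all legitimate attempts."""
    far = sum(accepts(a, tmpl, threshold) for a in impostors) / len(impostors)
    frr = sum(not accepts(a, tmpl, threshold) for a in legit) / len(legit)
    return far, frr

def crossover(tmpl, legit, impostors, thresholds):
    """Sweep the threshold and return (threshold, FAR, FRR) at the point
    where the two curves meet (or come closest): the CER / EER."""
    rows = [(t, *far_frr(tmpl, legit, impostors, t)) for t in thresholds]
    return min(rows, key=lambda r: abs(r[1] - r[2]))

if __name__ == "__main__":
    tmpl = template(ENROLLMENT)
    print("threshold  FAR   FRR")
    for t in range(0, 55, 5):  # demanding on the left, permissive on the right
        far, frr = far_frr(tmpl, LEGIT, IMPOSTORS, t)
        print(f"{t:>9}  {far:.2f}  {frr:.2f}")
    t, far, frr = crossover(tmpl, LEGIT, IMPOSTORS, range(0, 55, 5))
    print(f"CER/EER at threshold {t} ms: FAR={far:.2f}, FRR={frr:.2f}")
```

The printed table is the numeric form of Figure 1: tightening the threshold drives FAR to zero while FRR rises, and the crossover row is the operating point the chapter calls the CER.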
