Using Technology to Overcome the Password's Contradiction
Sérgio Tenreiro de Magalhães (Universidade Católica Portuguesa, Portugal), Kenneth Revett (University of Westminster, UK), Henrique M.D. Santos (Universidade do Minho, Portugal), Leonel Duarte dos Santos (Universidade do Minho, Portugal), André Oliveira (Universidade do Minho, Portugal) and César Ariza (Bogomovil Ltda, Portugal)
Copyright: © 2009
The traditional approach to security has been the use of passwords. They give the system a barrier to access that was reasonably safe in the analogue world. The digital era provided the means to try thousands of passwords in a short time, and the password scheme on its own is no longer safe. It now suffers from the password's contradiction: to be both usable and safe it must be simple and complex at the same time. New technologies are therefore required that preserve ease of use while providing stronger authentication. This chapter presents the latest advances in three technologies that can be used, alone or together, to improve the safety of username/password schemes without significant changes to the architecture of the protected information system, despite the human factors that traditionally reduce the security of such systems. The technologies presented are Keystroke Dynamics, Graphical Authentication and Pointer Dynamics.
Background: Biometric Technologies
Biometric technologies are mainly used in physical and logical access control (Luis-García et al., 2003), but they can also assist in other tasks, some as unexpected as helping to preserve endangered animal species (Jewell et al., 2001). The use of biometric technologies to increase the security of a system has become a widely discussed subject: while governments and corporations press for wider integration of these technologies with common security systems (such as passports or identity cards), human rights associations are concerned with the ethical and social implications of their use (Privacy International et al., 2004a; Privacy International et al., 2004b). This situation creates the challenge of finding biometric algorithms that are less intrusive, easier to use and more accurate.
The precision of a biometric technology is measured by its False Acceptance Rate (FAR), which measures the permeability of the algorithm to attacks; by its False Rejection Rate (FRR), which measures how often the algorithm refuses a legitimate user; and by its Crossover Error Rate (CER), also known as Equal Error Rate (EER), the point where the FAR curve intersects the FRR curve, which indicates the usability of the technology. As an algorithm gets more demanding, its FAR gets lower and its FRR gets higher (Figure 1). Usually the administrator of the system can set a threshold and thereby decide the FAR and FRR of the applied algorithm according to the need for security, which depends on the risk evaluation and on the value of what is protected; in theory the threshold could also be set by an Intrusion Detection System (software designed to identify attacks against the system).
Figure 1. False rejection rate vs false acceptance rate and the resulting equal error rate, also known as crossover error rate
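To make the threshold trade-off in Figure 1 concrete, here is an added example that is not part of the chapter: it computes FAR, FRR and the crossover point from constructed match scores. The score values, the "accept when score >= threshold" rule and the function names are assumptions for illustration, not anything the authors specify.

```python
"""FAR, FRR and the crossover (equal error) point from match scores.

Added example, not the chapter's own code. Each login attempt yields a
similarity score (higher = closer to the enrolled template) and the system
accepts the attempt when score >= threshold. Sweeping the threshold over the
observed scores gives the FAR and FRR curves of Figure 1.
"""

# Constructed sample scores: ten attempts by legitimate users and ten by
# intruders. In a real system these come from the biometric matcher.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.72, 0.64, 0.60, 0.57, 0.52, 0.48, 0.45, 0.40, 0.33, 0.25]


def far(impostor_scores, threshold):
    """False Acceptance Rate: intruder attempts accepted / intruder attempts."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: legitimate attempts rejected / legitimate attempts."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) at every distinct observed score, ascending.
    FAR and FRR are step functions that only change at observed scores,
    so those are the only thresholds worth evaluating."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold and error rate where the FAR and FRR curves cross (CER/EER).
    With finite samples the curves rarely meet exactly, so the threshold
    minimising |FAR - FRR| is reported and the mean of the two is the EER."""
    curve = error_curve(genuine_scores, impostor_scores)
    t, a, r = min(curve, key=lambda p: abs(p[1] - p[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Least demanding threshold whose FAR does not exceed max_far, i.e. the
    lowest FRR the administrator can offer while capping permeability.
    Returns (threshold, FAR, FRR), or None if no threshold satisfies the cap."""
    for t, a, r in error_curve(genuine_scores, impostor_scores):
        if a <= max_far:
            return t, a, r
    return None


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {a:.1f}  FRR {r:.1f}")
    print("EER:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0.1 at:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

Raising the threshold from 0.50 to 0.80 on this data drives the FAR from 0.5 to 0.0 while the FRR rises from 0.0 to 0.6, which is the shape of the two curves in Figure 1; the crossover sits at 0.64 with both rates at 0.2.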
Key Terms in this Chapter
Collaborative Biometric Technology: A biometric authentication technology that requires the user's voluntary and intentional participation in the process. It is the opposite of a stealth biometric technology, which can be used without the user's consent.
Identification: The process of discovering the identity of the user who tries to gain access to a system. It differs from authentication because in identification no identity is proposed to the system, while in authentication an identity is proposed and the system only verifies whether that identity is plausible.
Threshold: The variable that defines the level of tolerance of an algorithm. It can be set to a more demanding value, raising the False Rejection Rate and lowering the False Acceptance Rate, or to a less demanding value, lowering the False Rejection Rate and raising the False Acceptance Rate.
Keystroke Dynamics: A biometric authentication algorithm that tries to define a user's typing pattern and then, on each login attempt, verifies whether the pattern exhibited in the way the password was typed matches the user's known pattern. Another application of Keystroke Dynamics, at least in theory, is continuous monitoring of the user's typing pattern in order to verify throughout the session that the person typing is the legitimate owner of the account in use.
Graphical Authentication System: A login system that verifies the user's knowledge of specific images or parts of images in order to grant or deny a successful login.
Passgraph: The user's secret code for accessing a system protected by a graphical authentication system. It consists of a sequence of points on which the user must click in order to obtain a successful login.
False Rejection Rate (FRR): A measure of the comfort level of an authentication algorithm. It is calculated by dividing the number of unsuccessful attempts made by legitimate users by the total number of legitimate login attempts.
Stealth Biometric Technology: A biometric authentication technology that can be used without the user's consent. It is the opposite of a collaborative biometric technology, which requires the user's voluntary and intentional participation in the process.
Crossover Error Rate (CER): Authentication algorithms must simultaneously minimise permeability to intruders, which requires them to be demanding, and maximise the comfort level, which requires them to be permissive. This contradiction is the basis of the optimisation problem in authentication algorithms, and the measure of success for the overall precision and usability of an algorithm is the Crossover Error Rate (CER), the error rate obtained at the threshold that yields the same False Acceptance Rate and False Rejection Rate.
Authentication: The process of verifying the identity claimed by a user who tries to gain access to a system.
False Acceptance Rate (FAR): A measure of the permeability of an authentication algorithm. It is calculated by dividing the number of successful login attempts by intruders by the total number of intruder login attempts.
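As an added example of the Keystroke Dynamics and Threshold terms above (not the chapter's own implementation), the following enrols a typing template for a password from dwell and flight times and then verifies later attempts against it at two thresholds. The password "secret", all timing data, the mean-z-score distance, the 5 ms deviation floor and the function names are constructed assumptions for illustration.

```python
"""Keystroke dynamics: enrol a typing template for a password and verify
later attempts against it.

Added example, not the chapter's implementation. Every attempt is a list of
(key, press_ms, release_ms) events for the password "secret"; all timing data
below is constructed. Features are dwell times (release - press of each key)
and flight times (press of the next key - release of this one).
"""
from statistics import mean, pstdev

PASSWORD = "secret"
SD_FLOOR_MS = 5.0  # assumed floor on per-feature deviation (timer resolution)


def typed(password, dwells, flights, start=0):
    """Build (key, press_ms, release_ms) events from dwell/flight timings.
    Constructed-data helper; a real system records these events from the OS."""
    events, t = [], start
    for i, ch in enumerate(password):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(events):
    """Dwell time per key followed by flight time between consecutive keys (ms).
    A flight time can be negative when the next key is pressed before the
    previous one is released (rollover), which is itself part of the rhythm."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(samples):
    """Template: (mean, standard deviation) per feature over enrolment samples.
    The floor stops a feature that happened to be constant during enrolment
    from rejecting every later attempt."""
    vectors = [features(s) for s in samples]
    return [(mean(col), max(pstdev(col), SD_FLOOR_MS)) for col in zip(*vectors)]


def distance(template, attempt):
    """Mean absolute z-score of the attempt against the template; 0 means the
    attempt sits exactly on the enrolled rhythm."""
    vec = features(attempt)
    return mean(abs(v - m) / sd for v, (m, sd) in zip(vec, template))


def verify(template, attempt, threshold):
    """Accept when the rhythm distance is within the administrator's threshold.
    Lowering the threshold makes the check more demanding: fewer impostors pass
    (lower FAR) but more genuine attempts are refused (higher FRR)."""
    return distance(template, attempt) <= threshold


# Constructed enrolment samples: the legitimate user typing "secret" three times.
ENROLMENT = [
    typed(PASSWORD, [90, 85, 95, 88, 92, 86], [120, 140, 110, 130, 125]),
    typed(PASSWORD, [95, 80, 90, 92, 88, 90], [125, 135, 115, 128, 130]),
    typed(PASSWORD, [88, 90, 98, 85, 95, 84], [118, 145, 105, 135, 120]),
]
TEMPLATE = enrol(ENROLMENT)

# A later attempt by the same user, and one by an impostor who knows the
# password but types it with a different rhythm (constructed data).
GENUINE_ATTEMPT = typed(PASSWORD, [92, 84, 93, 90, 90, 88], [122, 138, 112, 129, 127])
IMPOSTOR_ATTEMPT = typed(PASSWORD, [60, 65, 70, 62, 68, 64], [200, 210, 190, 220, 205])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        d = distance(TEMPLATE, attempt)
        print(f"{name}: distance {d:.2f}, accepted at 1.0: {verify(TEMPLATE, attempt, 1.0)},"
              f" accepted at 0.2: {verify(TEMPLATE, attempt, 0.2)}")
```

With the threshold at 1.0 the genuine attempt (distance about 0.31) is accepted and the impostor (distance near 10, despite knowing the password) is rejected; tightening the threshold to 0.2 rejects the genuine attempt too, which is the FRR side of the contradiction described under Crossover Error Rate. Password correctness is deliberately not checked here, since the point is the second factor layered on top of the ordinary password check.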