1 figure 2-8: access cards magnetic stripe cards smart cards have a microprocessor and ram more...


Upload: francis-derick-reeves

Post on 18-Jan-2016


Figure 2-8: Access Cards

Magnetic Stripe Cards

Smart Cards

Have a microprocessor and RAM

More sophisticated than mag stripe cards

Release only selected information to different access devices


Figure 2-8: Access Cards

Tokens

Small device with constantly-changing password

Or device that can plug into USB port or another port

RFIDs (Radio-Frequency IDs)

Can be detected and tested without physical contact

Allows easier access; used in Tokyo subways


Figure 2-8: Access Cards

Card Cancellation

Requires a central system

PINs

Personal Identification Numbers

Short: about 4 digits

Can be short because attempts are manual (10,000 combinations to try with 4 digits)

Should not choose obvious combinations (1111, 1234) or important dates

Provide two-factor authentication


Figure 2-9: Biometric Authentication

Biometric Authentication

Authentication based on body measurements and motions

Because you always bring your body with you

Biometric Systems (Figure 2-10)

Enrollment

Later access attempts

Acceptance or rejection


Figure 2-10: Biometric Authentication System

1. Initial Enrollment

User Lee scanning -> Processing (Key Feature Extraction): A=01, B=101, C=001 -> User Lee Template (01101001), stored in the Template Database

Template Database: Brown 10010010; Lee 01101001; Chun 00111011; Hirota 1101110… …

2. Subsequent Access

Applicant scanning -> Processing (Key Feature Extraction): A=01, B=111, C=001 -> User Access Data (01111001)

3. Match Index, Decision Criterion (Close Enough?)


Figure 2-9: Biometric Authentication

Verification Versus Identification

Verification: Are applicants who they claim to be? (compare with single template)

Identification: Who is the applicant? (compare with all templates)

More difficult than verification

Verification is good for replacing passwords in logins

Identification is good for door access and other situations where entering a name would be difficult


Figure 2-9: Biometric Authentication

Precision

False acceptance rates (FARs): Percentage of unauthorized people allowed in

Person falsely accepted as member of a group

Person allowed through a door who should not be allowed through it

Very bad for security


Figure 2-9: Biometric Authentication

Precision

False rejection rates (FRRs): Percentage of authorized people rejected

Valid person denied door access or server login

Can be reduced by allowing multiple access attempts

High FRRs will harm user acceptance
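Added example (not part of the original slides): the matching step of Figure 2-10 together with verification, identification, and the FAR/FRR trade-off. It assumes the match index is the Hamming distance between feature bit strings; the thresholds and the attempts marked "constructed" are illustrative assumptions.

```python
# Added example. Templates and Lee's access data are the bit strings in Figure 2-10.
# Assumption: match index = Hamming distance (number of differing feature bits).
TEMPLATES = {  # Hirota's template is truncated on the page, so it is omitted
    "Brown": "10010010",
    "Lee": "01101001",
    "Chun": "00111011",
}
ACCESS = "01111001"  # user access data from Lee's later scan (Figure 2-10)

def match_index(template, access):
    if len(template) != len(access):
        raise ValueError("feature strings must have equal length")
    return sum(a != b for a, b in zip(template, access))

def verify(claimed, access, threshold):
    """Verification: compare with the single template of the claimed identity."""
    template = TEMPLATES.get(claimed)
    return template is not None and match_index(template, access) <= threshold

def identify(access, threshold):
    """Identification: compare with all templates; close-enough names, best first."""
    scored = sorted((match_index(t, access), n) for n, t in TEMPLATES.items())
    return [name for dist, name in scored if dist <= threshold]

def error_rates(attempts, threshold):
    """attempts: (claimed, access, is_genuine) tuples. Returns (FAR, FRR)."""
    genuine = [a for a in attempts if a[2]]
    impostor = [a for a in attempts if not a[2]]
    false_accepts = sum(verify(c, s, threshold) for c, s, _ in impostor)
    false_rejects = sum(not verify(c, s, threshold) for c, s, _ in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)

ATTEMPTS = [
    ("Lee", ACCESS, True),         # from the figure: one feature bit differs
    ("Lee", "01011001", True),     # constructed: noisy scan, two bits differ
    ("Chun", "00111011", True),    # constructed: perfect scan
    ("Chun", ACCESS, False),       # constructed: Lee's scan claiming to be Chun
    ("Brown", ACCESS, False),      # constructed: Lee's scan claiming to be Brown
]

if __name__ == "__main__":
    for t in (0, 1, 2):
        far, frr = error_rates(ATTEMPTS, t)
        print(f"threshold={t} identify={identify(ACCESS, t)} FAR={far:.2f} FRR={frr:.2f}")
```

Loosening the decision criterion from 1 to 2 removes the false rejections but makes identification ambiguous (Lee and Chun both match) and lets an impostor claim through.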


Figure 2-9: Biometric Authentication

Precision

Vendor claims for FARs and FRRs tend to be exaggerated because they often perform tests under ideal circumstances

For instance, having only small numbers of users in the database

For instance, by using perfect lighting, extremely clean readers, and other conditions rarely seen in the real world


Figure 2-9: Biometric Authentication

User Acceptance is Crucial

Strong user resistance can kill a system

Fingerprint recognition may have a criminal connotation

Some methods are difficult to use, such as iris recognition, which requires the eye to be lined up carefully.

These require a disciplined group


Figure 2-9: Biometric Authentication

Biometric Methods

Fingerprint recognition

Simple, inexpensive, well-proven

Weak security: can be defeated fairly easily with copies

Useful in modest-security areas

Face recognition

Can be put in public places for surreptitious identification (identification without citizen or employee knowledge). More later.


Figure 2-9: Biometric Authentication

Biometric Methods

Iris recognition

Pattern in colored part of eye

Very low FARs

Somewhat difficult to use: must line up eye exactly or will be rejected

High FRR if eye is not lined up correctly can harm acceptance

Hand geometry: shape of hand

Voice recognition

High error rates

Easy to fool with recordings


Figure 2-9: Biometric Authentication

Biometric Methods

Keystroke recognition

Rhythm of typing

Normally restricted to passwords

Ongoing during session could allow continuous authentication

Signature recognition

Pattern and writing dynamics


Figure 2-9: Biometric Authentication

Biometric Standards

Almost no standardization

Worst for user data (fingerprint feature databases)

Get locked into single vendors


Figure 2-9: Biometric Authentication

Can Biometrics be Fooled?

Airport face recognition mostly has false positives

4-week trial of face recognition at Palm Beach International Airport

Only 250 volunteers in the user database (unrealistically small)

Volunteers were scanned 958 times during the trial

Only recognized 455 times!

Recognition rate fell if subjects wore glasses (especially tinted) or looked away

Would be worse with larger database

Would be worse if photographs were not good


Figure 2-9: Biometric Authentication

Can Biometrics be Fooled?

DOD Tests indicate poor acceptance rates when subjects were not attempting to evade

270-person test

Face recognition recognized person only 51 percent of time

Iris recognition only recognized 94 percent of the time.

Other research has shown that evasion is often successful for some methods

German c’t magazine fooled most face and fingerprint recognition systems

Prof. Matsumoto fooled fingerprint scanners 80 percent of the time with a gelatin finger created from a latent (invisible to the naked eye) print on a drinking glass