User authentication

1
User authentication

• How do we know that someone really is who they
  claim to be?

2

• In the days of yore (typically, the era of your
  grandparents) a handshake was good enough to back
  up a deal a persons reputation was developed
  over time as he or she became known in the
  community however, as a community becomes
  larger, and distance greater, it becomes
  necessary to provide formal documents that
  vouchsafe identity and character.

3
Documentary proof of identity

• The usual documents include
• Birth certificate
• Drivers license (or alternative)
• Passport
• Along with others college id, credit card, even
  utility bills!
• (What is needed to open a bank account now?)

4

• How reliable are such documents, in and of
  themselves? In the aggregate?
• consider, if you were so inclined, how could
  you build an alternate identity?

5

• The Internet community is too large for people
  to know everyone else directly, and on-line
  identities such as ImAGoodGuy can be changed
  readily the face-to-face methods arent
  available here to ascertain who someone is, how
  reliable they are, and what level of privilege is
  available to them.

6

• The primary means to ascertain identity on
  computing systems is by means of a user ID and
  associated password or Personal Identification
  Number (PIN).

7

• A login to a network computer account requires an
  ID and password, as does a dial-up session to an
  Internet Service Provider. Need some cash from
  an ATM? This, too, requires a card (with an
  account number) and associated password.

8

• The use of passwords as the sole means of
  regulating access is a notoriously weak method of
  authentication. People choose passwords that are
  easy to remember, which generally means that they
  choose words or names that are familiar. This
  practice restricts the range of passwords to a
  fraction of what is possible, and by choosing
  passwords that might be found in a dictionary
  they become much more vulnerable to the most
  common techniques of computer hacking.

9
Improving password security

• Disallow dictionary-based passwords
• Require combinations of upper and lower case
  letters
• Include non-alphabetic characters
• Require a minimum of, say, eight characters in
  a password, as short passwords are easier to
  crack
• Limit the number of unsuccessful login attempts

10

• Implement a password expiration program such
  that passwords expire at intervals (perhaps every
  thirty days, or even every day or after each
  transaction)
• Implement challenge and response strategies
  that require users to periodically reenter
  passwords (either the original or second-level
  personal data) during active secure sessions

11

• Ensure that passwords are encrypted for
  transmission across networks
• Implement a physical security inspection process
  that prevents post-it problems and related
  physical security leaks

12

• Given that the password mechanism is so common,
  protecting everything from our computer files to
  our bank accounts, it is easy to overlook the
  fact that passwords dont authenticate users at
  all they merely indicate that someone knows the
  password! There is no actual verification that
  the person entering the code really is the person
  that they claim to be.

13

• This is a staggering realization. Our most
  common method of user authentication does not
  really authenticate the users!

14
Biometrics

• Situations and environments requiring high levels
  of security now rely on biometric methods to
  verify identity, with statistically higher levels
  of confidence methods include fingerprinting,
  hand-scans, voice prints, retina scans, even DNA
  data.

15

• Not all such techniques migrate readily to the
  Internet environment why not?
• Whatever method is chosen for the authentication
  of users, it should be relatively non-obtrusive,
  and, ideally, transparent to the user unless
  the hassle factor is part of the security
  strategy!

16
Online biometrics

• One approach that is quite intriguing is that of
  keystroke dynamics. Consider that a weakness
  with the existing password system is that anyone
  can type in a correct password and gain admission
  to the system.
• Suppose, however, that the way that you type
  your password is also retained every time you log
  in how long it takes to enter the password, the
  duration of each keystroke, and the delay between
  successive keystrokes.

17

• Initially, the system is loose, allowing some
  variability in the entry, but as time goes on the
  data establishes a tighter range of acceptable
  patterns, and in so doing increases the
  probability that the person entering the password
  is the same one, every time. The user might
  never know that the system is in place, at least
  until the usual pattern is broken and the login
  rejected.

18

• Early research suggests that keyboard dynamics,
  that is, the way that a user enters a password,
  can be more discriminating than the use of
  fingerprinting!
• Similarly, graphical passwords have the same
  characteristics. Suppose that the authentication
  process requires that you physically write or
  draw your password. It would be difficult for a
  person to replicate someone elses drawing, and
  even more difficult to draw it in the same way,
  with the identical sequence of pen strokes and
  flourishes.

19

• the use of biometric techniques and the resulting
  stronger authentication associated with their use
  would prevent now-routine practices such as
  checking the e-mail of a co-worker while
  traveling, but then there are other, more
  reliable and accountable methods involving shared
  access privileges that would re-enable that sort
  of activity.

20

• There is also the problem that any type of remote
  authentication has certain risks of
  man-in-the-middle sniffing and related replay
  attacks, such that prior login attempts might be
  captured and successfully resubmitted, but these
  too can be addressed using other methods
  involving time stamps and sequencing information.
•  

21

• And theres always the possibility that if the
  biometric patterns are too rigidly enforced, an
  extra cup of coffee on the way to work might
  prevent a user from accessing his or her own
  account.

22

• The need for user authentication commensurately
  increases as the degree to which users access
  privileged information or conduct financial
  transactions increases. A solution that requires
  a high level of confidence in the user
  authentication process will likely use several
  techniques in concert, so as to raise the
  probability of accurate authentication as close
  to 100 as is possible.

23

• An interesting early paper on user authentication
  through keystroke analysis is Fabian Monrose and
  Avi Rubin. Authentication via keystroke dynamics.
  In Proceedings of the 4th ACM Conference on
  Computer and Communications Security, pages
  48-56, April 1997.

24

• Graphical passwords are explored in I. Jermyn,
  A. Mayer, F. Monrose, M. Reiter, A. Rubin, "The
  Design and Analysis of Graphical Passwords," In
  Proceedings of the 8th USENIX Security Symposium,
  Washington, D.C., August 1999.