Authentication Technologies (12 slides)

Slide 1: Authentication Technologies
• Authentication Mechanisms
  – Something you know
  – Something you have
  – Something you are
• Features
  – Authenticator & Base secret
  – Verifier
  – Verification Procedure

Slide 2: What you know
• Password/PIN
  – Authenticator & verifier
  – String comparison
  – Hashing?
  – Risks?

Slide 3: What you have
• Smart/Swipe cards
• Large base secret
• Risks?
  – Compared to Passwords?

Slide 4: What you are: Biometrics
• Identification:
  – Who are you?
  – Template/model comparison
  – “One-to-many” search
  – Choose most likely
• Verification
  – Is this you?
  – Template/model measure
  – “One-to-one” search
  – Thresholding

Slide 5: Subversion
• “As a general rule, if an authentication system is made by humans, it can be defeated by humans”
• Multifactor Authentication?
• Next: Risks & Attacks

Slide 6: Risks
• Masquerade
• Multiple Identities
• Identity Theft

Slide 7: Attacks
• Trial and Error
  – Passwords
  – Cards
  – Biometrics
• Replication
• Theft
• Digital Spoofing

Slide 8: Vulnerability
• Average attack space
  – Number of attacks needed to have a 50% chance of success
• False Acceptance Rate (FAR/FMR)
  – Percentage of impostor attempts that are accepted

Slide 9: Defences
• Trial and Error
  – Increase size of base secret
  – Limit guesses
  – Biometrics
    • Tighten match criterion
    • False Rejection Rate (FRR/FNMR)
• Replication
  – Liveness test?
• Theft
  – Add PINs or biometrics
• Digital Spoofing
  – Cryptography
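Worked example for slides 8 and 9, added here and not part of the original deck: the average attack space of a base secret, the effect of a guess limit on trial-and-error, and how tightening a biometric match threshold trades FAR against FRR. The similarity scores are constructed for illustration, and the function names are the example's own.

```python
# Added example (not from the slides): trial-and-error attack space and the
# biometric FAR/FRR trade-off that comes from tightening the match threshold.
from typing import Sequence, Tuple


def attack_space(alphabet_size: int, length: int) -> int:
    """Size of the base secret: the number of possible secrets."""
    return alphabet_size ** length


def average_attack_space(alphabet_size: int, length: int) -> float:
    """Guesses needed for a 50% chance of success against a uniformly random
    secret when no guess is repeated: half the keyspace."""
    return attack_space(alphabet_size, length) / 2


def lockout_success_probability(alphabet_size: int, length: int, max_guesses: int) -> float:
    """Chance that an attacker allowed only max_guesses distinct guesses before
    lockout hits the secret (the 'Limit guesses' defence)."""
    return min(1.0, max_guesses / attack_space(alphabet_size, length))


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """One-to-one verification with a similarity threshold: accept if score >= threshold.
    FAR/FMR = fraction of impostor comparisons accepted.
    FRR/FNMR = fraction of genuine comparisons rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


# Constructed similarity scores in [0, 1]; not measurements from any real system.
GENUINE = [0.92, 0.88, 0.75, 0.81, 0.69, 0.95, 0.84, 0.78]
IMPOSTOR = [0.31, 0.45, 0.72, 0.28, 0.55, 0.66, 0.40, 0.79]

if __name__ == "__main__":
    print(f"4-digit PIN: {average_attack_space(10, 4):.0f} guesses for 50% success")
    print(f"8-char lowercase password: {average_attack_space(26, 8):.3e} guesses")
    print(f"4-digit PIN, 3 guesses then lockout: P(success)={lockout_success_probability(10, 4, 3):.4f}")
    # Raising the threshold lowers FAR but raises FRR.
    for t in (0.6, 0.7, 0.8):
        far, frr = far_frr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.1f}: FAR={far:.3f} FRR={frr:.3f}")
```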

Slide 10: Deployment Issues
• Enrolment
  – Establish the verifier
  – Security concerns?
  – Self-enrolment
  – Supervised enrolment
• Maintenance
  – Password aging
    • Human memory!
  – Physical change
• Revocation

Slide 11: Operational Problems
• Forgetting Passwords
  – Cost of reset
• Loss or aging of devices
• Injury to biometric traits
  – Use redundancy

Slide 12: Economics
• Software
• Hardware
• Enrolment costs
  – Administrator
  – User
• Per-use cost
• Maintenance costs
• System downtime costs
• Revocation costs