Enforcing Digital Security via User Authentication
All working environments today should ensure proper user access and permissions. To achieve this, they have to employ authentication, i.e. a process of confirming someone’s identity. The user proves his identity by presenting a secret that only the registered user should know. Authentication is used to verify the user’s identity, to control access to resources, to prevent unauthorized users from accessing the system, and to store system logs about users’ activities.
There are two basic modes of authentication:
- Verification: tries to answer the question, “Is the claimant the person who he or she claims to be?” The user declares his identity and the system checks it by comparing the biometric information obtained from the user with a record for the claimed identity stored in the system (for example, in a database). It is a one-to-one comparison.
- Identification: tries to answer the question, “Is the person an enrolled user and who is he/she?” The user first provides his/her biometric information and the system compares this biometric data with the templates stored in the system database. It is a one-to-many comparison.
There are 3 basic authentication methods:
- Something we know (password, key sequence etc.)
- Something we have (token, smartcard etc.)
- Something we are (biometrics – fingerprints, eye scan etc.)
Authentication methods based on tokens and knowledge objects do not rely on any built-in (genetic) attribute of the person to establish identity, and therefore they have a number of disadvantages. People can lose their token or smartcard, and can forget their chosen passwords. Passwords and tokens can also be stolen by an impostor. Biometric methods are implicitly more reliable and do not suffer from these disadvantages. However, they do have other disadvantages.
When we talk about authentication methods based on the concept “something we are”, we think about biometrics. Biometric authentication is the process of analyzing someone’s physical characteristics, or behavioral aspects, in order to prove the person’s identity. A well-known application of biometrics is the use of fingerprints for personal identification. Many police departments around the world use fingerprints for personal identification, and for checking purposes for many years afterwards.
The term biometrics comes from the Greek language: bio (= life) and metric (= to measure). Biometrics measures biological characteristics and makes a statistical analysis of them. In IT, biometrics means tools for measuring and analyzing human body characteristics for authentication purposes. The Biometrics Consortium defines biometrics as: “automatically recognizing a person using distinguishing traits”.
A good biometric method should possess the following properties:
- Broadness: almost all people in the target population should have the characteristic.
- Exclusiveness: the characteristic of each person should be unique, i.e. the biometric feature of each individual in the population should be different from that of every other individual.
- Stability: the characteristic should neither change with time, nor allow mutation.
All physiological or behavioral characteristics that have these properties can be used for personal identification. In order to be applied for automated personal verification, the biometric feature needs to have an additional property:
- Collect-ability: it should be possible to measure the characteristic quantitatively.
There are also other factors to be considered when a biometric system is being developed:
- Performance: the methods should be accurate, fast, with low memory requirements.
- Acceptability: the extent to which people are prepared to accept a given biometric system in their daily lives.
- Fault discovery: how easily a biometric system can uncover potential false (fraudulent) users.
Biometric authentication can be divided into the following 2 categories:
- Physical characteristics recognition – PCR, which is based on some physical feature, such as a fingerprint, eye-scan, or facial geometry for identification and authentication.
- Behavioral characteristic recognition – BCR, which is based on some dynamic characteristics, such as keyboard typing, writing, or a hand signature.
In practice, PCR is more frequently applied than BCR.
Common biometric technologies are:
- Fingerprint biometrics – fingerprint recognition
- Eye biometrics – iris and retinal scanning
- Face biometrics – face recognition using visible light or infrared light (the latter is called facial thermography)
- Hand geometry biometrics – also finger geometry
- Signature biometrics – signature recognition
- Voice biometrics – speaker recognition
Other, less commonly used biometric technologies are:
- Vein recognition: vein pattern on the back of the hand.
- Keystroke dynamics: rhythm patterns such as time between keystrokes, hold times, finger placement, and applied pressure on the keys.
- Palm-print: third approach to hand identification.
- Gait recognition: people are recognized by the way they walk.
- Body odor measurement: automated methods for odor measurements are required in industrial processes and other applications.
- Ear shape: possesses the property required from a biometric identifier.
- DNA recognition: used for authentication in criminal cases.
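The one-to-one (verification) and one-to-many (identification) comparisons described under the two modes of authentication, applied to the keystroke-dynamics features listed above (hold times and time between keystrokes), as an added example that is not part of the original article. The timing data, the 25 ms threshold, the distance measure and all function names are assumptions made for illustration.

```python
# Constructed sample data: (key, press_ms, release_ms) while typing the phrase "pass".
def features(events):
    """Hold time of each key, followed by the time between consecutive keystrokes."""
    holds = [release - press for _, press, release in events]
    flights = [nxt[1] - cur[2] for cur, nxt in zip(events, events[1:])]
    return holds + flights

def distance(a, b):
    """Mean absolute difference (ms) between two feature vectors."""
    if not a or len(a) != len(b):
        raise ValueError("feature vectors must be non-empty and of equal length")
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

THRESHOLD_MS = 25  # assumed acceptance threshold, not a recommended value

def verify(templates, claimed_id, sample):
    """Verification: one-to-one comparison with the claimed identity's template."""
    template = templates.get(claimed_id)
    if template is None:          # claimed identity was never enrolled
        return False
    return distance(template, sample) <= THRESHOLD_MS

def identify(templates, sample):
    """Identification: one-to-many comparison; returns the best match or None."""
    scored = [(distance(t, sample), uid) for uid, t in templates.items()]
    if not scored:
        return None
    best_distance, best_id = min(scored)
    return best_id if best_distance <= THRESHOLD_MS else None

# Enrolled templates (constructed).
ENROLLED = {
    "alice": features([("p", 0, 95), ("a", 150, 240), ("s", 300, 380), ("s", 450, 535)]),
    "bob":   features([("p", 0, 60), ("a", 220, 270), ("s", 480, 540), ("s", 700, 765)]),
}
# A later attempt by the enrolled user "alice" and one by a person who is not enrolled.
ATTEMPT = features([("p", 0, 100), ("a", 160, 245), ("s", 310, 395), ("s", 470, 550)])
STRANGER = features([("p", 0, 140), ("a", 400, 520), ("s", 900, 1030), ("s", 1300, 1420)])

if __name__ == "__main__":
    print("verify as alice:", verify(ENROLLED, "alice", ATTEMPT))
    print("verify as bob:  ", verify(ENROLLED, "bob", ATTEMPT))
    print("identify:       ", identify(ENROLLED, ATTEMPT))
    print("identify other: ", identify(ENROLLED, STRANGER))
```

Verification performs a single comparison per attempt, while identification performs one comparison per enrolled template, so each additional enrolled user is another chance for an impostor's sample to fall under the threshold.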