Authentication technologies

Saved by PBworks on November 5, 2006 at 6:32:56 pm

Authentication.

 

AUTHORIZATION. RECOGNITION. VERIFICATION. IDENTIFICATION. SCREENING.

 


 

The definition for authentication is: "The process of establishing the validity of the user attempting to gain access to a system." or "The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual" (16).

 

Authorization is: "The process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which allows the user access to various resources based on the user's identity." For the purpose of this review on data authentication, a "subject" is the identity attempting to access a device, and an "object" is the device. (16).

 

Recognition is a generic term, and does not necessarily imply either verification or identification. All biometric systems perform “recognition” to “again know” a person who has been previously enrolled. Verification is a task where the biometric system attempts to confirm an individual’s claimed identity by comparing a submitted sample to one or more previously enrolled templates.

Identification is a task where the biometric system attempts to determine the identity of an individual. A biometric is collected and compared to all the templates in a database. Identification is “closed-set” if the person is known to exist in the database. In “open-set” identification, sometimes referred to as a “watchlist,” the person is not guaranteed to exist in the database. The system must determine whether the person is in the database.

 

An individual can be identified and authenticated by what he knows (password), or by what he owns (smart card) or by his human characteristics (biometrics). Unlike a password or a PIN, a biometric trait cannot be lost, stolen or recreated.

 

ACCESS MANAGEMENT.

 

In a number of countries there have been attempts to build shared authentication services. INTERNET2 in the USA is a consortium of 207 universities working to develop advanced network applications and technologies.

In the UK, the earlier JANET, which served around 50 sites with line speeds of 9.6 kbit/s, evolved into the JANET IP Service, SuperJanet, SuperJanet II and SuperJanet III. Athens was initially deployed in the higher education sector in 1996 and has firmly established itself as the de facto standard for secure access management to web-based services for the UK education and health sectors.

 

The Shibboleth architecture (developed by INTERNET2) defines a way of exchanging information between an organization and a provider of digital resources (such as data, video, documents, etc.). In the Shibboleth model, the organization exchanges the information in a secure manner, authenticates the user and provides information about the user. The information about the user is called attribute information.

Organizations that use Shibboleth to access resources must join or create a federation. A federation creates a "circle of trust" for organizations that want to access a set of resources. Each federation has its own criteria for organizations that want to join it, and defined levels of trust for access to the set of resources.

The Shibboleth project has established two federations, InQueue and InCommon. InQueue enables organisations to test their Shibboleth implementation, while InCommon is for production use.

Other federations include the Swiss SWITCH AAI, EDINA SDSS and the Eduserv test and production federations.

 

AAI: Authentication and Authorization Infrastructure

 

AAI uses a federated approach, insofar as each party controls the steps relevant to it: universities register and authenticate their members, and resource owners define their access rules. All parties involved profit from a standards-based AAI 19.

 

 

 

The authentication and authorization infrastructure (AAI) planned in the years 2002-2003 and proven and tested in pilot projects has gone live. Over 100,000 users of the universities of Berne, Geneva, Lausanne, Lucerne and Zurich as well as the ETH Zurich are in a position to authenticate within AAI by means of their user accounts. This opens up entirely new possibilities for resource owners to authenticate these members of the universities and to grant them, if authorized, access to the resources, without having to register and administrate users themselves.

 

Some example resources

As operator of the central AAI components, SWITCH (The Swiss Education and Research Network) is experienced in AAI-enabling different types of resources.

 

A) Apache, IIS Web server or Tomcat

AAI components can be added to Web servers by standard procedures.

SWITCH provides detailed installation and configuration guides. On request, SWITCH also carries out ready-to-use integrations of web sites.

B) WebCT

The e-learning platform WebCT Vista of the Swiss Virtual Campus (SVC) is being integrated with AAI. The registration of individual users of the universities mentioned above is thus no longer necessary.

SWITCH supports providers of courses on the SVC platform with the specific configuration of their authorization concept or helps operators to integrate their own WebCT platforms with AAI.

C) Web-based applications

There are portal and proxy solutions for Web applications which cannot be integrated directly with the AAI.

SWITCH has a tool box which helps with integrating such "black box" applications.

 

Uportal is another open source portal technology, adopted mostly in the U.S. but with an increasing number of adopting institutions in the U.K. Uportal offers:

• Single sign-on

• Opportunities for personalisation

• Open source

• Campus web including chat, forums and survey

• Integration with assessment technologies such as ASAP and QuestionMark Perception.

 

THE USE OF BIOMETRICS.

 

What Is Biometrics?

 

Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic 1. Biometric recognition technology relies upon the physical characteristics of an individual, such as fingerprints, voiceprint, pattern of the iris of the eye and facial pattern, in identifying an individual, offering positive identification that is difficult to counterfeit. Examples of physiological biometric features include height, weight, body odor, the shape of the hand, the pattern of veins, retina or iris, the face and the patterns on the skin of thumbs or fingers (fingerprints). Examples of behavioral biometrics are voice patterns, signature and keystroke sequences and gait (the body movement while walking).

 

The term “biometrics” is derived from the Greek words “bio” (life) and “metrics” (to measure). Automated biometric systems have only become available over the last few decades, due to significant advances in the field of computer processing.

 

Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent.

 

According to the Biometrics Catalog 7 “Biometrics” is a general term used alternatively to describe a characteristic or a process.

 

As a characteristic:

1. A measurable biological (anatomical and physiological) and behavioral characteristic that can be used for automated recognition.

 

As a process:

2. Automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics.

 

Some biometric systems permit more than one attempt to identify or verify an individual.

Some biometric features are persistent over time while others change. All biometric features are deemed ‘unique’ but some are less ‘distinct’ than others and thus less useful for automated identification purposes. The distinctiveness of any biometric feature depends also on the effectiveness of the sampling technique used to measure it, as well as the efficiency of the matching process used to declare a ‘match’ between two samples. Biometric identification is a technique that uses biometric features to identify human beings. Biometrics are used to strongly link a stored identity to the physical person this represents. Since a person’s biometric features are a part of his or her body, they will always be with that person where ever he/she goes and available to prove his or her identity. Biometric technologies may be used in three ways: (a) to verify that people are who they claim to be, (b) to discover the identity of unknown people, and (c) to screen people against a watch-list.

 

Jain A. states that whether a particular body characteristic is suitable for biometric use can be evaluated on the following seven criteria 11, identified by the author as the seven pillars of Biometric Wisdom:

Universality. All human beings are endowed with the same physical characteristics - such as fingers, iris, face, DNA – which can be used for identification.

Distinctiveness. For each person these characteristics are unique, and thus constitute a distinguishing feature.

Permanence. These characteristics remain largely unchanged throughout a person's life.

Collectability. A person's unique physical characteristics need to be collected in a reasonably easy fashion for quick identification.

Performance. The degree of accuracy of identification must be quite high before the system can be operational.

Acceptability. Applications will not be successful if the public offers strong and continuous resistance to biometrics.

Resistance to Circumvention. In order to provide added security, a system needs to be harder to circumvent than existing identity management systems.

 

Biometric Application Types

 

In functional terms the current uses of biometrics can be categorised under the following headings: verification, identification and screening. Another potential use of biometrics, though not yet in a mature state of development, is biometric encryption.

 

Verification (1-to-1 matching)

Verification is a test to ensure whether person X is really who he or she claims to be. Two types of verification can be envisaged: with centralised storage or distributed storage.

 

a) Verification with centralised storage

If a centralised database exists (produced once at enrolment and updated with each additional user) where all biometric data and the associated identities are stored, the biometric sample of the claimed identity is retrieved from the database. This is then compared to the live sample provided by person X, resulting in a match or a non-match.

Two types of error are possible for verification: (i) a false match (person X is not who he claims to be but the system erroneously accepts him, i.e. acceptance of an impostor; also known as false positive) and (ii) a false reject (person X is who he claims to be but the system fails to make the match, i.e. rejection of a legitimate person; also known as false negative). The matching can be done locally on the device temporarily storing the acquired sample or remotely by the hardware that stores the sample acquired during enrolment. False rejects will cause unnecessary inconvenience to innocent individuals whereas false matches are more insidious as they allow a fraudulent individual to pass, but the mistake goes unnoticed by the system.

b) Verification with distributed storage

If the biometric data is stored in a memory device that is carried by the individual, for example a smart card or a chip integrated into an identity document, person X will provide a live biometric sample and this will be compared to the biometric data stored on the memory device. This can be done either by the verification system which retrieves person X’s biometric data from the memory device and compares them to the live sample, or by the memory device itself, if it is sufficiently sophisticated to perform the verification. The identity details are either stored on the memory device or written on the accompanying documents e.g. in the case of a passport, identity information might be printed next to the chip. If the verification process succeeds, then person X is confirmed to be the valid bearer of the identification documents.

As before, false acceptance and false rejection errors are possible. In addition, there is the possibility that the documentation or the memory device are fraudulent or have been tampered with.

 

Identification (1-to-many matching)

Identification is used to discover the identity of an individual when the identity is unknown (the user makes no claim of identity). Contrary to verification, for the process of identification a central database is necessary that holds records for all people known to the system; without a database of records, the process of identification is not possible.

When person X comes to be identified, he provides a live biometric sample, e.g. a fingerprint is taken or the iris is scanned. The data is processed and the resulting biometric template is compared against all the entries in the database to find a match (or a list of possible matches). The system then returns as a response either the match (or list of possible matches) it has found, or that there is no match against the enrolled population. Identification may result in one of two types of error described previously: i.e. a false match or a false reject. Since the system checks against a database of enrolled templates or full images, the maintenance of the integrity of the database is essential in protecting individuals from identity theft.

 

Screening

The third type of process is screening, which makes use of a database or watch-list. A watch-list contains data of individuals to be apprehended or excluded. A record on the watch-list may contain only biometric data for a wanted individual or may also have identity information, depending on what is known. Everyone who passes the screening process provides a biometric sample, which is checked for matches against the watch-list. The key feature of a watch-list is that people are not on the whole identified; they will only be identified if they appear on the list. If there is no match the person passes through and their biometric sample should in principle be discarded. In the case of a match, a human operator decides on further action. Screening can take place overtly, for example at border control or covertly, such as scanning a crowd with the use of security cameras.

 

 

Factors Of Authentication.

 

There are several types of authentication; one of the most commonly used is a password or personal identification number (PIN). This is known as single-factor authentication: something the subject knows. One of the most secure authentication processes would use a combination of factors such as something the subject knows (password, pass phrase, or PIN), something they have (smartcard, token, or tag) and something they are (fingerprint, handwriting, iris, or retina scan, and so on) 15.

 

Other behind-the-scenes authentication techniques used are digital certificates and digital signatures. Pretty Good Privacy (PGP) uses keys and digital signatures to enable authentication of e-mail messages to ensure that they came from whom they said they did. Likewise, secure Web sites use digital certificates to let the subject know that they are whom they say they are and that they can be trusted.

 

The key difference between biometrics and other digital identifiers, such as passwords, PINs or credit cards, is that biometrics cannot be lost or forgotten; since biometric measurements are part of the body, they will always be present when needed. Moreover, the process of identification is automated or semi-automated. In some cases this automation mimics something humans do in everyday life (face or voice recognition), but for most technologies automation is necessary because humans alone would not be able to distinguish different individuals (iris recognition, hand patterns).

 

Biometrics is not only a fascinating pattern recognition research problem but, if carefully used, could also be an enabling technology with the potential to make our society safer, reduce fraud and lead to user convenience (user friendly man-machine interface) by broadly providing the following three functionalities:

(a) Positive Identification (“Is this person truly known to the system?”).

Commercial applications such as computer network logon, electronic data security, ATMs, credit card purchases, physical access control, cellular phones, PDAs, medical records management, and distance learning are sample authentication applications. Authentication applications are typically cost sensitive, with a strong incentive for being user-friendly.

(b) Large Scale Identification (“Is this person in the database?”). Typical large-scale identification applications include welfare-disbursement, national ID cards, border control, voter ID cards, driver’s license, criminal investigation, corpse identification, parenthood determination, missing children identification, etc. These large-scale identification applications require a large sustainable throughput with as little human supervision as possible.

(c) Screening (“Is this a wanted person?”)

 

WHY DO WE NEED IT

and why use biometrics in education?

 

It is easy to understand the need for biometrics if you've ever forgotten your network password or left it on your computer. Aside from what's known as "logical" use (using a finger scan or another type of technology to determine if a user is allowed to access information), biometrics can also give appropriate people access to a school building or area.

Biometrics isn't just for inside walls, either. Banks are looking at the technology to replace cards and PINs at ATMs. There's potential for using biometrics to verify payment in online purchases.

 

There is an increasing need to find a way to solve user identification issues and cut the costs of password administration. In educational institutions, students found it difficult to remember passwords, or occasionally borrowed user names and passwords belonging to other students and misused them.

With the fingerprint readers in place at the Kvarnby School's workstations 24, problems with forgotten or misused passwords have practically been eliminated. Now all 450 students and teachers log on to the computers using their fingerprint, which has not only made the login routine easier but also saves valuable classroom time, up to 50% of a 40 min lesson.

After extensive research, the IT group decided that a fingerprint based solution for login would eliminate the identification problems. Precise Biometrics distributor, Data Construction, provided the login solution at the Kvarnby School and made it possible for the IT administrators to be sure that people were who they claimed to be. Students did not have to remember passwords any longer, or worry about someone misusing their login ID.

 

There are many reasons to consider this form of personal identification. In each case, authenticating ourselves by who we are, rather than by what we know, what we carry, or how we choose to identify ourselves (i.e. PINs, passwords, smart card security tokens), solves and simplifies these issues. Some of the main justifications for biometric use in identity 20:

• Passwords are expensive. Aberdeen Group research finds that depending on company size, the labor costs per user per year for configuring and maintaining password systems is $100 – $350. We forget passwords and frequently have passwords set up granularly -- program by program.

• Passwords are overwhelming. Simply put, we have so many of them that we cannot remember them all. Our saturation of these secrets increases the likelihood that we do not properly protect them. How many truly random constructs of words, numbers, and even punctuation can a human really remember before jeopardizing the whole security strategy by writing stuff down?

• Applications demand it. This will increase traceability of nefarious individuals or stolen identities.

• It increases financial accountability. Used with some applications, like government assistance programs, biometrics could help eliminate instances of identity fraud. This is the ultimate identifier for a government issued credit card or a low income assistance program.

• It improves physical security. We are now more sensitive than ever about the need to ensure that physical premises are safeguarded at point of entry. Knowing exactly who is coming into our buildings is indispensable. Biometrics can provide ubiquitous building entry identifiers – at least for pre-approved people.

• It reduces paper. In many cases, traditional forms of verification generate boatloads of paper. Furthermore, other instances of authentication like notaries often rely solely on paper to document an event. Biometrics combined with other automation can eliminate our sole reliance on a paper trail for a given transaction or event.

 

The function of a biometric authentication system is to facilitate controlled access to applications, networks, personal computers (PCs), and physical facilities. A biometric authentication system is essentially a method of establishing a person’s identity by comparing the binary code of a uniquely specific biological or physical characteristic to the binary code of an electronically stored characteristic called a biometric template. The defining factor for implementing a biometric authentication system is that it cannot fall prey to hackers; it can’t be shared, lost, or guessed. Simply put, a biometric authentication system is an efficient way to replace the traditional password based authentication system 8.

Therefore, it is reasonable to conclude that PCs, cell phones, and other wireless (mobile) devices would be the first mass-market products to incorporate biometrics. Compared with desktop units, notebooks and other mobile devices are more subject to theft, tampering and loss, and have a shorter useful lifespan (as technology rapidly evolves).

Today, most information-technology (IT) managers would probably pay a modest premium for an easy-to-use alternative to password protection of such machines. But many of these managers expect to wait several years before they consider widespread deployment of biometrics on desktops.

 

Many individuals have a high regard for the need to protect information and facilities. To many of them, a well-thought-out biometrics program will be a logical improvement to existing security procedures. The threat posed by weaknesses in the current programs and the importance of biometrics to solving this problem will be the basis of decisions made by policymakers and legal counsel with regard to the structure of the program, the importance of enforcing compliance, and the extent of accommodations for legitimate individual concerns.

 

If, in the near future, major computer manufacturers, software developers, and Internet providers embrace biometrics for computer and network access, this commercial development might influence Although experimentation is generally welcome, the education should have a biometric policy in place that will, at a minimum, address sociocultural concerns 26.

 

BIOMETRIC APPLICATIONS

 

Most biometric applications fall into one of nine general categories:

• Financial services (e.g., ATMs and kiosks).

• Immigration and border control (e.g., points of entry, precleared frequent travelers, passport and visa issuance, asylum cases).

• Social services (e.g., fraud prevention in entitlement programs).

• Health care (e.g., security measure for privacy of medical records).

• Physical access control (e.g., institutional, government, and residential).

• Time and attendance (e.g., replacement of time punchcard).

• Computer security (e.g., personal computer access, network access, Internet use, e-commerce, e-mail, encryption).

• Telecommunications (e.g., mobile phones, call center technology, phone cards, televised shopping).

• Law enforcement (e.g., criminal investigation, national ID, driver’s license, correctional institutions/prisons, home confinement, smart gun).

 

A large scale application in Europe is EURODAC for asylum requests. EURODAC is an EU-wide database (AFIS) set up to check the fingerprints of asylum seekers against the records of other EU countries. Using fingerprint recognition to secure physical access is another popular application. Moreover, embedding of fingerprint readers in electronic devices opens up a whole range of digital applications that are based on online authentication.

 

The Integrated Automated Fingerprint Identification System, more commonly known as IAFIS, is one of the largest biometric databases in the world. It is a US national fingerprint and criminal history system maintained by the Federal Bureau of Investigation (FBI).

 

Fingerprint scanning is also being used to arrange secure access to schools and school premises such as cafeterias and libraries.

450 users at the Kvarnby School were provided with biometrics, and other schools within the Stockholm school system are now considering implementing the same solution. This solution was chosen because the schools needed to find an easy-to-use solution that saved classroom time and could be installed, operated and maintained without becoming a major drain on the school's budget.

 

With the embedding of fingerprint scanners in electronic devices, online authentication (replacement of passwords, PINs, etc) becomes possible for a whole range of applications including electronic payments.

 

At EU level, the Council of European Ministers adopted the Regulation on mandatory facial images and fingerprints in EU passports at its meeting in Brussels on 13 December 2004. This Regulation applies to passports and travel documents issued by Member States (excluding Ireland, the UK and Denmark). After the Regulation is published in the Official Journal passports issued will have to contain a facial image within 18 months, and fingerprints within three years. Also a Committee will be set up by the European Commission with representatives from 22 Member States to decide on the details such as how many fingerprints are to be taken, the equipment needed and the costs.

 

THE BIOMETRIC SYSTEM.

 

Biometric identification works generally in four stages: enrolment, storage, acquisition and matching. Features extracted during enrolment and acquisition stages are often transformed (through a non-reversible process) into templates in an effort to facilitate the storage and matching processes. Templates contain less data than the original sample, are usually manufacturer-dependent and are therefore not generally interoperable with those of other manufacturers. Templates or full samples thus acquired may then be held in storage that is either centralised (e.g. in a database) or decentralised (e.g. on a smart card). As a consequence of the statistical nature of the acquisition and matching stages, biometric systems are never 100% accurate. There are two kinds of possible errors: a false match, and a false non-match. These errors vary from one biometric technology to another and depend on the threshold used to determine a ‘match’. This threshold is set by the operators depending on the application.

 

The four stages correspond to the six basic steps of a generic biometric system 2:

1. Sample acquisition: first the collection of the biometric data must be done using the appropriate sensor; for example an image capture in the case of iris recognition or a saliva sample for DNA.

2. Feature extraction: this step performs the transformation from sample into template. In general, the template is numeric data. (This step can be omitted if full images are used).

3. Quality verification: this step establishes a reference image or template by repeating the first two operations as many times as needed so as to ensure that the system has captured and recognised the data correctly.

4. Storage of reference template: this step registers the reference template. Several storage mediums are possible (see the following section) and the choice depends on the requirements of the application;

5. Matching: this step compares the real-time input data from an individual against the reference template(s) or image(s);

6. Decision: this step uses the result of the matching step to declare a result, in accordance with application-dependent criteria (e.g. decision threshold). E.g. for a verification task the result would say whether the user claiming an identity should be authenticated.
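As an added illustration (not code from this page or from any vendor), the following Python sketch runs the six steps above and the three tasks described earlier (1-to-1 verification, 1-to-many identification and watch-list screening) over constructed 16-bit templates, and shows how the operator-set decision threshold trades false matches against false non-matches. The template format, the identities, the watch-list record and the score lists are all constructed for the example.

```python
"""Toy biometric system (added illustration, not a real product): the stages of
enrolment, storage, acquisition and matching, the operator-set threshold, the
two error types and the three tasks. Templates are constructed 16-bit codes."""
from typing import Dict, List, Optional, Tuple

Template = str  # a string of '0'/'1' characters (constructed toy data)


def similarity(a: Template, b: Template) -> float:
    """Hamming similarity: fraction of equal bits (1.0 identical, ~0.5 unrelated)."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def enrol(samples: List[Template], threshold: float) -> Template:
    """Steps 1-3: majority vote over repeated acquisitions gives the reference
    template; any sample that disagrees with it fails quality verification."""
    if not samples:
        raise ValueError("at least one sample is needed")
    reference = "".join(
        "1" if 2 * sum(s[i] == "1" for s in samples) > len(samples) else "0"
        for i in range(len(samples[0]))
    )
    for s in samples:
        if similarity(s, reference) < threshold:
            raise ValueError("inconsistent samples; re-acquire")
    return reference


class BiometricSystem:
    """Centralised template storage plus the two tasks that use it."""

    def __init__(self, threshold: float) -> None:
        self.threshold = threshold            # set by the operator per application
        self.store: Dict[str, Template] = {}  # step 4: identity -> reference template

    def enrol(self, identity: str, samples: List[Template]) -> None:
        self.store[identity] = enrol(samples, self.threshold)

    def verify(self, claimed: str, live: Template) -> bool:
        """1-to-1: the live sample is compared only with the claimed identity."""
        ref = self.store.get(claimed)
        return ref is not None and similarity(live, ref) >= self.threshold

    def identify(self, live: Template) -> List[Tuple[str, float]]:
        """1-to-many: every candidate above threshold, best first; [] means no match."""
        scored = [(who, similarity(live, t)) for who, t in self.store.items()]
        return sorted((h for h in scored if h[1] >= self.threshold), key=lambda h: -h[1])


def screen(watchlist: Dict[str, Template], live: Template, threshold: float) -> Optional[str]:
    """Watch-list check: the matching record id, or None (sample then to be discarded)."""
    best = max(watchlist.items(), key=lambda kv: similarity(live, kv[1]), default=None)
    if best is not None and similarity(live, best[1]) >= threshold:
        return best[0]
    return None


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """(false match rate, false non-match rate) for the given threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


# Constructed sample data (hypothetical identities, not real biometrics).
THRESHOLD = 0.8
ENROLMENT_SAMPLES = {
    "alice": ["1100110011001100", "1100110011001100", "1100110011001110"],
    "bob":   ["1010101010101010", "1010101010101000", "1010101010101010"],
    "carol": ["1111000011110000", "1111000011110000", "1111000011110001"],
}
WATCHLIST = {"W-001": "0000111100001111"}  # biometric data only, identity unknown
ALICE_LIVE = "1100110011001110"    # Alice's live sample with one bit of sensor noise
UNKNOWN_LIVE = "0000111100001101"  # a person who is on the watch-list
GENUINE_SCORES = [0.94, 0.88, 0.81, 0.75, 0.97]   # scores from true matches
IMPOSTOR_SCORES = [0.50, 0.56, 0.62, 0.83, 0.44]  # scores from impostor attempts


def build_system() -> BiometricSystem:
    system = BiometricSystem(THRESHOLD)
    for identity, samples in ENROLMENT_SAMPLES.items():
        system.enrol(identity, samples)
    return system


if __name__ == "__main__":
    system = build_system()
    print("verify alice:", system.verify("alice", ALICE_LIVE))   # True
    print("verify bob:", system.verify("bob", ALICE_LIVE))       # False
    print("identify:", system.identify(ALICE_LIVE))              # [('alice', 0.9375)]
    print("screen:", screen(WATCHLIST, UNKNOWN_LIVE, THRESHOLD))  # W-001
    for t in (0.8, 0.9):  # a higher threshold trades false matches for false non-matches
        print(t, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t))  # (0.2, 0.2) then (0.0, 0.6)
```

Note that identification of Alice's noisy sample succeeds only because the other enrolled templates score well below the threshold; raising the threshold from 0.8 to 0.9 removes the single false match in the score lists but rejects three of five genuine attempts.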

 

BRIEF PRESENTATION OF BIOMETRIC MODALITIES

and their applications, advantages and disadvantages.

 

Of the many possible biometrics, this chapter presents contact and contactless biometric technologies as well as the emerging and multiple biometric solutions with their advantages and disadvantages. Many biometric authentication technologies have been deployed or pilot-tested in applications in the public and private sectors. These are fingerprint, hand/finger geometry, facial recognition, voice recognition, iris scan, retinal scan, dynamic signature verification, and keystroke dynamics.

 

Contact Biometric Technologies

 

Fingerprint

 

The fingerprint biometric is an automated digital version of the old ink-and-paper method used for more than a century for identification, primarily by law enforcement agencies.

Among all the biometric techniques, fingerprint-based identification is the oldest method and has been successfully used in numerous applications. Everyone is known to have unique fingerprints. A fingerprint is made of a series of ridges and furrows on the surface of the finger. The uniqueness of a fingerprint can be determined by the pattern of ridges and furrows as well as the minutiae points. Minutiae points are local ridge characteristics that occur at either a ridge bifurcation or a ridge ending 18.

The biometric device involves a user placing his finger on a platen for the fingerprint to be read. The minutiae are then extracted by the vendor’s particular algorithm to create a template. Fingerprint biometrics have three main application arenas: large-scale Automated Finger Imaging Systems (AFIS) for law enforcement uses, fraud prevention in entitlement programs, and access control for facilities or computers.

 

 

Picture writing of a hand with ridge patterns was discovered in Nova Scotia. In ancient Babylon, fingerprints were used on clay tablets for business transactions. In ancient China, thumb prints were found on clay seals (17).

 
