Biometrics Authentication Part II

Abstract

As security threat represents a big issue within any organization that implements systems’ regulations and authentications for their users and business partners, implementing a biometric authentication to protect information, data, and help to comply with regulations could be a better solution for system security, and systems protection. Biometric authentication is a reliable method of identifying and authenticating users, since the authentication method relies on the uniqueness of each individual. For example, using the fingerprints as a method of authentication for gaining access to a network, users will scan their finger, and once the identity is verified, the authentication becomes valid, and users can access their desktop to access the network and the applications (Kay, 2005).  

Biometric authentication is used to identify individuals to gain access to systems or applications by measuring individual’s aspect of uniqueness where the individual’s anatomy is used to identify such uniqueness (e.g. hand geometry, fingerprint, and eye scan such as retinal or iris). Other biometrics that is used in information security for managing identities and access are including behavioural measurements such as voice pitch, typing rate for personal signatures (Clemmer, 2010).     

Evaluating authentications within any organization requires for any organization to give a closer look to many issues and factors involved such technologies such as the scalability and the complexity of such technology, how users within such organization can adopt such technology, the cost involved to implement such technology. That said; the implementation of the biometric authentication should be limited to high security required for sensitive information and applications within any organization (Shirey, 2010). 

Biometric authentication methods & future methods

Shirey (2010) explained that as key card or password is used for authentication, biometric authentication can do the same thing using the physical or behavioural characteristics to authenticate individuals to login and access systems and applications. Some of these methods are:

 

  • Fingerprints and hand Geometry – It’s the most common method of the biometric authentication, where it provides high accuracy, easy to implement, and low cost. It’s also possible to use the image of the finger instead of the actual fingerprints which makes it easy to be forged.
  • Voice Recognition – The method relies on the voice pattern to authenticate individuals. The technology is a user friendly, however, changing the voice due to sinus congestion, cold or anxiety can produce a false negatives results. Also, the technology requires a lot of the disk space, and it requires more time to access the systems.
  • Eye Scans – Retinal and iris scan can be used for authentication, and it provides accuracy where physical contact to the scanner is required. The technology has two problems to implement: user’s safety, cleanliness, the user must focus in particular point in the scanner and hold, and low-intensity light might affect the results.
  • Facial Recognition – The technology looks for the different parts of the face for authentication such as the location, and shape of the eyes and the nose, cheekbones and the side of the mouth.
  • Signature Dynamics and Typing Patterns – The technology looks for patterns in writing pressures at different points in the signature, and the writing speed.
  • Fingerprint Biometric Authentication via the Internet (BioWeb) – The technology is using an embedded object in the web page that can check the validation where the object is called on the interface of fingerprint reader attached to the individual’s computer. The coded fingerprint then sent to the server for the validation and authenticating the user to gain access (Eyenetwatch.com , 2010).
  • Heartbeat Biometric Authentication – The technology is capable to identify the individually unique information of the individual heartbeats, storing and utilizing this data as a broad range of user authentication (Idesia, n.d.). 
  • Infrared hand vein pattern biometric – The technology using the shape of the finger vein and infrared is used to make the skin tissue transparent, and highly visible to recognize the veins in the finger (Badawi, 2007).

Biometric Pros and Cons

Zorz (2010) explained that in theory biometric authentication is great way of authentication since users don’t have to remember passwords to access the network and applications. However there are more issues involved around this technology that might limit its use; and some of these issues are:

 

  • Biometric authentication based on the uniqueness in the human anatomy that everyone possesses for identification, however, such biological uniqueness attributes can change over time. For example, individual injures their finger may change the fingerprint features, and becomes hard to match, and the same can happen with a retinal changes.
  • Problems can be created within the authentications systems when the frequency of false positives and false negatives are high and not calibrated correctly to reduce these factors, and also getting inaccurate initial reading can cause identity problems.
  • With biometric authentication, identifications are very difficult to be impersonated or hacked especially when the authentication involved certain galvanic response and temperature, and the actual strength of such systems is the uniqueness of the individuals.
  • The cost of such authentication is coming down, and as such; it makes the out-of-reach cost of such devices to be more affordable to be available for many businesses to implement.
  • The deployment of such technology involves collecting biometric data (creating the biometric templates) which can be a big task to take for any organization, and since most of the common biometric authentications used these days are relying on retinal scanners, fingerprint readers or other biometric device, that will be attached to the user’s PC, the cost of IT resources to deploy, and maintain biometric readers is huge challenge within any organization.
  • Having one method of authentication is not an easy thing to change since once it is compromised, nothing can be done to require a new one (e.g. fingerprint).
  • Current scanners used by the biometric technology (biometric reader) don’t distinguish between a real fingerprint, and artificial one which makes the biometric solution can’t be the primary method of authentication.
  • A combined solution of authentication (e.g. fingerprint and pass-code) might be an effective solution for biometric solution, since biometric authentication is difficult to recover if it was compromised.
  • Twenty years ago, biometric authentication were slow, expensive and intrusive, however since such authentication were mainly used for sensitive data and mainframes, and, for few number of user the technology was workable, and now such method of authentication is inexpensive and easy to implement (Kay, 2005).

Biometric Attacks

Biometrics measure unique behavioural characteristics and unique physical individuals are used for recognition or authenticate their identity to provide access to the networks and applications. However, stolen biometric or cracked system presents a problem, since in such case users must be excluded from the system. While stolen smart cards or passwords can be reissued or changed, biometric data is there to stay forever or to be excluded from the authentication system, and users are no longer can be authenticated by such technique. Such incidents can raise security risks and cost, for example, a voice recognition authentication can be forged via voice recording; a face can be copied using a photograph, and fingerprint can be duplicated by different forging methods. In addition to the security issues described; static biometric can be intolerant of changes that might happen to the physical data used by biometric authentication method such as changes of the user’s voice or appearance changes (Damousis and  Bekiaris, 2008).

Spoofing attack on the biometric system by using artificial features such as photographs, fingerprints and others represents a security problem, and as such; aliveness checks are required to prevent such attacks of the authentication system. Also, identity theft in biometric systems is common especially on a single biometric feature and as such; it is required to implement two or more biometrics features to authenticate users. Such solution will create more reliable and applicable biometric authentication systems (Damousis and  Bekiaris, 2008).

Higgins (2009) explained that a Vietnamese researcher was able to crack the biometric authentication on Toshiba laptops and Lenovo Asus by spoofing the system with a photo of the authorized user, and also by using brute-force hacking using different fake facial images where the mechanism used by the vendors didn’t meet the security requirements to prevent such attack. The attacker in this case was able to adjust the angle of the phoney photo and the lighting angle to gain access to the system.

Conclusion

Biometric are used to identify people by measuring some unique features of the individual’s anatomy (e.g. fingerprints, or hand geometry) or with the unique behaviour (e.g. handwritten signature) or a combination of both. With such unique features of any individual; such features can be used as a method of authentication that can guarantee that the access to the information or systems is given to the authorized individual (Shirey, 2010).

Biometric systems have been built to automate the recognition of individual’s identity to validate authentication and provide system accesses. Some of the methods that are used are: Fingerprint authentication, Iris authentication (i.e. Eye signature), and voiceprint authentication. With such authentication methods, error rate between false accept rate and false reject rate are fluctuating from one method to another. With the increase of the popularity of such methods for authentication, the risk of forgery is unattended operation, and must be considered in the system design. Most of the biometric authentication methods are used to deterring intrudes rather than identifying them (Shirey, 2010).

Finally, Clemmer (2010) explained that before implementing such technologies within any businesses as a method of authentication; it is imperative to identify cost justifications by imposing many questions such as:

 

  • Why the businesses are in need to such technology as an additional factor of authentication?
  • What are the values of the information that businesses are trying to protect by implementing such technology?
  • What other cost factors (hidden cost behind such technologies) that are involved in implementing such technology within any organization (e.g. training, and changing the business process)?
  • Is the business implementing such technologies because it’s cool or because it’s a valued method of protection?

 

References

Badawi, M (2007) Biometric authentication using fast correlation of near infrared hand vein patterns [Online]. Available from: http://business.highbeam.com/436125/article-1G1-167253901/biometric-authentication-using-fast-correlation-near (Accessed: 04 December 2010).

Clemmer, L. (2010) What Is Biometric Authentication? [Online]. Available from: http://www.brighthub.com/computing/smb-security/articles/41217.aspx (Accessed: 04 December 2010).

Damousis, I. & Bekiaris, E. (2008) Unobtrusive Multimodal biometric Authentication [Online]. Available from: http://www.hindawi.com/journals/asp/2008/265767.html (Accessed: 04 December 2010).

Eyenetwatch.com (2010) Fingerprint Biometric Authentication via the Internet [Online]. Available from: http://www.eyenetwatch.com/Biowebserver/fingerprint_authentication.htm (Accessed: 04 December 2010).

Higgins, K. (2009) Researchers Hack Faces in Biometric Facial Authentication Systems [Online]. Available from: http://www.darkreading.com/security/vulnerabilities/213901113/index.html (Accessed: 04 December 2010).

Idesia (n.d.) In touch with your heart: Biometric Authentication [Online]. Available from: http://www.idesia-biometrics.com/applications/index.html (Accessed: 04 December 2010).

Kay, R. (2005) QuickStudy: Biometric authentication [Online]. Available from: http://www.computerworld.com/s/article/100772/Biometric_Authentication?taxonomyId=17&pageNumber=1 (Accessed: 04 December 2010).

Shirey, W. (2010) Types of Biometric Authentication [Online]. Available from: http://www.ehow.com/list_6760517_types-biometric-authentication.html (Accessed: 04 December 2010).

Zorz, Z. (2010) Pros and Cons of biometric authentication [Online]. Available from: http://www.net-security.org/secworld.php?id=8922 (Accessed: 04 December 2010).

 

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: