The user authentication subsystem is the most important component of a corporate information security system, and its importance can hardly be overestimated. The authentication subsystem confirms the identity of the information system user and therefore must be reliable and adequate, that is, it must eliminate all access granting errors.
Existing authentication methods vary in reliability, and, as a rule, the price of a system rises sharply with the security it provides. Choosing authentication means therefore requires risk analysis and an assessment of the economic feasibility of each security measure. Recently, however, the balance between the authentication methods in use has been shifting in terms of their effectiveness.
Authentication tools can be divided into three groups (factors) according to the principles used: the "you know" principle, which underlies password authentication methods; the "you have" principle, where authentication is performed using magnetic cards, tokens and other devices; and the "you are" principle, which uses personal characteristics of a user (fingerprint, retina structure, etc.). Strong authentication systems use 2 or more factors when authenticating users.
Today, the means of authentication of the first group ("you know") are the most cost-effective, but also the least reliable. A user's password can be spied on, intercepted in a communication channel, or simply hacked. If the security policy requires the use of complex passwords, users have difficulty remembering them, and it is not uncommon to find sheets of paper with passwords written on them in the most prominent place (for example, attached to the monitor).
The consequences are especially dangerous in single sign-on systems, where an employee uses a single password to authenticate and work with many corporate applications and information sources. Often, without realizing the importance of authentication, employees practice giving their own passwords to their colleagues. It is worth noting here that the authentication procedure is closely related to other information security (IS) processes, such as monitoring activities on the system, and when investigating an incident without strict user identification, it is often very difficult to determine the cause of the incident.
Strong authentication systems built on the "you know" and "you have" factors provide more opportunities for enhanced security. For example, the operation of tokens that generate one-time passwords without having a connection to the protected system is very difficult to forge, and the password itself cannot be reused.
Examples include RSA SecurID and Vasco Digipass devices. The most interesting applications for these devices are in areas such as e-commerce, including online banking, or to protect key security users (information system administrators and executives). These devices can be used to perform authentication when accessing remotely from a workplace with a low level of trust, e.g. when working at an Internet café. But this method of authentication is not without its disadvantages: for example, a token can be given along with the PIN to another user. From this point of view, more rigorous authentication is provided by means based on biometric methods, interest in which is now actively growing, not least due to the gradual reduction in their cost.
Biometric identification systems currently available or under development include access systems by fingerprint, odor, DNA, ear shape, facial geometry, facial skin temperature, keyboard handwriting, palm print, palm vein pattern, retinal structure, iris pattern, signature and voice.
Fingerprint identification is likely to be the most widely used biometric technology in the future. The advantages of fingerprint access means are ease of use, convenience and reliability. The whole process of identification is carried out fairly quickly and does not require much effort from users. The probability of error in identifying the user is much lower in comparison with other biometric methods. In addition, the fingerprint identification device is quite compact: similar systems smaller than a deck of cards are already being produced.
Identification by hand geometry
The method is now used in more than 8,000 organizations, including the Colombian Parliament, San Francisco International Airport, hospitals and immigration services. The benefits of palm geometry identification are comparable to fingerprint authentication in terms of reliability, although the palm print reader takes up more space. The most successful device, the Handkey, scans both the inside and the side of the hand.
The advantage of iris scanning is that the iris spot pattern is on the surface of the eye, and no special effort is required from the user – in fact, a video image of the eye can be captured from a meter away, making it possible to use such scanners in ATMs.
Identifying parameters can be scanned and coded, including in people with impaired vision but intact iris. Cataract damage to the lens of the eye, which is behind the iris, also does not affect the iris scanning process in any way.
Retinal scans are performed using low intensity infrared light directed through the pupil to the blood vessels at the back of the eye. Retinal scanners have become very common in top-secret access control systems because these authentication tools have one of the lowest rates of denial of access to registered users and a near-zero rate of mistaken access. However, an eye disease such as cataracts can adversely affect the quality of the resulting image and increase the likelihood of errors.
Identification by facial features (by facial geometry)
One of the fastest growing trends in the biometrics industry. This method is closest to how people identify each other, and that is its appeal. The development of this direction is associated with the rapid growth of multimedia video technology. However, most developers are still experiencing difficulties in achieving a high level of performance of such devices. Nevertheless, we can expect the appearance in the near future of special identification devices based on facial features in the halls of airports for protection against terrorists, etc.
Based on the data in the table, two of the most popular technologies today are biometric identification using fingerprint and iris.
Contrary to popular belief that fingerprint scanners are not difficult to fool, it should be noted that the leading manufacturers of fingerprint scanning devices have now created a combination of hardware and software that is resistant to tampering and dummies. And for iris-based biometric identification systems, the cost of creating a dummy is comparable to the cost of total system ownership. Thus, the occurrence of errors of the second kind (i.e., granting access to an unauthorized person) is virtually eliminated.
Of course, there are also problems. Under the influence of some factors, the biological features by which a person is identified can change. For example, deformation of the papillary pattern during cuts and burns is possible. That is why the frequency of errors of the first kind (denial of access to a person who has the right to it) when using one-factor identification in biometric systems is rather high. The solution to this problem is the use of multi-factor authentication systems that identify an individual by several factors at once, such as fingerprint, palm geometry and palm vein pattern.
In this case, the probability of errors of the first kind is dramatically reduced, and the overall degree of system reliability increases in proportion to the number of factors used. As a factor accelerating the development of biometric means of authentication, it is necessary to note a significant reduction in the cost of scanning devices. For instance, the cost of some fingerprint scanners has already come down to $50. This fact suggests that in the near future the cost of fingerprint scanners will be commensurate (if not less) with the cost of tokens.
Considering the market for biometric identification systems, three main directions of their use can be distinguished: civil identification systems, access control and management systems, and timekeeping systems. Today, analysts predict a serious development of all three areas and, in particular, of civil identification systems due to the start of the Russian Biometric Passport project in Kaliningrad and Kaliningrad Region. This gave a strong impulse for the development of the biometric industry in Russia: the cost of devices is going down, reliability is increasing, and the level of maturity in society necessary for mass acceptance of the technology is rising. As for the global biometric identification market, analysts predict its growth to $4 billion in 2007.
The development of the biometric identification market and cheaper technologies will make it possible to use these tools in companies' information security solutions as well as in corporate timekeeping systems (especially to control business processes that require strict personalization and personal responsibility).
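To make the effect of combining several biometric factors on errors of the first and second kind concrete, the following added example (not part of the original article) computes both rates for a rule that grants access when at least k of n modalities match. The per-modality rates are constructed for illustration, and the modalities are assumed to err independently.

```python
def prob_at_least(k, probs):
    """P(at least k of the independent events with probabilities `probs` occur)."""
    dist = [1.0]                      # dist[j] = P(exactly j events so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)     # this event does not occur
            nxt[j + 1] += q * p       # this event occurs
        dist = nxt
    return sum(dist[k:])

def fuse(modalities, k):
    """Combined (first-kind, second-kind) error rates for an 'at least k match' rule.

    modalities: list of (frr, far) pairs, where frr is the rate of denying a
    legitimate user and far the rate of accepting an unauthorized person.
    """
    genuine_match = [1 - frr for frr, _ in modalities]
    impostor_match = [far for _, far in modalities]
    frr = 1.0 - prob_at_least(k, genuine_match)   # legitimate user gets < k matches
    far = prob_at_least(k, impostor_match)        # impostor gets >= k matches
    return frr, far

# Constructed rates, for illustration only: (first kind, second kind)
SAMPLE = [
    (0.02, 0.001),    # fingerprint
    (0.03, 0.002),    # palm geometry
    (0.01, 0.0001),   # palm vein pattern
]

def tradeoff_table(modalities=SAMPLE):
    """Error rates for every k from 'any one matches' to 'all must match'."""
    return {k: fuse(modalities, k) for k in range(1, len(modalities) + 1)}

if __name__ == "__main__":
    for k, (frr, far) in tradeoff_table().items():
        print(f"{k}-of-{len(SAMPLE)}: first kind {frr:.2e}, second kind {far:.2e}")
```

With these sample rates, lowering k reduces errors of the first kind and raises errors of the second kind, so the decision rule has to be chosen together with the set of factors.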
Thus, we can confidently state (as our own experience in building integrated security systems confirms) that biometric identification as such will become the basis for the future enterprise information security infrastructure and will also be used in many application solutions.