
User authentication - modern methods

RedX

The user authentication subsystem is the most important component of a corporate information security system, and its importance can hardly be overestimated. It confirms the identity of the user of the information system and must therefore be reliable and adequate, that is, it must exclude all errors in granting access.

Existing authentication methods differ in their degree of reliability. As a rule, the price of a system rises sharply as protection is strengthened, so choosing an authentication method requires risk analysis and an assessment of the economic feasibility of each protection measure. Recently, however, the "balance of power" among authentication methods in terms of effectiveness has been changing.

Authentication tools can be divided into three groups ("factors") according to applicable principles: the "you know" principle underlying password authentication methods; the "you have" principle, when authentication is carried out using magnetic cards, tokens and other devices; and the principle of "who you are", using the personal properties of the user (fingerprint, structure of the retina, etc.). Strong authentication systems use 2 or more factors to authenticate users.

Today, the first group of authentication means ("you know") is the cheapest, but also the least reliable. A user's password can be spied on, intercepted in the communication channel, or simply guessed. If the security policy requires complex passwords, users find them difficult to remember, and sheets of paper with passwords often appear in the most prominent place (for example, attached to a monitor).

The consequences are especially dangerous in systems that use single sign-on, where an employee uses a single password to authenticate to and work with many corporate applications and information sources. Employees who do not realize the importance of authentication often share their personal passwords with colleagues. It is worth noting that the authentication procedure is closely tied to other processes in the information security (IS) system, such as monitoring of actions in the system: when investigating an incident without strong user identification, it is often very difficult to establish the cause.

Strong authentication systems built on the "you know" and "you have" factors provide more options for enhancing security. For example, the operation of tokens that generate one-time passwords without being connected to the protected system is very difficult to forge, and the password itself cannot be reused.

Examples include RSA SecurID and Vasco Digipass devices. The most interesting applications of these devices are in areas such as e-commerce, including Internet banking, and in protecting users who are key from a security standpoint (information system administrators and managers). They can be used to authenticate remotely from a workstation with a low level of trust, such as one in an Internet cafe. This method of authentication is not without drawbacks, however: a token can, for example, be handed to another user along with its PIN. From this point of view, stronger authentication is provided by biometric methods, interest in which is now growing actively, not least because of the gradual decrease in their cost.

Biometric identification systems currently available or under development include fingerprint, odor, DNA, ear shape, face geometry, facial skin temperature, keyboard handwriting (keystroke dynamics), palm print, palm vein pattern, retinal structure, iris pattern, signature and voice.

Fingerprint authentication

This biometric technology is likely to be the most widely used in the future. The advantages of fingerprint credentials are ease of use, convenience and reliability. The entire identification process is fairly quick and does not require much effort from users. The probability of a user identification error is much lower than with other biometric methods. In addition, the fingerprint identification device is quite compact: such systems are already produced in sizes smaller than a deck of cards.

Hand geometry identification

This method is now used in more than 8,000 organizations, including the Colombian Parliament, San Francisco International Airport, hospitals and immigration services. The benefits of hand geometry identification are comparable to those of fingerprint authentication in terms of reliability, although the palm reader takes up more space. The most successful device, the Handkey, scans both the inside and the side of the hand.

Iris Authentication

The advantage of iris scanning is that the iris spot pattern is on the surface of the eye, and no special effort is required from the user - in fact, a video image of the eye can be captured at a distance of a meter, which makes it possible to use such scanners in ATMs ...

Identifying parameters can be scanned and encoded even in people with impaired vision, provided the iris is intact. A cataract, which is damage to the lens of the eye located behind the iris, likewise does not affect the process of scanning the iris.

Retina Authentication

The retinal scan uses low-intensity infrared light directed through the pupil to the blood vessels at the back of the eye. Retinal scanners have become widespread in top-secret access control systems, as these authentication tools have one of the lowest denied access rates for registered users and almost zero erroneous access rates. However, eye diseases such as cataracts can adversely affect the quality of the resulting image and increase the likelihood of errors.

Identification by facial features (by face geometry)

This is one of the fastest growing areas in the biometric industry. The method is closest to how people identify each other, and this is its appeal. The development of this area is tied to the rapid growth of multimedia video technologies. However, most developers still struggle to achieve a high level of performance for such devices. Nevertheless, special devices for identifying a person by facial features can be expected to appear in the near future in airport lounges to protect against terrorists, etc.

Based on the data given in the table, two technologies stand out as the most in demand today: biometric identification using the papillary pattern of the finger (fingerprint) and using the iris of the eye.

Contrary to the popular belief that it is not difficult to "trick" a fingerprint scanner, the leading manufacturers of fingerprint scanning devices have now managed to create a combination of hardware and software that is resistant to fakes and dummies. For biometric identification systems based on the iris of the eye, the cost of creating a "dummy" is comparable to the total cost of ownership of the system. Thus, the occurrence of "errors of the second kind" (that is, granting access to a person who does not have the right to it) is practically excluded.

Of course, there are also problems. Under the influence of some factors, the biological characteristics by which a person is identified may change. For example, the deformation of the papillary pattern is possible with cuts and burns. Therefore, the frequency of occurrence of "errors of the first kind" (denial of access to a person who has the right to do so) when using one-factor identification in biometric systems is quite high. The solution to this problem is the use of multifactor authentication systems that identify a person using several factors at once, for example, by fingerprint, palm geometry and palm vein pattern.

In this case, the probability of "errors of the first kind" decreases sharply, and the overall degree of system reliability increases in proportion to the number of factors used. A factor accelerating the development of biometric means of authentication is the significant reduction in the cost of scanning devices. For example, the cost of some fingerprint scanners has already dropped to $50. This allows us to assert that in the near future the cost of fingerprint scanners will be commensurate with (if not less than) the cost of tokens.

The market for biometric identification systems has three main areas of use: civil identification systems, access control and management systems, and time and attendance systems. Today, analysts predict serious development in all three areas and, in particular, in civil identification systems in connection with the launch of the "Russian biometric passport" project in Kaliningrad and the Kaliningrad region. This served as a powerful impetus for the development of the biometric industry in Russia: the cost of devices is decreasing, reliability is increasing, and the level of maturity of society required for mass adoption of the technology is increasing. As for the global biometric identification market, analysts predict its growth to $4 billion in 2007.

The development of the biometric identification market and the falling cost of the technologies will make it possible to use these tools both in information security solutions for companies and in corporate time and attendance systems (especially for controlling business processes that require strict personalization and personal responsibility).

Thus, we can say with a high degree of confidence (this is confirmed by our own experience in creating complex information security systems) that biometric identification as such will form the basis of the future information security infrastructure of an enterprise, and will also be used in many applied solutions.
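
How the decision rule shapes "errors of the first kind" (false rejection, FRR) and "errors of the second kind" (false acceptance, FAR) when several biometric factors are combined, as in the post's fingerprint, palm geometry and palm vein example; this is an added example, not part of the original post. The per-modality rates are constructed rather than measured, the matchers are assumed statistically independent, and the function names are hypothetical.

```python
def k_of_n_accept_prob(accept_probs, k):
    """P(at least k of n independent matchers accept), computed by dynamic
    programming over the Poisson-binomial distribution."""
    dist = [1.0]  # dist[j] = P(exactly j accepts among matchers seen so far)
    for p in accept_probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)   # this matcher rejects
            nxt[j + 1] += q * p     # this matcher accepts
        dist = nxt
    return sum(dist[k:])


def fused_rates(matchers, k):
    """matchers: list of (FRR, FAR) per modality.
    Returns (FRR, FAR) of a rule that grants access when >= k matchers accept."""
    # Genuine user: each matcher accepts with probability 1 - FRR_i
    frr = 1 - k_of_n_accept_prob([1 - frr_i for frr_i, _ in matchers], k)
    # Impostor: each matcher accepts with probability FAR_i
    far = k_of_n_accept_prob([far_i for _, far_i in matchers], k)
    return frr, far


# Constructed sample rates (FRR, FAR), not vendor or test-lab figures
MATCHERS = [
    (0.03, 0.001),   # fingerprint
    (0.05, 0.002),   # palm geometry
    (0.02, 0.0005),  # palm vein pattern
]


def compare_rules():
    n = len(MATCHERS)
    return {
        "any 1 of 3": fused_rates(MATCHERS, 1),
        "2 of 3": fused_rates(MATCHERS, 2),
        "all 3": fused_rates(MATCHERS, n),
    }


if __name__ == "__main__":
    for rule, (frr, far) in compare_rules().items():
        print(f"{rule:>10}: FRR={frr:.6f}  FAR={far:.3e}")
```

With these numbers the 2-of-3 rule brings both error kinds below those of any single matcher, while requiring all three to match pushes the false-rejection rate up to about 9.7%, so the benefit depends on the fusion rule and not only on the number of factors.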
 