Chapter 2 - Identification and Authentication

Question 1

What is identification?

Answer 1

The claim of what someone or something is.

Question 2

What is authentication?

Answer 2

Establishes whether this claim is true. We can see such processes taking place on a daily basis in a wide variety of ways.

Question 3

What is identity verification?

Answer 3

Is a step between identification and authentication, in which the identity is verified in some way. This is a step better than just a claim, but not an authentication. For example, a driver’s license is an identity verification, to help in showing the name given is true.

Question 4

What else is identity verification used in, besides in personal interactions?

Answer 4

Computer systems. In many cases, such as when we send an email, the identity we provide is taken to be true, without any additional steps taken to authenticate us.

Question 5

What are authentication factors?

Answer 5

There are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use.

Question 6

What is the benefit of using more factors?

Answer 6

When attemting to authenticate a claim, the more we use, the more positive our results will be.

Question 7

What are the five factors?

Answer 7

Something you know

Something you are

Something you have

Something you do

Where you are

Question 8

This factor is very common.

It can include passwords, PINS, passphrases, etc.

Which one is it?

Answer 8

Something you know

Question 9

This factor includes an item or device, although this factor can extend into some logical concepts as well. We can see such factors in general use in the form of ATM cards, state of federally issued identity cards, or software based security tokens.

Which is it?

Answer 9

Something you have: A factor generally based on the physical possession of an item or device.

Question 10

This factor can be based on simple attributes, such as height, weight, hair color, or eye color.

More reliable methods include fingerprints, iris or retina patterns, or facial characteristics.

Answer 10

Something you are: A factor based on the relatively unique physical attributes of an individual.

Question 11

What are biometrics?

Answer 11

Another name for “something you are”.

Question 12

What factor is based on physical presence at a location or locations?

Answer 12

Where you are: A geographically based authentication factor. This factor operates differently than the other factors, as its method of authentication depends on the person being authenticated being present at a particular location.

Question 13

What method is based on actions or behaviours of an individual?

Answer 13

Something you do, sometimes considered a variation of something you are, is a factor based on actions or behaviours.

This includes a person’s gait, measurement of multiple factors in his or her handwriting, the time delay between keystrokes as he or she types a pass phrase, or similar factors.

Question 14

What is multifactor authentication?

Answer 14

Uses one or more of the factors we discussed in the preceding section. This practice is also referred to in some cases, as two-factor authentication.

Question 15

What is mutual authentication?

Answer 15

Refers to an authentication mechanism in which both parties authenticate each other.

in the standard process, which is a one-way authentication, the client authenticates to the server to prove that it is the party that should be accessing the resources the server provides.

In mutual authentication, not only does the client authenticate to the server, but the server authenticates to the client as well.

Digital certificates are often used to accomplish mutual authentication.

Question 16

Without mutual authentication, what do we leave ourselves open to?

Answer 16

Impersonation attacks, often referred to as “man-in-the-middle” attacks. In these, the attacker inserts himself between the client and the server and impersonates the server to the client, and the client to the server.

This becomes considerably more difficult when mutual authentication is in place.

Question 17

Reversing the process of verifying an identity with biometrics, we can do what?

Answer 17

We can use biometrics as a method of identification.

Question 18

When using biometrics as a method of identification or verification, we need to do what beforehand?

Answer 18

We must put the user through the enrollment process. This involves recording the chosen biometric characteristic from the user, so that it can be later matched in the system.

Question 19

What are the seven characteristics of biometric factors?

Answer 19

Universality
Uniqueness
Permanence
Collectability
Performance
Acceptability
Circumvention

Question 20

The biometric factor characteristic “universality” is defined by what?

Answer 20

Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system.

For example, use of a fingerprint may be hindered if someone does not have a particular finger anymore.

Question 21

The biometric factor characteristic “uniqueness” is defined by what?

Answer 21

Uniqueness is a measure of how unique a particular characteristic is among individuals. For example, if we choose to use height or weight as a biometric identifier, we would stand a very good chance of finding several people in any given group who are of the same height or weight.

Question 22

What is permanence?

Answer 22

Permanence is a characteristic of a biometric factor:

Permanence tests show how well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user.

Question 23

What is collectability?

Answer 23

Collectability is a characteristic of a biometric factor:

Collectability measures how easy it is to aquire a characteristic with which we can later authenticate a user. Most commonly used biometrics, such as fingerprints, are relatively easy to acquire, and this is one reason they are in common use. If we choose a characteristic that is more difficult to acquire, such as a footprint, the user will need to remove his show and sock in order to enroll.

Question 24

What is performance?

Answer 24

Is a characteristic of biometric factors:

Performance is a set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate. We will discuss the performance of biometric systems at greater length later in this section.

Question 25

What is acceptability?

Answer 25

Acceptability is a characteristic of a biometric factor:

A measure of how acceptable the particular characteristic is to the users of the system. in general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user. Systems that require users to remove their clothes, touch devices that have been repeatedly used by others, or provide tissue or bodily fluids will likely not enjoy a high degree of acceptability.

Question 26

What is circumvention?

Answer 26

Circumvention is a characteristic of a biometric factor:

Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier. The classic example of a circumvention attack against the fingerprint as a biometric identifier is found in the “gummy finger”. In this type of attack, a fingerprint is lifted from the surface, potentially in a covert fashion, and is used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.

Question 27

What do we use to measure performance of a biometric system?

Answer 27

False acceptance rate FAR

False Rejection Rate FRR

Equal Error Rate EER

Question 28

What is a False Acceptance Rate?

Answer 28

Occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.

Question 29

What is a False Rejection Rate?

Answer 29

Is a problem of rejecting a legitimate user when we should have accepted her. This type of issue if commonly known outside the biometrics world as a false negative.

Question 30

What is an Equal Error Rate?

Answer 30

What we try to achieve with biometric systems is a balance between false positives and false negatives, this is found in ERR, which is the intersection of FRR and FAR.

Question 31

What are the issues found in biometric systems?

Answer 31

Biometrics can be easily forged.

Privacy issues

False biometrics left in systems.

Question 32

What is a hardware token?

Answer 32

A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive and contain a small amount of storage holding a certificate or unique identifier, and are often called dongles. More complex hardware tokens incorporate LCD displays, as shown in Figure 2.4, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.

Hardware tokens represent the something you have authentication factor.

Question 33

If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?

Answer 33

Different factors are: (1) something you know, (2) something you are,
(3) something you have, (4) something you do, and (5) the place you are.
So the answers might be:
– identity card (factor-3) and pin numbers (factor-1)
– identity card (factor-3) and different types of biometrics (factor-2 or factor-4)
– identity card (factor-3) and location information (factor-5)
– or any combination of the above.

Question 34

If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?

Answer 34

For this question, it should be discucsed that the strength of the password increases
as one increases the number of characters. However this is not a significant increase
because it is just one dimension, i.e. we only play with the number of characters. To
make it significantly stronger, we need to bring in other dimensions such as the case used
(lower case vs upper case), the use of not only letters but numbers and/or symbols etc

Question 35

What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?

Answer 35

For this question, look for some creativity in terms of the 5 factors used. Again the
factors are: (1) something you know, (2) something you are, (3) something you have, (4)
something you do, and (5) the place you are.

Question 36

If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?

Answer 36

: For this question, again look for some creativity in terms of the 5 factors used.
There should be a good discussion of what to avoid in terms of factors. Of course this
should depend on the unique solution presented.