Problems of biometric methods in Authentication and Authorization Infrastructures

For this, known forms of AAIs have to be checked as to whether their architectures permit the use of biometrics. Based on this research, changes to their architectures can be made in order to arrive at a reference model of a biometric AAI.

5. Conclusions

In order to become a large-scale solution to the growing number of passwords, AAIs have to provide both security and comfort in use. While comfort is achieved through flexibility in the authentication process and the user-centric approach to identification provided by AAIs, biometrics (such as typing behavior) can provide the extra security necessary for the authentication process.

While researching the architecture and the specific problems of biometric AAIs, new knowledge and information will be gathered. It is therefore relevant for this knowledge to be implemented in the form of a prototype of a biometric AAI, based on the elaborated reference model. An easy-to-use biometric method in this case is typing behavior, as it does not require special sensors and can therefore be readily implemented as an additional security mechanism for password-protected AAIs.

This prototype of a biometric AAI is currently under development at the University of Regensburg. It uses the patented typing-recognition method Psylock [1] in combination with the popular open-source AAI OpenID [9]. The research topics mentioned are taken into account during the implementation process.
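To make the typing-behavior biometric and the score-dependent authorization discussed in these conclusions concrete, the following is an added example; it is not code from the paper, from Psylock or from the Regensburg prototype. It implements a simple statistical keystroke-dynamics matcher (per-feature mean and standard deviation of dwell and flight times, z-score tolerance), which is not Psylock's patented method, and an assumed policy that grants an access level according to the match score reached, with a token as fall-back when the biometric match fails but the password is correct. The thresholds, the standard-deviation floor and the keystroke timings for the text "pass" are all constructed for the example.

```python
# Added example (not Psylock's patented method and not the Regensburg prototype's code):
# a simple statistical keystroke-dynamics matcher plus an assumed score-based policy.
# Timing model, thresholds and the sample keystroke data below are all constructed.
from statistics import mean, pstdev

# Z-score tolerance per feature and the floor for a feature's std-dev (ms); both assumed.
Z_TOLERANCE = 2.0
MIN_STD_MS = 5.0


def features(events):
    """Turn keystroke events into a timing vector.

    events: list of (key, press_ms, release_ms) in typing order.
    Dwell time  = release - press of the same key.
    Flight time = press of the next key - release of this key.
    """
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Build a template (per-feature mean and std-dev) from repeated typings of one text."""
    vectors = [features(s) for s in samples]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("all enrollment samples must contain the same text")
    means = [mean([v[i] for v in vectors]) for i in range(n)]
    # Floor the std-dev so that a feature that happened to be constant during
    # enrollment does not reject every later attempt (and to avoid division by zero).
    stds = [max(pstdev([v[i] for v in vectors]), MIN_STD_MS) for i in range(n)]
    return means, stds


def match_score(template, events):
    """Fraction of an attempt's timing features that lie within Z_TOLERANCE std-devs
    of the template mean: 1.0 means every feature matched, 0.0 none."""
    means, stds = template
    vec = features(events)
    if len(vec) != len(means):
        raise ValueError("attempt does not contain the enrolled text")
    hits = sum(1 for x, m, s in zip(vec, means, stds) if abs(x - m) / s <= Z_TOLERANCE)
    return hits / len(vec)


# Assumed policy: the access level depends on the biometric match score reached.
# A token can substitute for a failed biometric match (fall-back for a lost factor),
# but a wrong password always denies access.
FULL_ACCESS_SCORE = 0.85
LIMITED_ACCESS_SCORE = 0.5


def authorize(password_ok, score, token_ok=False):
    if not password_ok:
        return "deny"
    if score >= FULL_ACCESS_SCORE:
        return "full"        # e.g. all areas of the application
    if score >= LIMITED_ACCESS_SCORE:
        return "limited"     # e.g. read-only areas, no account changes
    if token_ok:
        return "limited"     # fall-back: password + token instead of biometrics
    return "deny"


# Constructed keystroke timings (ms) for the text "pass": (key, press, release).
ENROLLMENT = [
    [("p", 0, 90), ("a", 150, 240), ("s", 300, 380), ("s", 450, 540)],
    [("p", 0, 95), ("a", 160, 250), ("s", 310, 395), ("s", 460, 545)],
    [("p", 0, 85), ("a", 145, 235), ("s", 290, 375), ("s", 445, 530)],
]
GENUINE = [("p", 0, 92), ("a", 155, 243), ("s", 305, 388), ("s", 455, 542)]
TIRED = [("p", 0, 90), ("a", 180, 270), ("s", 360, 445), ("s", 540, 625)]   # slower flights
IMPOSTOR = [("p", 0, 140), ("a", 300, 430), ("s", 600, 720), ("s", 900, 1010)]


def demo():
    """Score each attempt against the enrolled template and apply the policy."""
    template = enroll(ENROLLMENT)
    results = {}
    for name, attempt, token_ok in [
        ("genuine", GENUINE, False),
        ("tired, same user", TIRED, False),
        ("impostor with password", IMPOSTOR, False),
        ("impostor with stolen token", IMPOSTOR, True),
    ]:
        score = match_score(template, attempt)
        results[name] = (round(score, 3), authorize(True, score, token_ok))
    return results


if __name__ == "__main__":
    for name, (score, level) in demo().items():
        print(f"{name:28s} score={score:.3f} access={level}")
```

The last case is the caveat behind the "loss of one authentication factor" question: once a token may stand in for the biometric, an attacker holding password and token gets the same limited access as a genuine user with an off day, so the fall-back reduces the scheme to two factors and the policy has to decide which areas that is still acceptable for.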
First tests have confirmed the aforementioned issues and brought up further research topics, such as the use of three-factor authentication (password, biometrics and token), fall-back mechanisms (loss of one authentication factor), trust management (can the parties involved be trusted?) and policy-based biometric authorization (e.g. access granted to different areas depending on the match score reached).

References

[1] Bartmann, D.; Bartmann, D. jr.: "Method of user identity verification by means of a keyboard", German patent No. 196 31 484, 1997.
[2] Bartmann, D.; Breu, C.: "Suitability of the biometric feature of typing behavior for user authentication" (in German), Aachen 2004, pp. 321-341.
[3] Bartmann, D.; Bakdi, I.; Achatz, M.: "On the Design of an Authentication System Based on Keystroke Dynamics Using a Predefined Input Text", International Journal of Information Security and Privacy 1 (2007), No. 2, pp. 1-12.
[4] Hess, A.; Humm, B.; Voß, M.: "Rules for high quality service oriented architectures" (in German), Springer-Verlag, 2006.
[5] Kormann, D.; Rubin, A.: "Risks of the Passport Single Signon Protocol", Computer Networks, Elsevier Science Press, Vol. 33, pp. 51-58, 2000.
[6] Krafzig, D.; Banke, K.; Slama, D.: "Enterprise SOA", Prentice Hall Professional Technical Reference, 2005.
[7] Lopez, J.; Oppliger, R.; Pernul, G.: "Authentication and authorisation infrastructures (AAIs): a comparative survey", Computers & Security 23, pp. 578-590, 2004.
[8] Monrose, F.; Reiter, M.; Wetzel, S.: "Password hardening based on keystroke dynamics", International Journal of Information Security, pp. 69-83, 2002.
[9] OpenID, http://openid.net/, retrieved 01.03.2008.
[10] Peacock, A.; Ke, X.; Wilkerson, M.: "Typing Patterns: A Key to User Identification", IEEE Security & Privacy, Vol. 2, No. 5, (2004) pp. 40-47.
[11] Ratha, N. K.; Connell, J. H.; Bolle, R. M.: "Enhancing security and privacy in biometrics-based authentication systems", IBM Systems Journal, Vol. 40, No. 3, 2001.
[12] Schläger, C.; Sojer, M.; Muschall, B.; Pernul, G.: "Attribute-Based Authentication and Authorisation Infrastructures for E-Commerce Providers", pp. 132-141, Springer-Verlag, 2006.
[13] Spillane, R. J.: "Keyboard apparatus for personal identification", IBM Technical Disclosure Bulletin, Vol. 17, No. 11, (1975) p. 3346.
[14] Stein, L.; Stewart, J.: "WWW Security FAQ", 2003, http://www.w3.org/Security/Faq/wwwsf1.html, retrieved 01.03.2008.
[15] Syverson, P.: "A Taxonomy of Replay Attacks", Proceedings of the Computer Security Foundations Workshop VII, Franconia, NH, 1994, IEEE CS Press (Los Alamitos, 1994).