Usability and Security

More documents

Recommendations

Info

Security aspects:• Confidentiality: in this aspect the property that information is not made available to unauthorizedindividuals is important. When a token gets lots or stolen, the risk of unauthorized individualsgetting access to a building increases. In the case of an OTP, an unauthorized user would stillrequire the key fob and userid to obtain remote access. This aspect is therefore considered whenusing OTP;• Integrity: in this aspect the property of safeguarding the accuracy and completeness of assets isimportant. When a token gets lots or stolen, the risk of unauthorized individuals getting access to abuilding increases. In the case of an OTP, an unauthorized user would still require the key fob anduserid to obtain remote access. This aspect is therefore considered when using OTP;• Availability: in this aspect the property of being accessible and usable upon demand by anauthorized user, in this case getting access to a building or remote access is important. When atoken gets lots or stolen, the risk of unauthorized individuals getting access to a building increases.In the case of an OTP, an unauthorized user would still require the key fob and userid to obtainremote access. This aspect is therefore considered when using OTP.In this paragraph we have seen that tokens are primarily used as a one factor authentication process forphysical domains, e.g. swipe cards for door access. It is considered to be a weak mechanism as a validtoken can be been stolen and does not prove ownership. OTP such as the SecurID is one way ofsignificantly reducing the risk of using passwords. The chance of someone stealing or fraudulentlyobtaining the key fob and knowing the user's id to successfully masquerade as the identity is consideredunlikely to happen. The table below illustrates the results of our classification based upon the analysesperformed in this paragraph:AspectsUsabilitySecurityTypes of tokensEffectiveness Efficiency Satisfaction Level Confidentiality Integrity Availability LevelToken X X X High LowOTP Token X X High X X X HighTable 4: Token levels3.3.4 BiometricsIn this paragraph the biometric authentication mechanism will come up for discussion. We will discusshandprint, fingerprint, retina, Iris and face as biometric-based authentication. We have selected only thesetypes of biometric authentication mechanisms as they are most commonly researched.Biometrics are automated methods of identity verification or identification based on the principle ofmeasurable physiological or behavioral characteristics such as fingerprints, hand, the patterns of retinas,veins, Irises and faces. Behavioral biometrics techniques include those based on voice, signature andtyping behavior. These biometrics approaches follow a similar operation: a digital template is createdduring an enrollment process; the template is stored in a database or in some cases on the chip of a card.On attempted verification, the relevant template is extracted and compared with the data input, say in theform of a fingerprint, or an acquired Iris image, for positive identification. Each technique has its own18
unique set of advantages and disadvantages. Cost, size, and method of use often dictate applicability toany given situation.Fingerprints, retinal scanning and Iris scanning are the only biometrics types that can accurately identifyan individual. Biometrics technologies have a wide range of accuracy, reliability, and usability. Thus,despite the difficulty in comparing biometrics, they will always have some comparable accuracy versususability balance that can be compared with other technologies 34 . With regards to the security aspectsaround biometrics; incorporating biometrics techniques into the organizations security architecture mayincrease information security by means of eliminating the ability of sharing passwords and making itmuch more difficult to counterfeit or steal the security key. The specific level of security provided by adevice also depends on the number of “reference points,” which are the individual metrics taken in eachscan 35 . According to Purnell & Marks, Iris scanners capture 200+ reference points while fingerprintreaders typically capture around 80. Furthermore, the effectiveness of the reference points also depends onthe algorithms used. More reference points can mean more false negative identifications 35 . This meansusing better accuracy might result in rejecting the right individual. While more reference pointstheoretically mean a better “signature,” it can also mean that there are more chances for failure in thesecondary scan. In relation to this, if the individual using the device is not positioned in a correct way,then the scanner may not pick up each reference point properly. The individual sensitivity settings on adevice control whether it will error the side of caution (rejection) or convenience (acceptance) 35 . Theaccuracy of many biometric systems is still not high enough for some applications e.g. negativeidentification or matching against a very large database 36 . Facial recognition systems are often used tocreate a manageable subset of possible identities, but must be scrutinized by a human observer. Thus,facial systems may not be suitable for real-time identification 37 .The actual performance of these devices is typically measured in terms of two measures 34 :• False accept rates (FAR). The likelihood that the wrong person will be able to access the system;• False reject rates (FRR). The likelihood that a legitimate person will be denied access.Setting the sensitivity too high can result in too many False Rejection Rate (FRR) and setting it too lowcan increase the False Acceptance Rate (FAR) 35 . Reported values for FAR and FRR are usually based ontheoretical calculations performed with clean, high-quality data, instead on actual observations and realworldperformance 34 . The realized performance may not be as good as the predicted performance.Performance estimates are often far more impressive than actual performance 38 . Many systems do not liveup to expectations because they prove unable to cope with the enormous variations among largepopulations, or fail to take into account people’s needs and behaviors 39 .Regarding the usability aspects around biometrics; various biometric sensors require more or lessinvolvement of the users. An important aspect is the nature of the signatures collected that impact the easeof enrollment and implementation of the equipment 35 .19
Page 1 and 2: Usability and SecurityUniversity: V
Page 3 and 4: ACKNOWLEDGMENTSThis thesis covers t
Page 5 and 6: IntroductionThe developments in Inf
Page 7 and 8: idging the gap between theory and p
Page 9 and 10: 2.1.3 Usability componentsIn order
Page 11 and 12: custom approach 12 . An example of
Page 13: put usability and security amongst
Page 16 and 17: Security aspects:• Confidentialit
Page 18 and 19: ambiguous. Controlled answers offer
Page 20 and 21: 3.3.3 TokensIn this paragraph the t
Page 24 and 25: The strengths, weaknesses and usabi
Page 26 and 27: conclude that the most efficient bi
Page 28 and 29: e guessed, which results in a low s
Page 30 and 31: To answer our main research questio
Page 32 and 33: AppendixInterview with Martin Wijnm
Page 34 and 35: Sources1 ISO 9241-11, Part 11: Guid

Usability and Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?