Identity-based security

Identity-based security is a type of security that controls access to digital information or services based on the authenticated identity of an entity. [1] It ensures that the users and services of these digital resources are entitled to what they receive. The most common form of identity-based security is the login to an account with a username and password; more recent systems also rely on biometrics such as fingerprinting or facial recognition. [2]

While most forms of identity-based security are secure and reliable, none of them are perfect and each contains its own flaws and issues. [3]

History

The earliest forms of identity-based security were introduced in the 1960s by computer scientist Fernando Corbató. [4] Corbató invented computer passwords to prevent users from going through other people's files, a problem evident in his Compatible Time-Sharing System (C.T.S.S.), which allowed multiple users to access a computer concurrently. [5] Fingerprinting, although not digital when first introduced, dates back even further, to the 2nd and 3rd century, with King Hammurabi sealing contracts with his fingerprints in ancient Babylon. [6] Fingerprints were also used in ancient China as a method of identification in official courts and documents, and fingerprinting was introduced in the U.S. in the early 20th century through prison systems as a method of identification. [7] Facial recognition, on the other hand, was developed in the 1960s, funded by American intelligence agencies and the military. [8]

Types of identity-based security

Account Login

The most common form of identity-based security is password authentication, the login to an online account. Most of the largest digital corporations, such as Facebook, Google, and Amazon, rely on this form of security. Account logins are easy to register, difficult to compromise, and offer a simple solution for identity-based digital services.

Fingerprint

Fingerprint biometric authentication is another type of identity-based security. It is considered one of the most secure forms of identification because of its reliability and accessibility, and because a fingerprint is extremely hard to fake. Fingerprints are also unique to each person and last a lifetime without significant change. Currently, fingerprint biometric authentication is most commonly used in police stations, in the security industry, and on smartphones.

Facial Recognition

Facial recognition operates by first capturing an image of the face. A computer algorithm then measures the distinctive features of the face, including but not limited to the location of the eyes, the shape of the chin, and distances from the nose. The algorithm stores this information in a database, with each set of data holding enough detail to distinguish one face from another. [9]

Controversies and issues

Account Login

A problem with this form of security is the tendency of consumers to forget their passwords. On average, an individual is registered to 25 online accounts that require a password, and most individuals use a different password for each account. [10] According to a study by Mastercard and the University of Oxford, "about a third of online purchases are abandoned at checkout because consumers cannot remember their passwords." [11] A consumer who forgets a password usually has to request a password reset sent to the linked email account, further delaying the purchase. According to an article published by Phys.org, 18.75% of consumers abandon checkout because of password reset issues. [12]

When individuals use the same password across all online platforms, the login process becomes much simpler and the password is harder to forget. However, doing so introduces another problem: a security breach of one account leads to similar breaches of all remaining accounts, jeopardizing the individual's online security. [13] This makes remembering all of one's passwords a much harder problem to solve.

Fingerprint

While fingerprinting is generally considered secure and reliable, the physical condition of the finger during a scan can drastically affect the result. For example, injuries, differing placement of the finger on the sensor, and skin conditions can all produce faulty and unreliable biometric data that may deny authorization to the legitimate user.

Another issue with fingerprinting is the biometric sensor attack. In such an attack, a fake finger or a copy of a print is presented to the sensor in place of the real finger, fooling it into authenticating an unauthorized person. [14]

Facial Recognition

Facial recognition relies on an individual's face to identify them and grant access to products, services, or information. However, it can be unreliable because of limitations in the technology (lighting, image resolution) as well as changes in facial structure over time.

There are two types of failure in facial recognition tests. [15] The first is a false positive, where the system matches the captured image to a stored data set that belongs to someone other than the actual user. The other is a false negative, where the system fails to recognize the face of the correct user. Each type of failure trades off accessibility against security, which makes the rate of each type of error significant. For instance, facial recognition on a smartphone is better off producing false negatives than false positives, since it is preferable for the owner to take several tries to log in than for a stranger to be randomly granted access to the phone.
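The trade-off above follows from the matching step described under Facial Recognition: the matcher reduces each comparison to a similarity score and accepts when the score reaches a threshold, so raising the threshold buys fewer false positives at the price of more false negatives. The following Python is an added example, not code from the article or from any real recognition system; the score lists are constructed sample data, and the threshold-selection rule is an assumption for illustration.

```python
"""Threshold trade-off for a biometric matcher (added example, constructed data).

A face or fingerprint matcher reduces each comparison against a stored template
to a similarity score and accepts when the score reaches a threshold. Moving the
threshold trades false positives (impostor accepted) against false negatives
(genuine user rejected). All scores below are constructed sample data.
"""

# Constructed similarity scores in [0, 1] from comparisons against one stored template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.73, 0.70, 0.66, 0.61]   # the real user
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.71]  # other people


def error_rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) when accepting score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # false positives
    false_rejects = sum(1 for s in genuine if s < threshold)    # false negatives
    return false_accepts / len(impostor), false_rejects / len(genuine)


def choose_threshold(genuine, impostor, max_far):
    """Lowest candidate threshold whose false-accept rate does not exceed max_far.

    Candidates are the observed scores themselves (an assumed, simple rule); the
    lowest admissible one keeps the false-reject rate as small as the FAR budget allows.
    """
    for t in sorted(set(genuine + impostor)):
        far, _ = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t
    raise ValueError("no threshold meets the requested false-accept rate")


def tradeoff_table(genuine, impostor, thresholds):
    """Map each threshold to its (FAR, FRR) pair to show the trade-off at a glance."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    table = tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.60, 0.65, 0.72])
    for t, (far, frr) in table.items():
        print(f"threshold {t:.2f}: FAR={far:.0%}  FRR={frr:.0%}")
    # A phone unlock prefers false negatives over false positives: demand FAR = 0
    # and accept the higher false-reject rate that comes with it.
    strict = choose_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print("strict threshold:", strict, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, strict))
```

Running it shows the lowest threshold with no false accepts on this data is 0.73, which rejects the genuine user on 30% of attempts, whereas allowing a 10% false-accept rate lets the threshold drop to 0.66 with only 10% false rejects.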

In ideal conditions, with perfect lighting, positioning, and camera placement, facial recognition technology can be as accurate as 99.97%. However, such conditions are extremely rare and therefore unrealistic. In a study conducted by the National Institute of Standards and Technology (NIST), the accuracy of facial recognition on video recordings ranged from 94.4% to 36%, depending on camera placement and the nature of the setting. [16]

Aside from the technical deficiencies of facial recognition, racial bias has also emerged as a controversial subject. A federal study in 2019 concluded that facial recognition systems falsely identified Black and Asian faces 10 to 100 times more often than White faces. [17]

References

  1. "identity-based access control - Glossary | CSRC". csrc.nist.gov. Retrieved 2020-11-27.
  2. Dastbaz, Mohammad; Halpin, Edward; Wright, Steve (2013). "Emerging Technologies and the Human Rights Challenge of Rapidly Expanding State Surveillance Capacities". Strategic Intelligence Management. pp. 108–118. doi:10.1016/B978-0-12-407191-9.00010-7. ISBN 9780124071919.
  3. Pot, Justin. "Perfect Computer Security Is a Myth. But It's Still Important". How-To Geek. Retrieved 2020-12-06.
  4. "Computer password inventor dies aged 93". BBC News. 2019-07-15. Retrieved 2020-11-20.
  5. Yang, Yi; Yeo, Kheng Cher; Azam, Sami; Karim, Asif; Ahammad, Ronju; Mahmud, Rakib (2020). "Empirical Study of Password Strength Meter Design". 2020 5th International Conference on Communication and Electronics Systems (ICCES). pp. 436–442. doi:10.1109/ICCES48766.2020.9137964. ISBN 978-1-7281-5371-1. S2CID 220568597.
  6. "The History of Fingerprinting". Crime+Investigation UK. 2018-05-06. Retrieved 2020-11-20.
  7. "History of Fingerprints". www.crimescene-forensics.com. Retrieved 2020-12-06.
  8. "Facial Recognition". Bloomberg.com. 2019-05-23. Retrieved 2020-11-20.
  9. Sample, Ian (2019-07-29). "What is facial recognition - and how sinister is it?". The Guardian. ISSN 0261-3077. Retrieved 2020-12-06.
  10. Yıldırım, M.; Mackie, I. (1 December 2019). "Encouraging users to improve password security and memorability". International Journal of Information Security. 18 (6): 741–759. doi:10.1007/s10207-019-00429-y. S2CID 108292833.
  11. Johnson, Tim (June 16, 2017). "Forgot your password? You have too many and stores are losing business over it". Impact 2020.
  12. "When customers forget their passwords, business suffers". phys.org. Retrieved 2020-10-29.
  13. Schroers, Jessica (4 May 2019). "I have a Facebook account, therefore I am – authentication with social networks". International Review of Law, Computers & Technology. 33 (2): 211–223. doi:10.1080/13600869.2018.1475895. S2CID 65110549.
  14. Ali, Media Abdul Razak (2011). "Design of an Online authentication protocol using both fingerprint identification and identity based cryptography". Al-Nahrain Journal for Engineering Sciences. 14 (2): 199–204.
  15. "Face Recognition". Electronic Frontier Foundation. 2017-10-24. Retrieved 2020-12-06.
  16. "How Accurate are Facial Recognition Systems – and Why Does It Matter?". www.csis.org. Retrieved 2020-12-06.
  17. "Despite past denials, LAPD has used facial recognition software 30,000 times in last decade, records show". Los Angeles Times. 2020-09-21. Retrieved 2020-12-06.