An orbicular thinking on authentication systems
University of Central Lancashire
BSc (Hons) Computing (Year 3)
2. How authentication systems work
2.1.2 Hashing
2.1.3 Salting
2.2 Biometrics
2.2.1 Fingerprints
3. Strengths and weaknesses
4. Threats and potential attacks
4.1.1 Brute force
4.1.2 Phishing
4.1.3 Forgery
4.1.4 Physical harm
5. Passwords vs Biometrics
Human verification is the security task whose responsibility is to confine
access to computer systems and physical locations to those with authorization.
This is attained by equipping legitimate users with passwords or by using
biometrics. However, because of human limitations these are often used feebly,
which weakens security, or they are secure but so inconvenient that they are
avoided. This report describes means of authentication together with their
strengths and weaknesses. It also explains the potential attacks that can be
executed against each system and then compares the two authentication systems
by their core attributes. Lastly, one of these systems is recommended for use in
a business.
A distinct feature that has represented the human race for ages is that every
individual can identify others by their numerous physical characteristics. We
can identify individuals by their face when we see them or by their voice when
we speak to them. Verification in computing has customarily been based on
passwords and PINs. In the 21st century, because of the significant
improvement of technology, it is very difficult for an individual or a
business to rely on those security measures alone. Besides that, passwords are
often forgotten or disclosed, so it is essential to make a transition to
trustworthy security measures. To achieve reliable identification, something
that typifies only the given person should be used. Biometrics propose methods
of identification or verification on the principle of measurable physiological
or behavioral characteristics. This paper gives an overview of two
authentication systems, analyzes them and compares them. Additionally, it
describes the potential threats of each system and advocates one of these
systems for use in a
How authentication systems work
An operating system bases its security features on knowing who the user is.
The operating system can allow an administrator to change specific computer
settings but refuse the same to other users. The method by which a user
verifies that they are who they claim to be is called authentication.
Currently there are many methods of authentication, such as presentation of
official documents (ID card, passport), password authentication, biometrics
and more. In cryptography, a shared secret is a piece of data that is known
only to the parties involved (e.g. user and computer). The most common forms of
shared secrets are passwords and PINs. However, shared secrets are sometimes
not safe, as they can be stolen. That is the reason why two other popular
components can be used for authentication: something the user has (e.g. keys
or tokens) and something the user is (e.g. biometrics). “Bio” refers to the
physiological qualities that are measured, while “metrics” refers to the
measurable analysis that provides a positive identification of a unique person.
Biometrics are gaining widespread use in the business world as a means to make
the workplace more secure and effective. Biometric technology promises almost
infallible security for different aspects of computer systems. Biometrics use
physical or behavioral characteristics of humans. Behavioral characteristics
refer to the habits of a person rather than physical characteristics.
Figure 1.0 (Woodward, 1997) Biometric man
In the beginning, when computers were first introduced, passwords were stored
in a database as plain text. When a user wanted to sign in, a “doorkeeper”
application would ask for the password. It would take whatever the user typed
and check whether it was equal to whatever had been stored in the database. If
they were equal, the user was granted access. As technology developed at a
rapid pace, malicious hackers started gaining unauthorized access to systems.
Eventually developers and administrators came up with a solution, which was
password hashing.
A hashing algorithm works like a machine that generates a value with a specific
number of digits from a string or text by using a formula. The formula is
designed so that it is unlikely that some other text will produce the same hash
value. However, hashes are not the ideal solution to the problem, as hackers
found a way to “break” hashing by using rainbow tables. A rainbow table is a
precomputed list of plaintext candidates and their hashes, specific to a given
hash algorithm. As soon as the attacker gains access to a password database,
the password cracker compares the precompiled list of hashes to the hashed
passwords in the database. The rainbow table links text possibilities with
each of those hashes, which the attacker can exploit to access the network. To
help defend against these kinds of attacks, developers and administrators came
up with a method called salting passwords.
Salting is the addition of a unique, random string of characters, known only to
the site, to each password before it is hashed; typically this “salt” is placed
in front of the password. The use of unique salts means that common passwords
shared by multiple users are not immediately revealed when one such hashed
password is identified.
Figure 2.0 Password hashing and salting
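The following is an added example, not code from the original report: it stores a password as described above (random salt placed in front of the password, then hashed) and shows why a precomputed hash-to-plaintext table recovers unsalted hashes but not salted ones. The candidate password list and the use of SHA-256 are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list: the plaintexts an attacker would precompute hashes
# for. A true rainbow table stores this more compactly, but it answers the same
# question: which plaintext produced a given unsalted hash?
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salt placed in front of the password before hashing, as the text says.
    Production systems use a deliberately slow function (PBKDF2, bcrypt or
    Argon2) instead of one SHA-256 round; the salting logic is the same."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """Build the stored record: a fresh random 16-byte salt plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the salted hash of the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], salted_hash(attempt, salt))


def precomputed_table(candidates) -> dict:
    """Map unsalted hash -> plaintext for every candidate (the attacker's table)."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: dict, stored_hash: str):
    """Return the plaintext behind stored_hash if the table has it, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("unsalted:", lookup(table, unsalted_hash("letmein")))  # letmein
    record = store_password("letmein")
    print("salted:  ", lookup(table, record["hash"]))            # None
    print("verify:  ", verify_password(record, "letmein"))       # True
```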
Biometric devices, and specifically fingerprint devices, use a scanner to get
an image of the finger, and the scanner needs to determine whether the pattern
of ridges matches the pattern of ridges in pre-scanned images. Specific
characteristics that are unique to every fingerprint are saved as a
mathematical representation. The representation that is saved cannot be
converted back into an image, so it is hard to duplicate your
Figure 3.0 How a fingerprint system works
Fingerprint identification is possibly the oldest of all the biometric
methods. Fingerprints were already used in China as a means of positively
identifying a person as the author of a document. In the early 70s a study was
commissioned to compare various biometric technologies used for
identification. This study concluded that fingerprint technologies had the
greatest potential to produce the best identification accuracy. Nowadays,
after various modern advances and big cost reductions, fingerprint systems are
available and affordable for almost everyone.
Figure 4.0 The types of fingerprints
A vital matter that every serious user and company must consider before they
set up their security system is the strengths and weaknesses of the system.
That will help a lot in understanding whether the system is appropriate or not.
A password authentication system is very simple to use, and carefully choosing
strong passwords is likely to increase security. Strength depends on two
important factors: length, which is very critical because it increases the
total number of combinations available, and the number of different character
types. Furthermore, passwords are simple to deploy, since the operating system
provides the user accounts and passwords; no additional configuration is
needed. However, password authenticators can easily be forgotten, or they can
be lent, so they are not trustworthy. Moreover, passwords can easily be
stolen, as there are many ingenious people who might get the password at the
time someone is typing it, so it is better to make sure that no one is watching
or at least to protect the keyboard or keypad by covering it with the hands.
The major problem is that password authenticators are vulnerable to guessing,
because users often choose short passwords that are susceptible to easy
Since everyone in the world possesses unique physiological features that
cannot easily be exchanged, shared, or stolen, biometric identification has
the potential to accurately classify someone without a shadow of a doubt
approximately one hundred percent of the time. Fingerprints are one of the
various identification methods that can guarantee very high accuracy.
Furthermore, fingerprint identification has the easiest usability among the
biometric systems and, according to recent research, has been classified as
the most economical technique for a company to install. Besides that,
fingerprint identification uses little storage, which is very convenient for
small companies. Apart from the advantages, biometrics, and specifically
fingerprints, also have various disadvantages. One of the most dangerous
weaknesses is the authentication threshold errors: FRR, FAR and CER. The first
type is the false rejection rate (FRR), which is the percentage of users who
are incorrectly rejected; the second type is the false acceptance rate (FAR),
which is the percentage of users who were incorrectly authenticated as valid
users; and the third type is the crossover error rate (CER), the error rate at
which the FAR equals the FRR. The lower the CER, the more accurate and reliable
the system is. The variability of biometric characteristics, which is
responsible for threshold errors, reduces accuracy as soon as a user presses
one side of the finger more than the other, and finger cuts may also affect
fingerprint scanning. Every individual and company has to consider those
strengths and weaknesses before they proceed with the final choice.
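The three error rates above, worked through on constructed data as an added example (not from the original report): the match scores, the accept-above-threshold rule and the threshold sweep are assumptions, but they show how raising the threshold trades FAR against FRR and where the CER lies.

```python
# Constructed matcher scores in [0, 1]: how strongly a scanned finger matched
# the enrolled template. "Genuine" attempts come from the enrolled user,
# "impostor" attempts from someone else. Hypothetical values, not sensor data.
GENUINE_SCORES = [0.91, 0.88, 0.75, 0.83, 0.62, 0.95, 0.70, 0.79, 0.86, 0.58]
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.27, 0.55, 0.18, 0.41]


def accept(score: float, threshold: float) -> bool:
    """The device accepts a finger when its match score reaches the threshold."""
    return score >= threshold


def frr(genuine, threshold):
    """False rejection rate: fraction of genuine attempts the device rejects."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: fraction of impostor attempts the device accepts."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return (threshold, CER) where FAR meets FRR.

    Raising the threshold lowers FAR but raises FRR, so the two curves cross;
    the CER is their common value at the first threshold where the gap between
    them is smallest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.8):
        print(f"threshold {t}: FAR={far(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={frr(GENUINE_SCORES, t):.2f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```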
Threats and potential attacks
The fundamental purpose of authentication systems is to grant access only to
authorized users. However, if a system is not correctly chosen and
implemented, the authentication system can expose vulnerabilities that
attackers can capitalize on to gain access to the user’s system. Some notable
threats and attacks, such as brute force and dictionary attacks, are described
below.
Brute force attacks
A brute force attack is an effort by an attacker to discover the user ID and
password for a valid account on an application. As soon as the brute force
attack is fruitful, the attacker might be able to obtain:
Confidential information, such as profile data for users or confidential
documents stored on a web application
Administration tools used by the System Administrator of the web application
to manage (modify and delete) web
Sections of a web application that might expose vulnerabilities or advanced
functions not available to
Phishing is the kind of attack that uses a “camouflaged” email as a weapon.
The aim of the attacker is to trick the receiver of the email into believing
that the email is something very important, such as a bank request or an email
from the user’s workplace. As soon as the user has been persuaded and enters
personal information, the attacker can use this information at the user’s
expense. Phishing can also function in other ways, such as through a disguised
program that contains malware. With that method the attacker can extract much
more information and use it against the user.
Figure 5.0 Represents how a phishing attack is
Forgery is one of the most common ways that an attacker can gain access to
personal information or credential data, especially from fingerprint
identification systems. If the attacker places a special membrane on the
device, they can capture the fingerprint of the authorized user and afterwards
use it at that user’s expense. To an excessive degree, the attacker may harm or
even kill the authorized person only to gain access to the data. However, due
to the fingerprint sensor techniques, it is extremely difficult for the
attacker to gain access. For example, if the attacker kills the user, cuts off
the finger and tries to authenticate, it will be unsuccessful, because the
fingerprint device has a thermal sensor installed and the finger has to be warm
in order for it to function properly.
A very easy way for an attacker to get all the information is to break into a
system by physically harming the devices. Also, if the attacker gets into the
server room of the company, for example, they can take advantage of it, delete
the employees’ fingerprint details and put in their own personal details, which
gives the attacker regular access. However, that leaves the attacker exposed,
because there is a higher possibility of getting caught by the police.
Passwords                                      | Biometrics
Easy to change                                 | Impossible to change
Low cost (€100-€200)                           | High cost (€1000-€1500)
Can be shared amongst users                    | Cannot be shared
Necessity for unique password for every system | Can be used on any system
Can’t personally identify you                  |
Comparison of the two authentication systems
In the 21st century authentication systems are a fundamental aspect of the
computer security field, as various subjects rely on them. Individual users
and companies must take into serious consideration the viability of personal
data or confidential documents and conduct research on which authentication
system is suitable. Let’s consider a scenario in which a medium-sized company
wants a security authentication system to protect various aspects of the
company. In my opinion, as soon as the company employs more than one hundred
people and gains a respectable amount of income per year, it has the financial
ability to install biometrics as an authentication system. Specifically, the
company can choose the fingerprint system, as it is the cheapest among all the
other biometric choices. The employees of the company will be granted access to
their PCs by putting their finger on the fingerprint device. Moreover, outside
the server room, or the room which has credential files and documents in it,
there is going to be a fingerprint device that allows only an authorized
employee to have access to those rooms. As soon as the company takes care to
protect its documents, servers and employees, the percentage of vulnerabilities
available will be reduced significantly.
Anon., 2001. Reference for Business. [Online]
Available at: http://www.referenceforbusiness.com/small/A-Bo/Biometrics.html
[Accessed 3 January 2018].
Anon., 2006. Microsoft. [Online]
Available at: https://msdn.microsoft.com/en-us/library/ms851492(v=winembedded.11).aspx
[Accessed 4 January 2018].
Anon., 2016. The WordPress Security Learning Center. Password Authentication
and Password Cracking, 15 February.
Bourgeois, D. T., 2014. Information Systems for Business and Beyond. 1st ed.
California: Saylor Foundation.
Cucu, P., 2017. Heimdal Security. [Online]
Available at: https://heimdalsecurity.com/blog/biometric-authentication/#Advantages
[Accessed 6 January 2018].
Fustier, A. & Burger, V., 2005. Biometric authentication, Stockholm: s.n.
Gralla, P., 1996. How Intranets work, s.l.: Stacy
Hogan, M., 2001. Body Language. Password glut got you down? Hackers scoff at
password systems, anyway. Is biometrics the answer?
Kochetova, O. & Osipov, A., n.d. Future attack scenarios against
authentication systems, communicating with ATMs, s.l.:
Meier, J. et al., 2003. Microsoft Developer Network. Improving Web Application
Security: Threats and Countermeasures, Volume 1, p. 23.
Mondal, S., 2016. A seminar report on biometric authentication, s.l.: s.n.
O’Gorman, L., n.d. Securing Business’s Front Door – Password, Token, and
Biometric Authentication, California: Avaya Labs.
Ríha, Z. & Matyáš, V., 2000. Biometric Authentication Systems, Brno-střed:
FI MU Report Series.
Woodward, J., 1997. Biometrics: privacy’s foe or privacy’s friend?, 85(9),
pp. 1480-1492.
UK Essays, November 2013. Advantages and Disadvantages of Biometrics. [Online]
Available from: https://www.ukessays.com/dissertation/examples/information-systems/advantages-and-disadvantages-of-biometrics.php?cref=1
[Accessed 8 January 2018].