Authentication systems represent an increasingly important technology in today's society. The increasing number of services and systems to be accessed is creating new challenges for authentication systems. Often conflicts arise between security and usability. Authentication systems are often technically secure, but only if the user uses them correctly. Technically inexperienced user groups are often unaware of the relevance of these systems. For example, many users have weak passwords that are used in multiple services in parallel.
In this paper we compare common authentication methods with regard to their technical security. First, the requirements of an authentication system are addressed in general. Here the different approaches, proof of knowledge, possession of an object and the body's own characteristics, are distinguished and compared. Subsequently, the advantages and dangers of the individual mechanisms are identified.
1 Introduction
In the course of digitalization, more and more services and systems have been created that need to be accessed. Often the group of users is difficult to narrow down. For this reason, technically experienced people and laymen frequently use the same applications, which require authentication by the system. The goal of authentication is to verify the user's identity in order to grant him or her access to the system.
The most common method is probably authentication using a user name and password. The security of the system then depends strongly on the password strength chosen by the respective user. Furthermore, passwords can be recovered by various attack techniques. In order to make the authentication process secure, there are therefore a number of approaches, which are described and evaluated below.
2 Technical overview of the basic authentication methods
The following chapter provides a brief overview of common authentication methods, which are then discussed in Chapters 3 and 4 with regard to usability and security.
2.1 Authentication through knowledge
Authentication through knowledge is the foundation of all techniques. The user memorizes a secret and presents it to the system for identification. In most cases, this secret is a password.
These means of authentication are classified as "knowing something". In addition to passwords, other knowledge-based means include PINs or answers to specific questions (security questions).
2.2 Authentication through possession
Possession-based authentication is usually realized through hardware. The user presents a physical object that carries the identifying information in mechanical, magnetic or electronic form. Examples are conventional keys or passports, magnetic and chip cards, or tokens that generate one-time passwords. In [SB15, pp. 111-112] three basic methods are presented, which are described in 3.2.
2.3 Authentication by biometric features
Authentication by means of biometric features is based on the user himself/herself. Physical and, in rare cases, behavioural characteristics are evaluated. In most cases, fingerprints, iris, retina, veins, face or voice are used to identify the person.
According to [PDHB16, p. 126], the suitability of a biometric authentication system depends on the following factors: universality, uniqueness, constancy, perceptibility, performance, acceptability and counterfeit protection.
2.4 Multi-factor authentication
The basic idea of multi-factor authentication is to combine at least two of the procedures described in 2.1, 2.2 and 2.3.
Here the factors of knowledge and possession are a frequent combination.
For this reason, it is customary for online banking to specify a TAN in addition to password-based authentication in order to carry out a transaction. This TAN is usually available on a list in paper form, received by SMS or generated by a TAN generator. In each of these cases, the user receives the TAN by physical possession.
3 Authentication methods in terms of usability
The basic authentication methods mentioned in Chapter 2 are now examined from the user's perspective.
3.1 Knowledge based usability
The password-based authentication mentioned in Chapter 2 is still the most common method for identifying oneself to a system. The reason for this is its ease of use and easy implementation.
The authentication process begins with the user choosing a password; depending on the use case, a freely chosen password can offer sufficient protection, which is an advantage for inexperienced user groups. In addition, this type of authentication is fast, as the user has the option of saving his or her login data in the browser. All he or she has to do is press "Ok" or "Login" when logging in, and the user is logged in.
One of the main problems is the poor selection or memorability of the password. It must be secure but also user-friendly. The security criteria depend on the following factors: passwords should be long and contain upper and lower case letters as well as numbers and special characters. In order to prevent the brute force attacks described in 4.1, the user should change his password as often as possible. Because of these demanding security requirements, users are often unable to remember such passwords. For most people, the following points are more important: the password should be short, should not contain any special characters and should be relatively easy to remember, such as the name of a pet.
Cormac Herley, P. C. van Oorschot and Andrew S. Patrick explain in [CH09, p. 4] that despite these problems many users cope well with passwords. Herley notes that "users have no problems using passwords and simply let them reset when they forget them." For this reason, this type of authentication will continue to be very important.
3.2 Ownership based usability
In addition to the widespread passwords described in 3.1, almost every user nowadays also owns a smart card, as commonly issued by banks. The use of the smart card in combination with authentication through knowledge (PIN) creates a two-factor authentication, which increases security.
Any additional physical object the user needs causes costs that he or she has to bear. Another disadvantage is that the user has to keep track of further possession-based authentication means.
In addition to the widely used smart cards, one-time password tokens must also be considered. In contrast to 3.1, this kind of authentication at least relieves the user mentally. The user authenticates himself or herself with the help of a combination of numbers created by a token. Since the server can generate the same number combination, it can link it to the user.
Three authentication methods using the token are described in [SB15, pp. 111-112]. A distinction is made between static, dynamic and challenge-response methods. Static means that the user authenticates himself/herself to the token and the token authenticates the user to the computer. With a dynamic token, the token creates a new password every minute, for example. The important thing is that the token and the associated system always stay synchronized so that the computer knows the current password of the token. With the challenge-response method, the system sends a challenge to the token. The token returns a response computed from the challenge, which allows the user to authenticate.
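The dynamic and challenge-response token methods just described, as an added example that is not part of the original paper. The shared secret, the 60-second window (the paper's "every minute") and the server's nonce are constructed assumptions; the dynamic code uses the HMAC-based one-time password construction (RFC 4226/6238) that authenticator apps also use.

```python
import hashlib
import hmac
import struct

# Constructed shared secret, provisioned once into the token and kept by the server.
SECRET = b"constructed-demo-secret-0123"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code from an HMAC-SHA1 over a counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 60) -> str:
    """Dynamic token: the counter is the current time window, so the code
    changes every `step` seconds and token and server only need synchronized clocks."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 60, drift: int = 1) -> bool:
    """Server side: accept the current window plus `drift` neighbours for clock skew.
    hmac.compare_digest avoids leaking how many digits matched through timing."""
    return any(hmac.compare_digest(hotp(secret, now // step + w), code)
               for w in range(-drift, drift + 1))


def challenge_response(secret: bytes, challenge: bytes) -> str:
    """Token side of the challenge-response method: a MAC over the server's fresh
    nonce, so a captured response is useless against any other challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute with the same secret and compare in constant time."""
    return hmac.compare_digest(challenge_response(secret, challenge), response)


if __name__ == "__main__":
    import os
    import time
    now = int(time.time())
    print("dynamic code:", totp(SECRET, now),
          "accepted:", verify_totp(SECRET, totp(SECRET, now), now))
    nonce = os.urandom(16)  # the server's challenge
    print("challenge-response accepted:",
          verify_response(SECRET, nonce, challenge_response(SECRET, nonce)))
```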
Ugo Piazzalunga, Paolo Salvaneschi and Paolo Coffetti explain in a study in [UP05, p. 237] that many users handled possession-based authentication with smart cards or USB tokens incorrectly. The users inserted the smart cards upside down or forgot them when leaving the workplace.
3.3 Biometric based usability
As described in [SZSI13, p. 7], biometric authentication methods are becoming more popular and, at the same time, more trustworthy security systems that have become an alternative to password-based authentication.
On the basis of the factors described in 2.3, the fingerprint is discussed here. The most important points for usability are perceptibility, performance and acceptance. In [PDHB16, p. 126] it is stated that "the fingerprint can be detected quantitatively and by sensors. With fingerprints, the system's performance is given in terms of detection performance and speed. Fingerprints are accepted by the population."
This type of scanner is relatively inexpensive to implement compared to other biometric methods and is therefore the most commonly used. The storage of fingerprints offers several advantages, such as convenience for users. Instead of entering a password or PIN, they simply have to put their finger on the fingerprint scanner and they are authenticated.
The biometric method offers advantages for the user. In 3.2 it was described that the user has to keep track of other means of authentication. This is not the case with biometric authentication, as the user is the identification medium. Furthermore, [PDHB16, p. 128] describes: "The advantage of biometric methods is the high coupling between the biometric property and the respective person. This means that the property cannot be unintentionally lost, it cannot be forgotten and it is not possible to delegate, i.e. pass the characteristics on to a third party."
4 Attack vectors
Authentication systems, or the authentication process in general, are frequent targets of attack. A successful attack can violate the protection goals of confidentiality, integrity and availability at the same time. Due to the large number of authentication options and contexts, there are many potential attack vectors, some of which are described below.
4.1 Authentication through knowledge
The attack vectors in knowledge-based authentication processes are divided into three major groups: technical attacks on the user, technical attacks on the system, and social engineering.
In the case of authentication to a service on the computer or on the web, technical attacks can take the form of malware, for example. An attacker can use a keylogger to record all keystrokes. A vulnerability in the user's computer can also give an attacker access to the file system. Files can then be searched for possible plain text passwords or password hashes.
A technical attack on the system or the operator could be carried out by attempting to gain access to the system's database. If successful, hashes of passwords with low complexity can be broken using, for example, rainbow tables. Many lists with user names or e-mail addresses and the corresponding passwords are easily found on the Internet. Provided that the user uses the same password for different services, a potential attacker can easily gain access to other systems, as described in [SB15, pp. 98-110].
The most common attacks on passwords are "Brute Force Attacks" [La13, p. 24]. The choice of a suitable password by the user is therefore not to be neglected. Joseph Bonneau analyzes 70 million anonymized passwords in [Bo12]. This shows that the passwords of 6.5% of German-speaking users could be guessed with fewer than 1000 attempts in a targeted dictionary attack. However, this is not solely due to technical weaknesses. It is mainly the user's responsibility to choose a strong password.
Social engineering attempts to gain authorization through attack vectors of non-technical origin. This can take the form of phishing, for example. In this case, the user is sent an email under a fake identity with the request to enter PINs or passwords on a fake website. If the attack is tailored to the user, it is known as spear phishing. The better the attacker succeeds in addressing him personally, the greater the probability that the received mail appears credible to the user. Stolen information about the user can be used to include his or her address or mobile phone number in the mail, for example, in addition to his or her name. It is important for the attacker at this point that the user actually uses the service whose login form has been reconstructed. Other social engineering techniques such as Dumpster Diving or Shoulder Surfing can jeopardise the protection of knowledge-based authentication by third parties [KG16, p. 80].
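The database-compromise and password-reuse problem from 4.1, as an added example that is not part of the original paper: an unsalted, fast hash lets one precomputed table answer for every account that shares a password, while a per-user salt and a deliberately slow PBKDF2 do not. The account list and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed account data: two users reuse the same weak password.
CONSTRUCTED_PASSWORDS = {"alice": "sommer2016", "bob": "sommer2016", "carol": "k9#Vb!2qLm8$wTz"}


def weak_store(password: str) -> str:
    """Unsalted, fast hash. Equal passwords give equal hashes, so one precomputed
    table (rainbow table) of common passwords answers for every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def hardened_store(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus a slow PBKDF2-HMAC-SHA256: precomputed tables
    are useless and every guess costs the attacker `iterations` HMAC calls."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Login check against a hardened record, with a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def users_with_shared_hash(hashes: dict) -> int:
    """Count accounts whose stored hash also appears under another account:
    every such group falls to a single cracked value."""
    values = list(hashes.values())
    return sum(1 for h in values if values.count(h) > 1)


def compare_stores(passwords: dict = CONSTRUCTED_PASSWORDS) -> tuple:
    """(shared hashes with the weak scheme, shared hashes with the hardened scheme)."""
    weak = {u: weak_store(p) for u, p in passwords.items()}
    hard = {u: hardened_store(p)["hash"] for u, p in passwords.items()}
    return users_with_shared_hash(weak), users_with_shared_hash(hard)


if __name__ == "__main__":
    print("accounts exposed by one cracked hash (weak, hardened):", compare_stores())
    record = hardened_store("sommer2016")
    print("login ok:", verify(record, "sommer2016"), "wrong case:", verify(record, "Sommer2016"))
```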
4.2 Authentication through possession
In contrast to many of the approaches described in 4.1, attack scenarios against possession-based systems usually require physical proximity. In most cases, a key, smart card or similar object has to be stolen physically. It is also conceivable to obtain the object through clever social engineering.
Technical attacks on possession-based authentication systems are often only carried out in the context of multi-factor authentication. Here, intercepting SMS is a possible approach. Section 4.4 further explains the security of multi-factor authentication systems.
A further attack technique is the relay attack. A smart card or a key is read out with a device. Another device, located in the immediate vicinity of the system, receives the previously read data and transmits it again. The system then grants access because it assumes that it is communicating with the genuine smart card or key.
4.3 Authentication by biometric features
Uniqueness and forgery protection, which were briefly described in 2.3, are elementary requirements for the operation of a secure biometric authentication system. For this reason, only characteristics that can be assigned to exactly one person should be used. This creates a strong coupling between the respective person and the biometric property [PDHB16, p. 128].
However, the requirement of uniqueness only makes sense if it is not possible to counterfeit the characteristic, or not possible without unreasonable effort. A fingerprint taken from a glass and transferred to another medium with properties similar to human skin should not lead to successful authentication. A combination of different "liveness tests" [Mv, p. 8] increases the security against attacks of this kind. Depending on how the system is used, different thresholds are useful, as the authors explain in [Mv]. A lower false acceptance rate increases the security of the system, but often has a negative effect on usability, as explained in Chapter 5. Unlike other authentication methods, biometric features cannot be changed or exchanged, as is the case with passwords and smart cards. This makes biometric data particularly worth protecting.
[PDHB16, p. 129] also mentions a possible increase in violent crime in connection with biometric authentication systems.
4.4 Multi-factor authentication
By combining different authentication options, security can be increased enormously. For example, if an attacker succeeds in obtaining a password using a technique described in 4.1, he or she must additionally have something in the case of a two-factor authentication with the factors knowledge and possession. Often the attacker must have physical access to a mobile phone, for example. This can render automated online attacks harmless. In addition, a targeted attack is much more difficult, although the security gain depends on how the system is used. It therefore does not seem advisable to enter the password on the same device that also receives the TAN via SMS, because that device then represents both factors at once.
In addition to the attack scenarios outlined by Radhesh Krishnan Konoth, Victor van der Veen and Herbert Bos in[RKK], there are many more. Multi-factor authentication is by no means a guarantee for security, but it usually makes an attack extremely difficult.
5 Combining usability and security aspects
Combining security and usability aspects inevitably leads to compromises on at least one of the two. In the following, we therefore point out procedures that achieve the highest possible level of both security and ease of use.
The link between usability and security is easy to recognize in password-based authentication. Because of the user, a technically secure system can become an insecure system overall. The reasons are that the user either uses the same password for different services or, because of the effort involved, uses a password that is too weak. On the other hand, a password that is easy for the user to use is usually insecure against technical attacks. For this reason, a secure system can only be realized by taking usability aspects into account.
With regard to password-based authentication, it makes sense to use a password manager. At this point the user only has to remember a master password, which should be highly complex. Afterwards, an individual and very strong password is created for each service with the help of the password manager.
On the one hand, the user only has to remember one master password instead of several passwords. On the other hand, many of the attack vectors mentioned in 4.1 are eliminated.
In biometric systems, usability and security are balanced against each other with the help of threshold values. Too high a threshold often leads to frustration among users. On the other hand, the security of the system is threatened by too low a threshold value. These thresholds differ depending on the context of use and the security requirements. However, it is important that the user recognizes a real advantage of the method and does not fall back on a weak password because the biometric variant is too cumbersome for him or her.
In any case, security is significantly increased by the use of a second factor. The user has an additional effort compared to a single factor. However, this effort is acceptable in view of the security gain. A one-time password created by an app such as Google's Authenticator can be entered within a few seconds. The user does not need to think about additional hardware, as the smartphone is usually always at hand.
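The threshold trade-off for biometric systems described above (and the false acceptance rate in 4.3), as an added example that is not part of the original paper. The matcher scores are constructed; the policy function picks the lowest threshold, and so the least user frustration, that still keeps the false acceptance rate within a given security budget.

```python
# Constructed matcher scores in [0, 1]; higher means closer to the enrolled template.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.71, 0.66, 0.60]   # same person
IMPOSTOR = [0.62, 0.58, 0.55, 0.52, 0.49, 0.45, 0.41, 0.38, 0.33, 0.30]  # other people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) when the system accepts every score >= threshold.
    FAR: impostors wrongly accepted (security problem).
    FRR: legitimate users wrongly rejected (usability problem)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(start=0.30, stop=0.95, step=0.05):
    """Error rates for each candidate threshold; values are rounded to avoid float drift."""
    n = int(round((stop - start) / step)) + 1
    thresholds = [round(start + i * step, 2) for i in range(n)]
    return {t: error_rates(t) for t in thresholds}


def choose_threshold(max_far):
    """Policy: the lowest threshold (least frustration) whose FAR stays within max_far.
    Raising the security budget's strictness (smaller max_far) pushes the threshold up
    and the FRR with it; returns None if no candidate satisfies the budget."""
    for t, (far, _) in sorted(sweep().items()):
        if far <= max_far:
            return t
    return None


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    for budget in (0.0, 0.1):
        t = choose_threshold(budget)
        print(f"FAR budget {budget}: threshold {t}, FRR {error_rates(t)[1]:.1f}")
```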
6 Conclusion
The aim of this article was to compare common authentication methods in terms of security and usability. On the basis of the aspects described in 5, the use of password managers in combination with two-factor authentication offers the best balance between security and usability aspects.
Sources
[Bo12]
Bonneau, Joseph: The science of guessing: analyzing an anonymized corpus of 70 million passwords. Available at: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234435, 2012.
[CH09]
Herley, Cormac; van Oorschot, P. C.; Patrick, Andrew S.: Passwords: If We're So Smart, Why Are We Still Using Them? Available at: https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/fc09.pdf, 2009.
[KG16]
Kammermann, Markus; Gut, Mathias: CompTIA Security+ - IT-Sicherheit verständlich erklärt - Vorbereitung auf die Prüfung SYO-401. MITP-Verlags GmbH & Co. KG, Heidelberg, 2nd edition, 2016.
[La13]
Langer, Stefanie: Sicherheit von passwortbasierten Authentifizierungssystemen. Available at: http://edoc.sub.uni-hamburg.de/haw/volltexte/2013/2131/pdf/BA_Stefanie_Langer.pdf, 2013.
[Mv]
Matyáš, Václav; Říha, Zdeněk: Biometric Authentication — Security and Usability. Available at: https://www.fi.muni.cz/usr/matyas/cms_matyas_riha_biometrics.pdf
[PDHB16]
Baier, Harald; Edelkamp, Stefan; Margraf, Marian; Gaertner, Sebastian; Ossenbühl, Sven: IT-Sicherheit. Available at: http://www.tzi.de/~edelkamp/lectures/itsec/script/skript_main.pdf, 2016.
[RKK]
Konoth, Radhesh Krishnan; van der Veen, Victor; Bos, Herbert: How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Available at: http://fc16.ifca.ai/preproceedings/24_Konoth.pdf
[SB15]
Stallings, William; Brown, Lawrie: Computer Security: Principles and Practice, Global Edition. Pearson Education Limited, Harlow, 3rd edition, 2015.
[SZSI13]
Syed Idrus, Syed Zulkarnain; Cherrier, Estelle; Rosenberger, Christophe; Schwartzmann, Jean-Jacques: A Review on Authentication Methods. Available at: https://hal.inria.fr/hal-00912435/document, 2013.
[UP05]
Piazzalunga, Ugo; Salvaneschi, Paolo; Coffetti, Paolo: The Usability of Security Devices. O'Reilly Media, 1st edition, 2005.
Thank you for reading. If you have any comments / open questions, I will be happy to answer them in the comments.
Helpful!! Thanks man!!