Evaluating Passwords, Smart Cards, Fingerprints, and Two Factor Authentication (2FA) Options

Passwords have been the standard form of authentication since a very long time but it seems they have outlived their usefulness. Weak passwords are easy to guess which forces users to create long and complex passwords but difficult to remember. Also, such enforcement comes with the risk that employees will write their passwords which ultimately defeats the attempt at increasing security. Even with passwords having a strong entropy, criminals can crack them using automated password cracking software. There have been numerous instances of password hacking where organizations and individual’s data security have been compromised. The problem of remembering long, complex and changing passwords suggests that a more convenient and secure form of user authentication is necessary.

This article will discuss the different forms of authentication – passwords, smart cards and fingerprint recognition. These are collectively known as authenticators. We will also compare these three authenticators and see how they can be combined effectively against intruder attacks. We will also assess their suitability for certain security specifications such as compromise detection and non-repudiation.

In today’s connected world, we exchange a lot of personal information about our finances and health with entities on the remote end of a computer network. This entity could be a friend, machine or an intruder. To ensure that only the intended recipient has access to our data and also for the security of our data, proper authentication methods have to be enforced. Thus, for protection of our personal information or digital identities, we need to adopt formal methods of authentication in our daily lives.

So, what exactly is authentication? It is the process of positively verifying the identity of a user or a device in a computer system. It is a prerequisite for allowing access to resources in the system. The authenticating entity accomplishes this by matching some sort of a shared secret code that has been pre-arranged during enrollment or registration of the authorized users.

We can prove our identity in these three ways:

1. By using something we know (e.g. a PIN code, a password)
2. By using something we have (e.g. a smart card)
3. By using something we are (Biometrics e.g. fingerprint, iris, face)
4. Combining two form of authentication (Two Factor Authentication)

Let us look at the definition of the above four types of authenticators.

The term password is used to include single words, phrases and PINs (personal identification numbers) and these are the closely kept secrets which are used for authentication. A password by far is the oldest and the simplest solution to provide user authentication. Although this might sound very simple, we need to take care about how the password is communicated. The password should be shared through a secure channel otherwise main-in-the-middle attacks such as eavesdropping are possible. In password-based systems, a secure channel must be established between the authenticator and the individual wanting to access the system. These two entities must also be present at the primary exchange when the shared password is being set up. Studies have shown that password-based authentication problems are highly vulnerable and passwords are potentially the weakest link in any organization’s information security systems.

The fundamental problem with passwords can be explained quite simply – a memorable password can often be guessed or cracked by a hacker whereas a long, complex, random and changing password can be difficult to remember. PIN (Personal Identification Number) is a code authorizing the use of a banking card and is one of the most highly used password-based authentication schemes. A user should take precautions when entering the PIN code since someone could spy over his shoulder. This type of an attack is called “shoulder surfing”.

In recent technology, smart cards such as credit or debit cards are used for many online activities such as marketing, online transactions and in ATMs. Smart cards have also been introduced for personal identification and entitlement schemes at the regional, national and international levels. Citizen’s card, driver’s license and health scheme cards are all examples of smart cards and are commonly used nowadays.

Contactless technology is also becoming more prevalent in the form of ePassports. In contactless cards, energy and data are transferred without any physical contact between the card and the terminal. This is very convenient as the user does not necessarily need to hold the card in his hand during use and it can be in his purse or wallet. Contactless cards are very popular and are widely used for access control applications in public transportation, corporate badges, ski passes, banking etc. This type of card is also resistant to wear and tear and gets rid of manufacturing failure rate of the electrical contact. Contactless cards are preferred for convenience and contact interface is preferred for security. One example of contact interface is for significant amount transactions such as cash withdrawals in ATM.

So, a smart card is basically an authentication token and is the ultimate descendant of plastic cards and magnetic stripe cards. Essentially, the smart card has an embedded computer chip which contains a communication port for exchanging data and control information with the external world. It is ideal for storing cryptographic secrets such as symmetric secret keys and asymmetric private keys. The smart card is able to dynamically store and process several kilobytes of information. The card data is transacted though a card reader which is part of a computing system. The first smart-cards were introduced in Europe nearly three decades ago and now smart-cards are being used worldwide for a variety of daily tasks.

The small size and the bend requirements of the smart card which are designed to protect it physically limit the memory and processing resources of the card. When used as the only identification system it is not excessively trustworthy as it can be easily stolen, lost or simply forgotten at home. Also due to theft or cracking of smart-card passwords, there could be an unusual loss of property.

Fingerprint recognition is a type of biometric identification technology which uses a highly sensitive camera to capture the thumb print of individuals. It is the oldest and the most deployed biometric technique. It works on the impressions made by a regular texture pattern found on the fingerprints and is composed of ridges and valleys. These ridges are characterized by landmark points known as minutiae and the spatial distribution of these minutiae points is unique to each finger. And, it is the collection of these minutiae points that is primarily used for matching of two fingerprints. The structure of the fingerprint’s ridges and valleys is stored as a digital template which is later compared with the newly captured fingerprint image of the subject for authentication or verification purpose. Fingerprint recognition is a physical biometrics technology.

So, what is biometrics? Biometrics technology essentially analyses the biological traits that are unique to an individual. These are the inherent characteristics that differentiate one individual from another, such as fingerprints, face recognition, iris or retina or the pattern of an individual’s voice. The data gathered by some of these technologies, particularly fingerprints can be used to uniquely distinguish a person from the entire global population.

Fingerprint identification technology has been successfully used in applications for more than a century, more recently becoming automated owing to the advancements in technology. It is also popular because of the inherent ease of acquisition and numerous sources for collection (ten fingers). Law enforcement agencies and immigration are also establishing the use and collection of fingerprint data. Fingerprint is the second and optional biometrics to be sued in ePassport.

A biometric identifier inextricably links the authenticator to its owner. This is something which passwords and smartcards are not capable of doing since biometric identifiers cannot be lent or stolen. This inextricable link of the biometric identifier with its owner also provides the property of non-repudiation when used to verify the authentication of the subject in a transaction. This property is proof of the transaction and the involved parties cannot reject the transaction as unauthorized or deny having participated in it. In spite of having all these advantages, biometric identifiers can still be copied or stolen but with great levels of difficulty and sophisticated counterfeiting techniques.

In our daily lives, for authentication we usually prefer a combination of something-we-have (e.g. smart card) and something-we-know (e.g. password). For example, banking cards, SIM cards in mobile phones can be used with a password. However, somebody could steal or guess our password and our personal device could also be stolen. So what can be the solution to this? An ideal situation would be to use a three-factor authentication along with one or several biometric techniques. Such an authentication technique can prove to be highly secure, robust as well as provide non-repudiation.

We will look at how to combine the different authentication types (two factor authentication) for enhanced security.

If smart card and biometric technology like fingerprint recognition is combined, there will be huge benefits in terms of security and convenience. Also, it will have a dramatic impact on identity verification, security access and cryptographic applications. The primary advantage of biometrics is that the biometric data is unique to every individual and it can verify the individual’s identity irrespective of any time variation. It does not matter if the individual’s first biometric sample was collected a year ago.

The main pillars of internet security are authentication, data confidentiality, access control, data integrity and non-repudiation. Biometrics satisfies all these requirements and is highly reliable. The applications which can benefit from the combination of smart card and fingerprint technologies are passports, ID cards, social security cards, driving license, work permits etc. The possibilities are endless. Other organizations that can benefit from this technology are banks, correctional facilities and personnel agencies.

The fact that governments are starting to mandate the use of biometric identifiers such as fingerprints in official documents (e.g. passports) has also proven to be a key driver in the use of biometric technology. To enhance the security of the validation process in ePassport systems, a smart card ePassport contains biometric information like fingerprints and digital photograph of the passport holder.

The business and consumer use of the internet is dependent upon successful verification of the user. Both online and offline applications such as email, banking and research require complex passwords to access the content securely. This necessitates maintaining a multitude of passwords for different applications which can be overwhelming. A security method can be considered effective if it is also convenient. Biometric systems can eliminate the need for remembering a large number of passwords.

Security of ID and password combination systems can be enhanced by combining them with fingerprint recognition. This technique adds an extra level of security and makes it extremely difficult for intruders to crack the system. Most smartphones have inbuilt fingerprint identification nowadays such as Apple’s Touch ID. Let us see how this system works. A user can log on to his smartphone using his password or his personal identification number (PIN) and then provide his fingerprint to complete the authentication process. The great benefit to this system is that even if the password gets compromised, the device cannot be accessed without the fingerprint verification. This severely limits as to what hackers can pull off.

The figure below shows the different types of authentication and their attributes.

We have discussed in this article about the different types of authentication and how they can be combined effectively for enhanced security and convenience. Multi-factor authentication that uses all the three types of authentication have not been widely used but some high security applications might need it.