Password and Fingerprint Recognition Authentication Systems

This report investigates password and fingerprint authentication systems,
Table of Contents
1.0 Introduction
2.0 How the systems work
2.1 How password authentication systems work
2.2 How fingerprint recognition authentication systems work
3.0 Security methods used by password authentication systems for protecting its data
4.0 Security methods used by fingerprint authentication systems
4.1 False Acceptance Rate (FAR)
5.0 Strengths and weaknesses of each system
5.1 Strengths and weaknesses of password authentication systems
5.2 Strengths and weaknesses of fingerprint recognition authentication systems
6.0 Potential attacks against the systems
1.0 Introduction
As humans we can recognise other humans by their face, voice or even their smell; today computers are able to identify humans by their unique characteristics too, such as face, iris, fingerprint and more. Until recently, password authentication systems were dominating the security world until biometric authentication systems were

the companies have assets like expensive hardware and servers that contain confidential data of their customers or employees, which are extremely valuable, not only in monetary terms but also for legal reasons. These assets should be available for access and modification only by authorised persons such as the system administrator, but unfortunately that is not always the case.

To protect their assets and reduce the risk of threats caused by people, most companies use the two most common authentication systems, password and biometric. This report focuses on password and fingerprint recognition authentication systems: it explains how the systems work, their security methods for protecting data, and their advantages and disadvantages. In addition, it covers the potential attacks that can be executed against them and finally recommends one of the systems for a medium-sized company.
2.0 How the systems work
The purpose of both password and fingerprint recognition authentication systems is to determine whether someone is in fact who they declare themselves to be and, as a result, to allow that person logical or physical access. To achieve their goal, the systems use different authentication
2.1 How password authentication systems work
Password authentication systems work by comparing a given username or ID and a password with the corresponding credentials in a database that holds all authorised users and their passwords. Because this comparison is exact, password authentication systems have a 100% chance of knowing whether someone is a legitimate user or not.
2.2 How fingerprint recognition authentication systems work
The first time a user registers with a server through a fingerprint recognition authentication system, a procedure called enrolment takes place, which translates illuminated images of the fingerprint into a digital code. Once enrolment is complete, whenever the user wants logical or physical access to the server they must scan their fingerprint again, and the verification procedure takes place. This uses a capacitive scanner that measures the finger electrically: when a finger is pressed on the surface, the ridges of the fingerprint touch the surface while the hollows between the ridges stand slightly clear of it.

A capacitive scanner builds up a picture of the fingerprint by measuring these distances and then translates that picture into a digital code, which is finally compared with the previously stored sample. Even though this comparison happens in less than a second, there is no clear yes-or-no answer as to whether the scanned fingerprint is the same as the one stored in the database, only a percentage of similarity between the two samples in terms of their distance pattern; the scan is accepted if that similarity reaches the authentication threshold, which is set by the system administrator.
3.0 Security methods used by password authentication systems for protecting its data
3.1 Hash
Password authentication systems do not save passwords in the database as clear text but in an irreversible coded form generated using hash algorithms such as MD5, SHA-1, etc. Just using a hash algorithm is not enough for a password to be protected, because if two users have the same password then their hashes will be the same, leaving the system more vulnerable to potential attacks. In addition, if a hacker manages to break into a system, he can use a precomputed table for reversing cryptographic hash functions, called a “rainbow table”.

To fix this vulnerability, a randomly generated component called a salt is added to the password before it is input into the hash algorithm; by doing that, every stored password hash in the database is unique even if the password is identical to another user’s. In addition, “salting” a hashed password increases the level of complexity and ensures that any exposed confidential data will need many years of work to extract any usable passwords.
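The credential comparison of section 2.1 and the salted hashing described here, worked as an added Python example that is not part of the report. The in-memory user table, the sample usernames and passwords, and the use of PBKDF2-HMAC-SHA256 with 100,000 iterations (chosen here instead of the plain MD5/SHA-1 the report names, because an iterated, salted function is what a current system should store) are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "database": username -> (salt, hash). A real system
# would use a persistent store; this dict stands in for it.
USER_DB: dict[str, tuple[bytes, bytes]] = {}

# Iteration count is an assumption; higher is slower for attackers and users alike.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: identical passwords give identical digests,
    which is the weakness rainbow tables exploit."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Enrol a user: draw a fresh random salt and store only salt + hash,
    never the clear-text password."""
    salt = os.urandom(16)
    USER_DB[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Compare supplied credentials with the stored record (section 2.1).

    An unknown username gets the same hashing work and the same answer as a
    wrong password, so timing does not reveal which usernames exist, and the
    digest comparison itself is constant-time.
    """
    salt, stored = USER_DB.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hash_password(password, salt)
    return username in USER_DB and hmac.compare_digest(candidate, stored)


def same_password_same_hash(password: str) -> tuple[bool, bool]:
    """Two users choose the same password. Returns (unsalted digests equal,
    salted hashes equal): True/False, showing what the salt buys."""
    register("alice", password)
    register("bob", password)
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salted_equal = USER_DB["alice"][1] == USER_DB["bob"][1]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    register("admin", "correct horse battery staple")
    print("right password:", verify("admin", "correct horse battery staple"))
    print("wrong password:", verify("admin", "password123"))
    print("unknown user:  ", verify("nobody", "anything"))
    print("unsalted equal, salted equal:", same_password_same_hash("Winter2024!"))
```

Running the script registers a user and checks a correct password, a wrong one and an unknown username; the last call shows that two users with the same password share one SHA-1 digest but get different salted hashes, which is exactly the duplicate-hash and rainbow-table problem the salt removes.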
4.0 Security methods used by fingerprint authentication systems
4.1 False Acceptance Rate (FAR)
False acceptance rate, or FAR, is the measure of the probability that a biometric authentication system will falsely allow logical or physical access to an unauthorised person. A system’s FAR is defined as the ratio of the number of false acceptances to the number of identification attempts. For example, if the FAR is 0.1 percent, on average two out of 2000 impostors attempting to breach a system will succeed. In other words, the probability of an impostor being identified as an authorised person is 0.1 percent. If a system administrator sets the FAR to the lowest possible value, he dramatically decreases the chance of a false acceptance into the system.
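The verification step of section 2.2 (a similarity score compared against an administrator-set threshold) and the FAR definition above, worked together as an added Python example that is not part of the report. The minutiae-point templates, the simulated sensor noise, the matching tolerance of 4 units and the threshold values are all constructed assumptions; a real matcher uses far richer features, but the relationship the example shows, that lowering the threshold raises FAR while raising it costs genuine users rejections, holds for any threshold-based biometric.

```python
import math
import random

# Constructed template: a list of minutiae (ridge endings/bifurcations) as
# (x, y) positions on a 100x100 sensor grid. Real templates carry more data.
Minutia = tuple[float, float]
Template = list[Minutia]

# How close two minutiae must be to count as the same point (assumed value).
TOLERANCE = 4.0


def similarity(enrolled: Template, probe: Template) -> float:
    """Fraction of probe minutiae that fall within TOLERANCE of a distinct
    enrolled minutia. 1.0 means every probe point found a partner."""
    unclaimed = list(enrolled)
    matched = 0
    for px, py in probe:
        for i, (ex, ey) in enumerate(unclaimed):
            if math.hypot(px - ex, py - ey) <= TOLERANCE:
                matched += 1
                del unclaimed[i]  # each enrolled point may be claimed once
                break
    return matched / len(probe) if probe else 0.0


def verify(enrolled: Template, probe: Template, threshold: float) -> bool:
    """The decision step: accept only when the similarity reaches the
    threshold chosen by the administrator."""
    return similarity(enrolled, probe) >= threshold


def far_from_counts(false_acceptances: int, attempts: int) -> float:
    """FAR as the report defines it: false acceptances / identification attempts."""
    return false_acceptances / attempts


def random_template(n: int, rng: random.Random) -> Template:
    """Constructed finger: n minutiae scattered uniformly over the sensor."""
    return [(rng.uniform(0, 100), rng.uniform(0, 100)) for _ in range(n)]


def rescan(template: Template, sigma: float, rng: random.Random) -> Template:
    """Constructed re-scan of the same finger: every point gets sensor noise."""
    return [(x + rng.gauss(0, sigma), y + rng.gauss(0, sigma)) for x, y in template]


def error_rates(threshold: float, n_users: int = 40, attempts: int = 10,
                seed: int = 1) -> tuple[float, float]:
    """Measure (FAR, FRR) at a threshold over constructed attempts.

    Genuine attempt: the enrolled finger re-scanned with noise.
    Impostor attempt: another user's finger presented against this record.
    FRR (false rejection rate) is the genuine-user counterpart of FAR.
    """
    rng = random.Random(seed)
    fingers = [random_template(30, rng) for _ in range(n_users)]
    false_accepts = false_rejects = 0
    for i, enrolled in enumerate(fingers):
        for _ in range(attempts):
            if not verify(enrolled, rescan(enrolled, 1.0, rng), threshold):
                false_rejects += 1
            j = rng.randrange(n_users - 1)
            other = fingers[j if j < i else j + 1]  # never the same finger
            if verify(enrolled, rescan(other, 1.0, rng), threshold):
                false_accepts += 1
    total = n_users * attempts
    return far_from_counts(false_accepts, total), false_rejects / total


if __name__ == "__main__":
    print("report example: FAR =", far_from_counts(2, 2000))
    for t in (0.1, 0.3, 0.5, 0.7, 0.9):
        far, frr = error_rates(t)
        print(f"threshold {t:.1f}: FAR {far:.3f}  FRR {frr:.3f}")
```

The sweep in the main block is the table an administrator would want before picking a threshold: at a lax threshold most impostor fingers pass (high FAR), while at a strict one impostors are rejected but noisy re-scans of genuine users start failing, so "set the FAR to the lowest possible value" is always a trade against usability.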
5.0 Strengths and weaknesses of each system
Not a single authentication system in the world is completely secure; every system has its own strengths and vulnerabilities. The correct use of each system’s strengths can overcome most of the
5.1 Strengths and weaknesses of password authentication systems
The main strength, which can easily turn into a weakness, is the length of the password chosen by the user. A long password increases the total number of combinations that a hacker must check to find any useful information. For example, a 6-digit password can have 1,000,000 different combinations. To increase the number of combinations a 6-character password can have even further, different character types such as uppercase letters, numbers and symbols should be used.

Another advantage of password authentication systems is the ability of a company to apply password policies that force employees to use a “strong” password, for example:
- use different types of characters (uppercase, numbers, symbols);
- change the password at regular intervals (every two months);
- do not share any password with another person or write it down in a publicly visible place;
- the system disables the account after several failed logon attempts.
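The policy rules just listed, together with the combination count from the start of this section, implemented as an added Python example that is not part of the report. The concrete limits (8-character minimum, three character types, 60-day maximum age, lockout after 5 failures) and the sample passwords and dates are assumptions chosen to match the report's wording; the report itself names no numbers beyond "every two months" and "several failed logon attempts".

```python
import string
from datetime import datetime, timedelta

# Policy limits: assumed values matching the report's text.
MIN_LENGTH = 8
MIN_CHARACTER_TYPES = 3
MAX_PASSWORD_AGE = timedelta(days=60)   # "every two months"
MAX_FAILED_ATTEMPTS = 5                 # "several failed logon attempts"

CHARACTER_TYPES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def character_types(password: str) -> set[str]:
    """Names of the character classes actually present in the password."""
    return {name for name, chars in CHARACTER_TYPES.items()
            if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Combinations an attacker must cover for passwords of this length drawn
    from the same character classes: six digits gives 10**6 = 1,000,000."""
    alphabet = sum(len(CHARACTER_TYPES[t]) for t in character_types(password))
    return alphabet ** len(password)


def complexity_violations(password: str) -> list[str]:
    """Reasons a candidate password fails the complexity rules (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_types(password)) < MIN_CHARACTER_TYPES:
        problems.append(f"fewer than {MIN_CHARACTER_TYPES} character types")
    return problems


def expiry_check(password_set_on: str, today: str) -> bool:
    """True when a password set on the first ISO date (YYYY-MM-DD) has
    exceeded MAX_PASSWORD_AGE by the second."""
    age = datetime.fromisoformat(today) - datetime.fromisoformat(password_set_on)
    return age > MAX_PASSWORD_AGE


class Account:
    """Per-user state for the lockout rule: consecutive failed logons."""

    def __init__(self) -> None:
        self.failed_attempts = 0
        self.locked = False

    def record_logon(self, succeeded: bool) -> bool:
        """Update the failure counter; returns True if the account is (now) locked."""
        if self.locked:
            return True
        if succeeded:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
        return self.locked


if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3"):
        print(pw, "keyspace:", keyspace(pw), "violations:", complexity_violations(pw))
    print("expired after 45 days:", expiry_check("2024-01-01", "2024-02-15"))
    print("expired after 91 days:", expiry_check("2024-01-01", "2024-04-01"))
    acct = Account()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print("failed attempt", attempt + 1, "locked:", acct.record_logon(False))
```

The lockout counter is what turns the combination count into a real defence: without it, the 1,000,000 combinations of a 6-digit PIN can be tried online, whereas with a lock after five failures the attacker gets five guesses per account before an administrator has to intervene.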
On the other hand, password authentication systems carry a lot of weaknesses. Many users take security lightly and choose “weak” passwords which can be easily cracked or even guessed. If a company does not apply password policies, employees might write their password on their desk or share it with a co-worker, making life easier for unauthorised people who want to damage or steal from the system. In addition, the easiest way for a password to be stolen is while it is being entered into the system, when an impostor can physically see the password being typed and thereby steal it.
5.2 Strengths and weaknesses of fingerprint recognition authentication systems
Fingerprints cannot be “forgotten” or written down and are always available when needed. Every human has unique features such as fingerprints, which automatically rules out most of the attacks that can be used against passwords. Moreover, fingerprint recognition is extremely convenient for the user, since it only requires one small movement of the arm. In addition, the very high accuracy and the relatively low cost compared to other biometric systems make fingerprint recognition the most used biometric authentication system.

On the other side of the coin, fingerprint readers need to be installed on all machines or doors, which can be cost inefficient. In addition, fingerprint recognition has only medium acceptability among people because it is associated with criminal identification. Moreover, a major disadvantage is the false acceptance rate (FAR), which is the percentage of people who can be incorrectly authenticated as valid users of the system. Finally, unlike passwords, which do not require the person to be hurt in order to be obtained, one of the ways impostors can get a fingerprint is by cutting off the person’s finger.
6.0 Potential attacks against the systems
In the past, most attacks executed on a server aimed to damage or even destroy the entire server, or were sometimes carried out just for fun. Nowadays, almost all attacks have one goal: money. By executing a denial-of-service attack, which makes a machine or network resource unavailable to its users by interrupting the services of a host connected to the internet, hackers demand money to restore the services to normal.