Password and Fingerprint Recognition Authentication Systems

Abstract

This report investigates password and fingerprint authentication systems,

Table of Contents

Abstract
1.0 Introduction
2.0 How the systems work
2.1 How password authentication systems work
2.2 How fingerprint recognition authentication systems work
3.0 Security methods used by password authentication systems for protecting its data
3.1 Hash
3.2 Salt
4.0 Security methods used by fingerprint authentication systems
4.1 False Acceptance Rate (FAR)
5.0 Strengths and weaknesses of each system
5.1 Strengths and weaknesses of password authentication systems
5.2 Strengths and weaknesses of fingerprint recognition authentication systems
6.0 Potential attacks against the systems

1.0 Introduction

As humans, we can recognise other humans by their face, voice or even their smell. Today, computers are able to identify humans by their unique characteristics too, such as face, iris, fingerprint and more.
Password authentication systems dominated the security world until biometric authentication systems were introduced. Most companies have assets, such as expensive hardware and servers that contain confidential data about their customers or employees, which are extremely valuable, not only financially but also for legal reasons. These assets should be available for access and modification only by authorized persons such as the system administrator, but unfortunately that’s not always the case.

To protect their assets and decrease the risk of human-caused threats, most companies use the two most commonly used authentication systems, password and biometric. This report focuses on password and fingerprint recognition authentication systems. It explains how the systems work, the security methods they use to protect data, and their advantages and disadvantages. In addition, it covers the potential attacks that can be executed against them and finally recommends one of the systems for a medium-sized company.

2.0 How the systems work

The purpose of both password and fingerprint recognition authentication systems is to determine whether someone is in fact who they claim to be and, as a result, to allow that person logical or physical access. To achieve this goal, the systems use different authentication methods.

2.1 How password authentication systems work

Password authentication systems work by comparing a given username or ID and a password with the corresponding credentials inside a database that holds all authorized users and their passwords. With that authentication method, password authentication systems have a 100% chance of knowing whether someone is a legitimate user or not.

2.2 How fingerprint recognition authentication systems work

The first time a user registers with a server through a fingerprint recognition authentication system, a procedure called enrolment takes place, which translates illuminated images of the fingerprint into digital code. After the enrolment is complete, a user who wants logical or physical access to the server must scan their fingerprint again. The verification procedure then takes place, using a capacitive scanner that measures the finger electrically. When a finger is pushed onto a surface, the ridges in the fingerprint touch the surface while the hollows between the ridges stand slightly clear of it. A capacitive scanner builds up a picture of the fingerprint by measuring these distances and then translates that picture into a digital code, which is finally compared with the previously stored sample. Even though this comparison takes less than a second, there is no clear answer as to whether a scanned fingerprint is the same as the one saved in the database, only a percentage of similarity of the two samples in terms of distance pattern, called the authentication threshold, which is set by the system administrator.

3.0 Security methods used by password authentication systems for protecting its data

3.1 Hash

Password authentication systems do not save passwords in the database as clear text but in an irreversible coded form, which is generated using hash algorithms like MD5, SHA-1, etc. Using hash algorithms alone is not enough to protect a password, because if two users have the same password then their hashes are the same, which leaves the system more vulnerable to potential attacks.
In addition, if a hacker manages to break into a system, he can use a precomputed table for reversing cryptographic hash functions, named a “rainbow table”.

3.2 Salt

To fix this security vulnerability, a randomly generated component called a salt is added to the password before it is input into the hash algorithm. As a result, every password stored in the database is unique even if it is identical to another. In addition, “salting” a hashed password increases the level of complexity and ensures that any exposed confidential data will require many years of work before any usable passwords can be extracted.
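
The weakness described in section 3.1 and the salting fix from section 3.2, as an added example that is not part of the original report. The sample users, passwords and function names are constructed; a plain lookup table stands in for a rainbow table, and PBKDF2-HMAC-SHA256 replaces the MD5 and SHA-1 named in the text for the salted version because those are too fast for password storage.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Bare, unsalted digest as in section 3.1 (SHA-1 only to show the weakness)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def enroll(password: str) -> dict:
    """Store a per-user random salt next to a slow, salted hash (section 3.2)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    # Constructed sample data: two users who happen to pick the same password.
    passwords = {"alice": "letmein", "bob": "letmein"}
    unsalted = {user: unsalted_hash(pw) for user, pw in passwords.items()}
    salted = {user: enroll(pw) for user, pw in passwords.items()}
    # A plain precomputed lookup table stands in for a rainbow table here.
    precomputed = {unsalted_hash(pw): pw for pw in ("123456", "password", "letmein")}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "recovered_from_table": precomputed.get(unsalted["alice"]),
        "salted_identical": salted["alice"]["digest"] == salted["bob"]["digest"],
        "correct_password_accepted": verify("letmein", salted["alice"]),
        "wrong_password_rejected": not verify("letmeout", salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is stored in the clear beside the digest; its job is to make each stored value unique and to make precomputed tables useless, not to be secret.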

4.0 Security methods used by fingerprint authentication systems

4.1 False Acceptance Rate (FAR)

The false acceptance rate, or FAR, is a measure of the probability that a biometric authentication system will falsely allow logical or physical access to an unauthorized person. A system’s FAR is defined as the ratio of the number of false acceptances divided by the number of identification attempts. For example, if the FAR is 0.1 percent, on average two out of 2000 impostors attempting to breach a system will be successful. In other words, the probability of an impostor being identified as an authorized person is 0.1 percent.
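
The relationship between the authentication threshold of section 2.2 and the FAR defined here, as an added example that is not part of the original report. The score histograms, function names and the counting of rejected genuine users are assumptions that go beyond the text; a comparison is accepted when its similarity score reaches the threshold.

```python
from fractions import Fraction

# Constructed histograms: similarity score (percent) -> number of comparisons.
IMPOSTOR_SCORES = {30: 900, 40: 700, 50: 300, 60: 80, 70: 18, 80: 2}  # 2000 attempts
GENUINE_SCORES = {60: 5, 70: 25, 80: 120, 90: 350}                    # 500 attempts
TARGET_FAR = Fraction(1, 1000)  # the 0.1 percent used in the text


def accepted(histogram, threshold):
    """Count comparisons whose similarity reaches the authentication threshold."""
    return sum(count for score, count in histogram.items() if score >= threshold)


def far(threshold):
    """False acceptances divided by impostor identification attempts."""
    return Fraction(accepted(IMPOSTOR_SCORES, threshold), sum(IMPOSTOR_SCORES.values()))


def genuine_reject_rate(threshold):
    """Share of legitimate users turned away at this threshold (not in the text)."""
    total = sum(GENUINE_SCORES.values())
    return Fraction(total - accepted(GENUINE_SCORES, threshold), total)


def lowest_threshold_meeting(target, thresholds):
    """Smallest threshold whose FAR does not exceed the target, or None."""
    for threshold in sorted(thresholds):
        if far(threshold) <= target:
            return threshold
    return None


def sweep(thresholds):
    """Rows of (threshold, false accepts, FAR, genuine reject rate)."""
    return [
        (t, accepted(IMPOSTOR_SCORES, t), far(t), genuine_reject_rate(t))
        for t in thresholds
    ]


if __name__ == "__main__":
    for t, hits, rate, rejects in sweep(range(50, 100, 10)):
        print(f"threshold {t}%: {hits} false accepts, "
              f"FAR {float(rate):.3%}, genuine rejects {float(rejects):.1%}")
    print("lowest threshold meeting 0.1% FAR:",
          lowest_threshold_meeting(TARGET_FAR, range(50, 100, 10)))
```

With this constructed data, the threshold that reaches the 0.1 percent FAR also turns away 6 percent of genuine users, which is the cost an administrator weighs when tightening the threshold.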
If a system administrator sets the FAR to the lowest possible value, he dramatically decreases the chance of a false acceptance into the system.

5.0 Strengths and weaknesses of each system

Not a single authentication system in the world is completely secure; every system has its own strengths and vulnerabilities.
The correct use of each system’s strengths can overcome most of the vulnerabilities.

5.1 Strengths and weaknesses of password authentication systems

The main strength, which can easily turn into a weakness, is the length of the password chosen by the user. A long password increases the total number of combinations that a hacker must check to find any useful information. For example, a 6-digit password can have 1,000,000 different combinations. To increase the number of combinations that a 6-digit password can have even further, different character types like uppercase letters, numbers and symbols should be used.

Another advantage of password authentication systems is the ability of a company to apply password policies that force employees to use a “strong” password, for example:

· 10+ characters long.
· Mixed types of characters (uppercase, numbers, symbols).
· Must change at regular intervals (every two months).
· Must not share any password with another person or write it down in a publicly visible location.
· The system disables the account after several failed logon attempts.

On the other hand, password authentication systems carry a lot of weaknesses. Many users take security lightly and choose “weak” passwords which can be easily cracked or even guessed. If a company doesn’t apply password policies, employees might write their password on their desk or share it with a co-worker, making life easier for unauthorized people who want to damage or steal from the system. In addition, the easiest way for a password to be stolen is while it is being entered into the system, when an impostor can physically see the password being typed and eventually steal it.

5.2 Strengths and weaknesses of fingerprint recognition authentication systems

Unlike passwords, fingerprints cannot be “forgotten” or written down and are always available when needed. Every human has unique features like fingerprints, which automatically defeats most of the attacks that can be used against passwords. Moreover, fingerprint recognition is extremely convenient for a user since it only requires one small movement of the arm. In addition, the very high accuracy and the relatively low cost compared to other biometric systems make fingerprint recognition the most used biometric authentication system.

On the other side of the coin, fingerprint readers need to be installed on all machines or doors, which can be cost-inefficient. In addition, fingerprint recognition has medium acceptability among people because it is associated with criminal identification. Moreover, a huge disadvantage is the false acceptance rate (FAR), which is the percentage of people who can be incorrectly authenticated as valid users into the system. Finally, unlike passwords, which can be obtained without the person necessarily getting hurt, one of the ways that impostors can get the fingerprint is by cutting off the person’s finger.

6.0 Potential attacks against the systems

In the past, most attacks executed on a server aimed to damage or even destroy the entire server, or were sometimes carried out just for fun. Nowadays, almost all attacks have one goal: money. By executing a denial-of-service attack, which can make a machine or network resource unavailable to its users by interrupting the services of a host connected to the internet, hackers ask for money to restore the services back to normal.