The Evolution of Authentication
When we first sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs. These values are typically stored centrally within the relying party's database. Often, these values are encrypted at the point of entry and, once received by the relying party, passed through a one-way function before being stored in the database. This use of cryptography, encrypting the PIN or password in transit and applying the one-way function before storing the result, is simply to prevent the PIN or password from being captured in transit or reverse engineered from the stored value.
Each time the user logs in, they enter their password or PIN; it is received by the relying party, run through the same one-way function and compared to the value stored at user registration.
Over the last 30 or so years there has been mounting concern as to the long-term viability of depending on the user to remember and create a unique, complex value and to accept responsibility for frequently changing their passwords and PINs, especially given the myriad of sites and digital relationships we each continue to establish.
To assure the integrity of passwords and PINs, the challenge is making sure that their length and randomness make guessing difficult and minimize the chance that someone can discover what the PIN or password is. By adding special characters and insisting on password and PIN policies, the relying party has attempted to reduce risk and the chance of rogue penetration.
Unfortunately, people forget their passwords; phishing and vishing attacks work; and key-loggers and other clever ways of obtaining the user name and password have increased. The threat of rogue intrusions, and the resulting reputational and financial loss, is out of control.
As these losses escalated, various, and costly, techniques to support more secure authentication were developed. The market always understood that if we could merge a unique object (something you Have) with a secret (something you Know) or a biometric (something you Are), we would be able to establish a superb form of multi-factor authentication. Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rendering into the chip and incorporating the matching algorithm within its software. By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled, unfortunately at considerable cost.
In Europe, to secure access to websites, the answer was sought in physical objects capable of displaying a one-time password. In some cases, the user had to first enter a PIN, then a number displayed on the screen, and then type the value displayed on the device into a field in the browser window: something you have combined with a secret, producing a one-time password unique to each event.
Clearly PINs and passwords carry two flaws: they need to be remembered and they need to be typed in. Biometrics, on the other hand, offer convenience and do not require the user to remember a complex set of characters. Fortunately, the size, cost and complexity of biometric sensors have decreased significantly, and it is now viable to integrate sensors into a user-operated device. The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S. Today it is rare to find a mobile phone which does not include a biometric sensor and the related algorithms.
Now, with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure that the registered user is present.
All of this is possible because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates. The sensor and the related software have unique characteristics as to how the matching process works. It then simply requires us to accept that the output of the sensor becomes the input to the matching algorithm.
The last concern is how we measure the reliability of the biometric sensors and algorithms. To help people understand the reliability of these sensors and matching algorithms, there is an assortment of acronyms such as FRR, FAR and PAD. These three are the ones I am most familiar with. They measure and quantify the risk of false acceptance or false rejection and provide a measure of assurance that a live person is present.
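To make the FAR and FRR figures concrete, here is an added example (not code from the original article) that computes both rates from a matcher's similarity scores and sweeps the decision threshold to find the operating point where the two rates are equal. The score lists are constructed sample data, not output from any real sensor; a real evaluation would use thousands of comparisons per class.

```python
from fractions import Fraction

# Constructed sample scores. A "genuine" score compares a live sample against
# the same person's enrolled template; an "impostor" score compares it against
# someone else's template. Higher means a closer match.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.64, 0.97, 0.79]
IMPOSTOR_SCORES = [0.12, 0.33, 0.41, 0.58, 0.27, 0.19, 0.66, 0.08]


def false_accept_rate(impostor_scores, threshold):
    """FAR: fraction of impostor attempts whose score reaches the threshold
    and are therefore wrongly accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return Fraction(accepted, len(impostor_scores))


def false_reject_rate(genuine_scores, threshold):
    """FRR: fraction of genuine attempts whose score falls below the
    threshold and are therefore wrongly rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return Fraction(rejected, len(genuine_scores))


def equal_error_threshold(genuine_scores, impostor_scores):
    """Try every observed score as a candidate threshold and return the one
    where FAR and FRR are closest (the equal error rate operating point),
    together with the two rates at that threshold."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        far = false_accept_rate(impostor_scores, t)
        frr = false_reject_rate(genuine_scores, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


if __name__ == "__main__":
    # Raising the threshold trades false accepts for false rejects.
    for t in (0.5, 0.6, 0.7):
        far = float(false_accept_rate(IMPOSTOR_SCORES, t))
        frr = float(false_reject_rate(GENUINE_SCORES, t))
        print(f"threshold {t}: FAR={far:.3f} FRR={frr:.3f}")
    print("EER operating point:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Which side of the trade-off a relying party favors depends on whether wrongly admitting an impostor or wrongly locking out a legitimate user is the costlier error.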