Workshop: Identity Management (ÖSD) #cedem16

We know your password! Do you?

An afternoon workshop at CEDEM16 on identity management, held by the ÖSD (Austrian State Printing House), gave an overview of biometric authentication, not only as a set of technologies relevant to electronic participation.

These technologies usually develop exponentially. In the first phase of “deceptive disappointment”, nobody really believes in the technology; that changes only once a tipping point is reached. From there, development is usually fast, ending either in a. disruptive stress or b. the level of opportunity (a trajectory comparable to that of the digital camera).

This is a questionnaire for participants, which you are also welcome to fill out:

Below a summary of the workshop.

What’s wrong with passwords?

There are three factors relevant in authentication: a. something I know (e.g. a password), b. something I have (a hardware token or a mobile phone), c. something I am (e.g. biometrics). If more than one of these factors is required, we call it multi-factor authentication (already known from Google). About 8 in 10 people are worried about their online security. On average, a person uses 6 unique passwords to guard 24 online accounts. In the workshop, the presenters gave an example that it takes around 6 seconds to crack a password based on a word, and it does not matter whether you write the word backwards or replace certain letters with numbers. If your password is thus derived from hellokitty, variations like H3LLOKITTY or h3lL0k1Tty take around 10 seconds to crack as well.

Password Strength

(Source: xkcd)

And check here to see if your account has been compromised in a data breach.

How does cracking a password work?

One can either try every possible combination or use dictionary attacks; on top of a dictionary, mangling rules (reversal, letter-for-digit substitutions, case changes) can be applied to each word. This takes around 18 minutes with equipment costing about 500 Euros (for 8 characters, lower case only). Including lower/upper case and numbers increases this time to 2 weeks. What can you do? Change the password on a regular basis 🙂 and treat it like your toothbrush (don’t let anyone else use it).
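To make the point of the two sections above concrete (a mangled dictionary word is still a dictionary word), here is a small password-strength estimator. It is an added example, not material from the workshop or the ÖSD: the wordlist, the dictionary size, the number of mangling rules and the guess rate are all assumed values, and a real estimator (such as zxcvbn) also handles partial matches, which this one does not.

```python
"""Rough password-guess estimator: a password that normalises to a wordlist entry
(after undoing case, l33t substitutions and reversal) is scored as wordlist x rules,
anything else as a brute-force search over its character set."""
import string
from typing import Optional

# Constructed wordlist standing in for a real dictionary; sizes below are assumptions.
WORDLIST = {"hellokitty", "password", "sunshine", "letmein"}
DICTIONARY_SIZE = 100_000      # assumed size of an attacker's wordlist
MANGLING_RULES = 2_000         # assumed number of rewrite rules tried per word
GUESSES_PER_SECOND = 1e9       # assumed guess rate of a modest GPU rig

# Common letter-for-digit/symbol substitutions, undone during normalisation.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case and undo l33t substitutions so variants collapse to their base word."""
    return pw.lower().translate(LEET)


def dictionary_base(pw: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the wordlist entry the password is derived from (forwards or reversed), if any."""
    base = normalise(pw)
    for candidate in (base, base[::-1]):
        if candidate in wordlist:
            return candidate
    return None


def charset_size(pw: str) -> int:
    """Size of the smallest standard character class set covering the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def estimate_guesses(pw: str) -> int:
    """Worst-case guesses: wordlist x rules for a mangled word, charset^length otherwise."""
    if dictionary_base(pw) is not None:
        return DICTIONARY_SIZE * MANGLING_RULES
    return charset_size(pw) ** len(pw)


def crack_time_seconds(pw: str) -> float:
    """Worst-case seconds to exhaust the estimated space at the assumed guess rate."""
    return estimate_guesses(pw) / GUESSES_PER_SECOND
```

With these assumptions, every hellokitty variant scores the same 2e8 guesses, while even eight random lower-case letters score 26^8, about a thousand times more.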

Biometrics to the rescue?

Fingerprint sensors/biometric capabilities are built into about 30% of smartphones. Fingerprint is not perfect, spoofing is possible, but it is a highly personalized attack. Another less known biometric technology is palm vein authentication. Face authentication offers similar advantages (no touch is needed). Today this is used for border control and can be combined with other technologies. Voice authentication and iris & eye authentication were presented. One problem with using the iris is that other things, e.g. illnesses, can be expressed in the iris as well (which is unwanted for certain processes). Another thing unique to a human body that can be used for authentication is the heartbeat. Behaviour metrics are based on patterns of behaviour, e.g. how I use my smartphone. Other future possibilities are brainwave authentication (quite realistic) or nose authentication (not very mature).

Research has been relating the different options to their expected benefits, advantages or problems. When doing biometrics, it is important to avoid creating big data on servers (i.e. match-on-server designs), and to use multi-modal biometrics. As opposed to a password, biometrics are based on probabilities. This also means that the threshold (%) at which a match counts as valid is debatable. Summarizing, there is no shortage of ways to authenticate a person, and there will never be one technology right for every device, person and transaction. Standard APIs can be used to create interfaces to applications, and to use more multi-factor methods.
