Security of Multi-Factor Authentication

February 18th, 2010 Larry Hamid Posted in Authentication, Biometrics

Since user authentication is the front line of security, the stronger it is the better. In this article I want to discuss multi-factor authentication and why it is stronger than just a single factor. Proving your identity involves using one or more of three possible factors:

• Knowledge (passwords, PINs, etc.)
• Possession (driver’s license, token, corporate badge, etc.)
• Being (biometric: face, finger, voice, retina, etc.)

You will likely come across conflicting opinions of whether one factor is better than another. For example some people might consider passwords better than biometrics while others will argue the opposite. But who is correct? Is there one factor that is better than all of the others?

The answer is that it really depends on what criteria you are using to measure the authentication mechanism against, and there are many dimensions to consider. For example you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your choice of what is important will determine which single factor is better than another. Worse still, there can be variations even within a particular factor type. The following diagram illustrates this point.

In the plot above I have chosen convenience and accuracy as measures. You can see immediately that a complex password, say “%SPc_87snwi$”, is more accurate (harder to guess) than a simple password, like “Hello” but you pay the price in convenience. Similar trade-offs occur in biometric technologies. A retina scan is considered to be more accurate than voice recognition but you have to shine a light at the back of your eyeball to provide a sample which is quite a bit more invasive than speaking into a microphone. A DNA sample (using enough markers) is in theory orders of magnitude more accurate but you might have to wait a few days for the results, which I consider a huge inconvenience when logging into your workstation.

With only two measures, accuracy and convenience, there are valid arguments for favoring either factor over the other. Imagine the difficulty in deciding which mechanism is better when you consider a dozen or more different threats.

One thing to realize is that each factor of authentication has advantages and disadvantages. No single factor of authentication is perfect. What is interesting is that biometrics and passwords have some very complementary properties. That is, a weakness in one factor can actually be a strength of the other. This is what makes multi-factor authentication so compelling for security: combining them creates something much stronger than either factor could possibly attain on its own.

To illustrate this I have chosen a handful of security threats and highlighted the weaknesses and strengths of biometric, password and both combined. A red brick indicates that the method is vulnerable to the corresponding threat and a green brick means it is not.

I have deliberately selected software-based password authentication and a hardware-based (fingerprint) biometric as my two factors in order to more acutely demonstrate their complementary nature with respect to the list of threats. You can see that when they are combined, the resulting two-factor authentication is resistant to all of the listed threats.

If strong authentication is critically important to you, I highly recommend multi-factor authentication because it is, without a doubt, the best authentication security you can get.


Deploying biometric devices now a reality

January 12th, 2009 Larry Hamid Posted in Biometrics

Who hasn’t marveled at the high-tech spy gadgets Q developed for James Bond? Biometric technology was something we once envisioned as only being used in secret facilities and spy agencies, like the CIA or MI-6.

In reality, biometric products have been commercially available for more than a decade. “Low-cost” desktop fingerprint scanners appeared on the market as early as 1995 and soon there was a proliferation of biometric companies and advances in cool technologies such as finger, iris, face, voice recognition and even some not-so-glamorous types, such as smell (body odor) and gait (walking stride).

People and companies became keenly interested in the possible uses of biometrics, making it clear that solutions were needed, not just technology. Vendors quickly responded by demonstrating numerous solutions, including biometric logins, single sign-on, time and attendance and integration with PKI. Few deployments ever happened though. While there were significant advances in technology, biometrics was just too hard and expensive to deploy.

Now, finally, this situation has changed and we are seeing biometric products that are very deployable. The big deployment issues facing organizations are security, cost, interoperability and usability. One thing that hasn’t changed much is the difficulty of assessing the security of a biometric solution. A first step is to understand whether the technology is accurate enough for your security needs. How good is it at accepting genuine matches and rejecting imposters?

While biometric performance is quantifiable, vendor claims of false acceptance and rejection rates are often exaggerated and biased. The details about how many features are captured or whether it is pattern-based or uses a neural network, and so on, are interesting but not relevant to the performance.

Biometric technology can be treated as a black box — with biometric image samples going in and scores coming out. It is best to turn to independent, third-party technology evaluations that have done the hard work to develop trustworthy comparative numbers based on this black box approach.
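The black-box approach can be made concrete with nothing more than two lists of matcher scores. The following is an added example, not code from the original article or from any vendor: the scores are constructed, the accept rule (score at or above a threshold) is an assumption, and the confidence bound goes slightly beyond the text to show why an error rate measured on a small test set deserves scrutiny.

```python
# Added example. Scores are constructed sample data, not measurements of any
# product; higher score means the matcher considers the samples more similar.
GENUINE = [62, 71, 48, 80, 55, 90, 67, 39, 74, 85]   # same-finger comparisons
IMPOSTOR = [12, 25, 8, 41, 19, 30, 50, 15, 22, 5]    # different-finger comparisons


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose measured FAR is <= max_far.

    Returns (threshold, FAR, FRR), so the FRR is always reported at the same
    operating point as the FAR instead of each being quoted at its best.
    """
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(candidates[-1] + 1)  # rejects everything, so FAR is 0
    for t in candidates:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr


def far_upper_bound_if_no_errors(trials, confidence=0.95):
    """Upper bound on the true FAR when `trials` independent impostor
    attempts produced zero false accepts (exact form of the 'rule of three')."""
    return 1 - (1 - confidence) ** (1 / trials)


if __name__ == "__main__":
    for target in (0.1, 0.0):
        print(target, threshold_for_far(GENUINE, IMPOSTOR, target))
    print(round(far_upper_bound_if_no_errors(len(IMPOSTOR)), 3))
```

Tightening the threshold until the measured FAR is zero doubles the FRR in this sample, and with only ten impostor trials a measured FAR of zero is still consistent with a true FAR of roughly 26%.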

The biometric performance is only one dimension of its security. A poor implementation of a product, even with great technology, can still leave an organization with unacceptable security risks. If you can find them, products with security certifications are best. Barring that, there should at least be reviews by industry analysts and respected publications. Fortunately, the industry has matured and a lot of hype has been replaced with scrutiny, allowing well-informed decisions to be made.

Technological advancements have dramatically changed the ability to successfully deploy fingerprint biometrics. Several years ago, fingerprint technology required host computer processing power along with a relatively expensive (around $100) peripheral to scan fingers. Not only does this imply touching all the desktops to install biometric software and device drivers, but there are serious security issues that are practically impossible to solve. Anytime a host computer is required to manipulate a biometric sample, you expose your authentication data to malicious code. Think of the threat like a Trojan virus that captures your password and has the additional severe consequence that you cannot change your biometric if it is compromised. Host-based processing of biometric information is now a big security risk, since malicious code and cyber crime are undergoing explosive growth.

Today, fingerprint technology is packed into dedicated chips with inexpensive, high performance swipe sensors that can handle every part of the biometric processing (image capture, template creation, matching). This advancement has enabled the development of self-contained portable authentication devices that not only process the biometric in a secure environment (within the device) but also provide secure storage for fingerprint templates. While central fingerprint databases caused privacy concerns and were barriers to deployment, these issues no longer exist when biometric information never leaves the device.

Interoperability has taken a quantum leap, but surprisingly not from biometric standards. It used to be that applications needed to become biometrically aware in order to leverage the technology. This meant major software changes and, to do it right, the industry needed standards so that the biometrically-enabled applications could easily use different technology. Lots of effort has gone into biometric standards, but the uptake by applications has been very disappointing.

The irony is that applications are being augmented with biometric authentication without the need to implement biometric standards. This is possible through other (non-biometric) standards that have been widely implemented throughout the industry, namely Microsoft CAPI and PKCS#11. These are cryptographic standards that allow hardware devices (tokens) to be used to enhance the security of crypto operations. The trick is that self-contained biometric authentication devices that also have cryptographic token functionality can be plugged into these interfaces and used as strong authentication tokens.

Applications get biometric authentication for free, without any additional complexity. This is really significant because we suddenly have many off-the-shelf applications (workstation logins, e-mail encryption, SSL Web authentication, enterprise single sign-on, etc.) where biometrics can now be used. By selecting the right biometric product, corporations can contemplate deploying biometric authentication across many applications that support the crypto standards.

Ultimately, it is the end-user that will either reject or accept the deployment of biometric technology. Here too there are big changes in usability, above and beyond the performance improvements of the technology. Portable biometric devices allow more mobility and convenience than ever before. The ability to go to any machine, plug in the device and biometrically authenticate to a remote corporate server is a reality today. The fact that a multitude of applications are suddenly biometrically-enabled means that the user has a single, simplified experience. Whether it is digitally signing an e-mail, logging into a workstation, decrypting a file or launching a remote desktop, the authentication to each is the same for the user. When increased security actually becomes easier for a user, you have a winning situation for the user and the corporation.

In the case of fingerprint biometrics, the cost reduction, development of dedicated chips and the creation of fully-portable secure devices are technological advancements that have propelled biometrics to being deployable to the enterprise with huge gains in security, interoperability and usability. Fingerprint biometrics may have been the first, but may not be the last to undergo this transformation.


Beware of Biometric Images

June 3rd, 2008 Larry Hamid Posted in Biometrics

Recently there was an article published whereby several USB sticks with biometric authentication were found to be completely insecure (see “Easy to crack”, http://www.heise-online.co.uk/security/Secure-USB-sticks-cracked--/features/110280/0).

In the article it was demonstrated how on some “secure” USB devices biometric authentication can be bypassed completely. Rest assured that biometric devices from MXI Security do not fall into this category. We have secure implementations of biometric and encryption technology within our devices.

I want to delve into this topic a bit deeper and provide a bit of insight for readers who want to be better equipped to challenge biometric technology vendors on the security of their implementation.

I like to categorize the deployment of biometric technology in four ways based on where the biometric matching is actually done.

1. Match-on-PC
2. Match-on-Server
3. Match-on-Card (on a smart card that is)
4. Match-on-Device

First, matching is not the only part of a biometric process. There is also image capture, whereby an image of a biometric sample is captured from a sensor, and template creation, where the image is processed to extract the important features for the matching algorithm. Template creation is actually done in two places within the overall biometric system: a) to create enrollment templates when you first register your biometric, and b) to create verification templates that are used in the actual matching when you are attempting to authenticate. For the best biometric security, all three of these processes (image capture, template creation, and matching) must be done in a trustworthy environment.

Here is a useful fact that is generally true for biometric technology and can help you read between the lines: matching is computationally much cheaper than template creation.

In Match-on-PC the local host system is used to do the biometric comparison. What does this mean? Well, it means that your enrollment templates and your verification templates are compared in software on the PC, out in the open, and exposed to the seething pool of malware that might be on the system. Furthermore, it probably means that template creation is also done on the PC because if the matching needs to be done there, most likely there is nowhere else to do the template creation either. If your biometric templates are compromised it could be bad news for whatever systems you are protecting with biometric authentication. Tip: don’t ever use a Match-on-PC implementation at an Internet Café. Until PCs become trustworthy platforms I would never contemplate using this mode.

Match-on-Server is much better than Match-on-PC. Assuming the server is protected and trusted, it is a safe environment to do the biometric matching. Most often though the server will have a database of user templates, which raises privacy concerns for many people. Unfortunately server implementations can be expensive to deploy because of the need to protect biometric information in transit, and the need to provide scalability, fault tolerance, and high-availability. Another thing to watch out for in a Match-on-Server implementation - and this is important - is that template creation has to occur somewhere. I’ll bet that 90% of the time it won’t be on the server because of the extra processing requirements. So where is it done? It might be on the PC where the sensor is attached which would be bad. If instead it is done on the biometric sensing device then there needs to be a good reason to have a server since the device probably has the power to also do the matching. A couple of potential reasons could be: a) the biometric devices are not portable and since many users use the machines the templates need to be stored centrally, or b) the server is doing biometric identification (checks against many templates, not just yours), for some reason or other.

Match-on-Card is rather interesting. Smart cards are very secure platforms in which to perform any kind of security function. Biometric matching has been tough to achieve on a smart card because of the processing requirements but there are several implementations now available on the market. Smart cards don’t have biometric sensors built into them and they certainly don’t have the power to do template creation. So again, a Match-on-Card solution needs a trustworthy environment (outside of the card) where the other parts of the biometric processing can occur securely. One option here is a portable device that contains the smart card chip or a secure smart card reader with the biometric sensor and processing power built in.

Match-on-Device can be the most deployable and the most secure type of biometric implementation. Here the image capture, template creation and matching are all done within hardware (preferably a hardware device with certified security). No biometric information ever leaves the device. Furthermore as mentioned above, this can also be a good hybrid solution with a Match-on-Card technology. Because of the portability and no requirement for a server infrastructure it is a very attractive solution from a cost and usability perspective. In addition, the enrollment templates are carried securely in the possession of the user so there are no privacy issues to be concerned about.

This brings me back to the title of this article and why you should be wary of biometric images. If you see a biometric image being displayed in a user interface while your sample is being captured, then your biometric information is being exposed to the system that is displaying the user interface. I know it’s cool to see your fingerprint displayed, but think about where the software is running.
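The questions above (where does each stage run, where are enrollment templates kept, and where is the image displayed) can be turned into a small data-flow check to run against a vendor's answers. This is an added example, not part of the original article: the environment names, the choice of which environments count as trusted, and the three sample deployments are assumptions made for illustration, and protection of data in transit is not modeled.

```python
# Added example. Environment names and the trusted set are assumptions;
# the sample deployments are constructed to mirror the cases in the article.
STAGES = ("capture", "template_creation", "matching")

# Biometric data each stage necessarily handles.
HANDLED = {
    "capture": ["image"],
    "template_creation": ["image", "verification_template"],
    "matching": ["verification_template", "enrollment_template"],
}


def exposures(placement, trusted, enrollment_store, shows_image_on=None):
    """Return sorted (artifact, environment) pairs where biometric data is
    handled by an environment that is not in `trusted`.

    placement        maps each stage in STAGES to the environment running it
    enrollment_store environment that keeps the enrollment templates
    shows_image_on   environment whose user interface displays the sample
    """
    found = set()
    for stage in STAGES:
        env = placement[stage]
        if env not in trusted:
            found.update((artifact, env) for artifact in HANDLED[stage])
    if enrollment_store not in trusted:
        found.add(("enrollment_template", enrollment_store))
    if shows_image_on is not None and shows_image_on not in trusted:
        found.add(("image", shows_image_on))
    return sorted(found)


TRUSTED = {"device", "server"}  # assumption: the PC is the untrusted host

MATCH_ON_PC = {"capture": "pc", "template_creation": "pc", "matching": "pc"}
# Match-on-Server where template creation quietly happens on the PC.
SERVER_WITH_PC_TEMPLATES = {
    "capture": "device", "template_creation": "pc", "matching": "server"}
MATCH_ON_DEVICE = {
    "capture": "device", "template_creation": "device", "matching": "device"}

if __name__ == "__main__":
    print(exposures(MATCH_ON_PC, TRUSTED, "pc"))
    print(exposures(SERVER_WITH_PC_TEMPLATES, TRUSTED, "server"))
    print(exposures(MATCH_ON_DEVICE, TRUSTED, "device", shows_image_on="pc"))
```

The last case is the one in the title: a deployment that is otherwise clean still hands the raw image to the host as soon as the host's user interface displays it.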
