I read an interesting post and subsequent discussion on multi-factor authentication and its strength. The author, Luther Martin, applies a model to determine the strength of authentication systems that is based on "the chances of any particular random attempt at authentication succeeding". Multi-factor here means a PIN/password (something you know) combined with something you are (a biometric) or something you have (a physical token). The industry has generally accepted that two things you know do not constitute strong authentication. He then applies this model to pose the following question:
“Let’s compare two authentication schemes:
Scheme A, which requires a username/password plus a biometric
Scheme B, which requires two different username/password combinations
Which one is more secure and why? Is there any reason to say that one is inherently more secure than the other?”
The basis of Martin's claim is that the chance of a random attempt succeeding against Scheme A is statistically nearly the same as against Scheme B, and therefore Schemes A and B present the same relative authentication strength.
A very thought-provoking position, and I 100% agree with Martin that a uniform model is required to measure authentication strength. But there are a couple of points to throw into the mix…
The basis of his claim is that a biometric has at best an FMR (false match rate) of 1 in 10^6, that is, a one in a million chance that you will be authenticated when you should not have been.
Firstly, biometric systems are tuned to achieve certain performance metrics depending on the balance struck between security and convenience. It is possible to achieve a better FMR if you are willing to give up convenience (increase the FNMR, the false non-match rate). The FNMR measures the times you didn't authenticate when you should have. If you tighten up the matching threshold you can drop the FMR drastically, at the expense of a user possibly having to present their fingerprint more than once when they should have succeeded the first time. The result is a much, much lower chance that someone is incorrectly authenticated. The author's model holds and Scheme A wins out.
Second, and also related to the biometric, this FMR is for a single fingerprint. A fingerprint is one kind of biometric, and you generally have ten of that type. With two fingers the FMR gets better (the impostor has to falsely match both), and with other biometrics (e.g., iris) it can be much better still. Scheme A would be far better if the second factor were an iris. Of course, there is a cost trade-off here, but the model does not take cost and convenience into account.
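To make the first two points concrete, here is a small added model (my own illustration, not from Martin's post). It assumes a score-based matcher whose genuine and impostor scores are normally distributed with constructed parameters, and an assumed 1-in-a-million chance that a single random password guess is right; it then applies the "chance of a random attempt succeeding" rule to both schemes while the matching threshold is tightened and a second finger is added.

```python
import math

# Constructed assumptions (not from the post): matcher scores for genuine users
# and for impostors are modelled as normal distributions on a 0-100 scale.
GENUINE_MEAN, GENUINE_SD = 90.0, 10.0
IMPOSTOR_MEAN, IMPOSTOR_SD = 20.0, 10.0
# Assumed probability that one random password guess is correct (1 in a million).
PASSWORD_GUESS_PROB = 1e-6


def normal_cdf(x, mean, sd):
    """P(score <= x) for a normal distribution, via erfc (no scipy needed)."""
    return 0.5 * math.erfc((mean - x) / (sd * math.sqrt(2)))


def fmr(threshold):
    """False match rate: probability an impostor's score clears the threshold."""
    return 1.0 - normal_cdf(threshold, IMPOSTOR_MEAN, IMPOSTOR_SD)


def fnmr(threshold):
    """False non-match rate: probability a genuine user's score falls short."""
    return normal_cdf(threshold, GENUINE_MEAN, GENUINE_SD)


def scheme_a(threshold, fingers=1):
    """Scheme A random-attempt success: password guessed AND every finger
    presented falsely matches (fingers treated as independent trials)."""
    return PASSWORD_GUESS_PROB * fmr(threshold) ** fingers


def scheme_b():
    """Scheme B random-attempt success: two independent password guesses."""
    return PASSWORD_GUESS_PROB ** 2


if __name__ == "__main__":
    # Raising the threshold trades convenience (FNMR up) for security (FMR down).
    for t in (65, 70, 75, 80):
        print(f"threshold {t:>2}: FMR={fmr(t):.2e} FNMR={fnmr(t):.2e} "
              f"A(1 finger)={scheme_a(t):.2e} A(2 fingers)={scheme_a(t, 2):.2e}")
    print(f"Scheme B (two passwords): {scheme_b():.2e}")
```

At the loosest threshold Scheme A sits within a small factor of Scheme B, which is Martin's observation; tightening the threshold or requiring a second finger moves Scheme A orders of magnitude ahead, at the cost of a visibly higher FNMR.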
The third point to make is where the authentication occurs. In Scheme B the authentication is entirely server side, so an attacker can make attempts remotely, which makes it much easier to attack. In Scheme A, with a biometric, or frankly with any OTP device, the authentication needs to involve the local workstation, making it much harder to attack. An authentication strength model should take into account how easy it is to conduct an attack.
The fourth point to make is the one of practicality. The subsequent discussion touches on this but doesn't go much further. What is the real likelihood that a user will remember two username/password combinations? More likely they will "remember" them by writing them down on a yellow sticky note attached to the monitor. This is harder to put into a model, but it does suggest that getting hold of a password or two is much easier than we think it should be.
In the end, a good thought-provoking post, but the real takeaway is that a model should exist that measures the strength of authentication mechanisms, and that model should include as many variables as possible.