So, briefly, about some other forms of authentication. We've focused mainly on passwords. We use passwords a lot. They're not very good: there are many vulnerabilities with using passwords, many things can go wrong, but they're widely used and users are happy to use them, so we need to understand how to store them and how to select them. But now let's just look quickly at using tokens, just to define what we mean by a token, and then biometric authentication.

By tokens, quite briefly, we mean some object that the user has, that they possess, and they use it for authenticating. So we call that a token. Different types: they may be cards, they may be USB drives, so some object that we have. We can even think of a mobile phone as a token now. This table just lists some examples of the card-type tokens that people have. The magnetic stripe ones have some stripe which has some information encoded in it, so you are in possession of that card and you swipe it, and then that can act as some form of authentication. Some of your cards, especially from banks, will have some electronic memory inside, or smart cards even, that have not just memory to store information but also a processor to do some calculations. So there are examples of different tokens: some are contact smart cards where you need to touch it with some electrical contact, some have some radio device embedded so that you can be nearby. You can think of some of the features of mobile phones, like, what's it called, NFC? Near-field communication is a technology in mobile phones that allows you to have your phone within a few centimetres of a reader, and that can exchange information, and you can use that for authentication. So in that case your phone is acting as a contactless token. You don't have to touch it.
You just have to be nearby; it has some radio device inside. So there are different types.

Some of the issues that come up. Memory cards: mainly we've seen them with banks, for example a bank card, a credit card or an ATM card and so on. They often store data; at least the older versions would just store data. They don't have a processor inside, they can't do any calculations, so they just store data. There was once just the magnetic stripe; most today have some electronic memory inside, and they are usually combined with a password or a PIN. So we have two forms of authentication: that is, you need to be in possession of that card as well as know the PIN to be authenticated. So that's quite good security, because it relies on both forms. Guessing someone's PIN is not enough, you need to have the card. Stealing someone's card is not enough, you need to know the PIN. So it combines two forms, compared to just using passwords on their own.

What are the problems, though? Well, it requires a specialised reader, okay, it requires hardware to read it. If you lose the card, that's a problem; if you lose the token you need to go back and be inconvenienced to get a new one. And you need to carry it around with you, so you may not be as happy: you can carry the password in your head, you carry the card in your bag or wallet. And it's not just a card; those issues also apply to other types of tokens.

Smart cards really means, in this case, tokens that include the ability to do some processing, so they include a processor on board. Some banks, for example, will issue customers with such cards or devices, which may even have some keypad on them. So it's not just for storage of information, but it will do some processing.
Maybe it prompts you to enter some value, you type in some value with a keypad, and it generates some random value which is then used as a password. So it's a combination of password plus the smart card. And again, your mobile phone can do similar things; the one-time password is the similar concept. That is, something is sent to your phone, a one-time password, a random value that you then use to log in. So the similar concept is what we use for our mobile phones today. There's some interface sometimes, so if it's not mobile phone based you can actually get cards which look like a very small calculator: you can type numbers in, it has a little display, and it would generate secure keys for you. And there are some different protocols for them to communicate with a server to check authentication. We're not going to touch upon how that authentication works. I just wanted to mention that, of course, there are tokens. I don't have any examples, though, other than your mobile phone that you... Right, right, so I do have examples of the simple ones, you know, all of your bank cards and so on. And the other one you may have used is your mobile phone; that's when a message is sent to you to generate something, or maybe even for payments. So a number of companies, Google, Apple and so on, have payment-based systems where, when you have the mobile phone, you just put your phone near some payment processor and it will make the payment. So that's a form of token-based authentication. Just be aware that we don't just have to use PINs or passwords; we can use physical tokens as well.

But maybe we'll say a little bit more about the last technique, biometric authentication. So, try to authenticate people based upon their physical characteristics, and it usually uses some form of pattern recognition. See some examples of that. Compared to other approaches, passwords and tokens:
It's usually much more complex and, as a result, more expensive to implement, so we don't see it as widely used because of those reasons, but it can be more secure in some cases.

So what physical characteristics? Your face: the idea is that people have different facial characteristics, so if we can recognise those characteristics from their face, they may be used to recognise that individual person and authenticate. Fingerprints, the shape or the geometry of your hand, your retina, your iris (those are two parts of your eye), your voice, and your signature when you sign something. So I think some of these you have used, signature especially, fingerprints maybe. Some of our rooms have fingerprint scanners on them to get access. Which one's best? Retina? Fingerprint? I think it turns out iris is considered one of the best ones. Your iris is the coloured part of your eye, the one that gives you colour: you've got blue eyes or green eyes, that part of your eye is the iris. The retina is the ball, or the part covering the eyeball.

So there's a trade-off with different biometric schemes. This roughly compares them with respect to cost and accuracy. Cost, in terms of needing some hardware to recognise the pattern from that physical characteristic, and accuracy, in terms of how good it is at authenticating people. In terms of accuracy the best one is iris; that is, if you can read the iris of someone, then there's a very high probability, if you can read it correctly, that you can identify and authenticate that particular person out of everyone in the world. The problem is it's quite costly to have equipment to do that. So iris is the best in terms of accuracy, the highest accuracy, but also the highest cost, financial cost. Voice, for example, is the least accurate, or one of the least accurate, but it's quite cheap.
You just need a microphone and then some processor to record the voice and then compare it to some characteristics of a stored voice. But lowest accuracy, in that what may happen is, if someone talks into the microphone and the system is trying to check it, then there's a much larger chance that you'll make the wrong decision and either not authenticate the person when it is the right one, or authenticate the person when it's someone else. And we'll talk more about those two choices in a moment. So that's a rough comparison, saying that some are cheaper than others (voice and face and fingerprint are cheaper than iris and retina and hand) and some are more accurate than others. Just a rough comparison.

This illustrates the approaches for how to implement this in practice. The top picture, called enrollment, shows what happens when we register. So first we must register our physical characteristic. This one's for fingerprint, but it applies similarly for the other characteristics. To register, what we do is maybe supply our name, or some password or PIN as well (we may optionally have that), and we scan our fingerprint, for example. There's some sensor that scans the fingerprint, that looks at the fingerprint, and the system does not store, say, a photo or a copy of your fingerprint. What the system does is look at your fingerprint and try to extract what are called features from that fingerprint that will be unique to you, or unique to that fingerprint. So think of it: if the fingerprint is this picture, or this is a picture of the fingerprint, it doesn't store the actual fingerprint. It stores some points in the fingerprint which are unique, or something that identifies the shape or the curves of the lines, that is unique to that user.
So there's some component which extracts those features from the biometric information. The system stores that information in a database, as well as your name or your ID and, optionally, your PIN. Then later, when you want to use the fingerprint to identify or authenticate you, well, there are two different approaches, and it separates between verification and identification, and that's slightly different. Verification is checking that the person is who they say they are. Identification is finding out who this person is, identifying a particular person. Let's look at them.

With verification, what happens is that the user submits two things: their name, maybe a PIN, but some identifier, and their fingerprint in this example. So what I do is maybe I type in my name or my user ID and also scan my finger. So I submit two things to the system. The sensor gets a copy of my fingerprint; so when I scan it on the sensor it gets a copy, and then it extracts the features from that scanned fingerprint. When I submit my name or ID, the system looks up that name in the database, in the registered or enrolled data. It finds the matching entry and it finds the features which were stored from the enrollment. That's what it says here, "one template": it contains the data that was stored. And then the data which was stored is compared against the data which is extracted from the scanned fingerprint. If they match, then we've verified; if they don't match, it fails. This is like our password verification.
We submit our ID and the password; the system compares them to the stored values. That verifies that this user is who they say they are.

Identification is slightly different. Identification is just using the password to find out who you are. You don't submit your name, you just scan your fingerprint. The sensor grabs your fingerprint; the feature extractor, the software, extracts the key parts from the fingerprint, some information from it about the contours and so on; and then the features from the scanned fingerprint are compared against, in the worst case, all of the fingerprint information in the database, and we try and find a match. If we find a match, we've identified that user. If we don't find a match, then we haven't identified that user. So this is just identifying users, not verifying a user against the username. Slight difference there.

Which one's easier? Think of verification versus identification in terms of implementing the system: which one's easier here? Why is verification easier? Right, it's about one template versus N templates. With verification there's a database; let's say we have a thousand users. The database has entries for each user and their corresponding fingerprint information, the fingerprint features. With verification we submit our name, so from the database we find that name in there and we find the features, and here it's denoted as that one template, that one set of features for that user, and then we just compare that against the features for the scanned fingerprint. That's quite easy. But for identification, we scan the fingerprint and we must compare the features against all of the entries in the database, or up to all of them, to find one that matches, and that can be much more processing intensive, because this comparison of features requires really some pattern recognition, which can be complex to do and to do accurately. The same approaches apply for other physical characteristics, not just fingerprint.
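The enrollment, verification (one template) and identification (N templates) flows just described, as an added example that is not part of the lecture. Everything in it is constructed: a "template" is a short list of numbers standing in for extracted fingerprint features, the matcher is a Euclidean distance with a made-up threshold, and the user IDs, PINs and scans are invented. What it shows is the structure of the two flows and the comparison cost of each, not a real biometric matcher.

```python
"""Enrollment, 1:1 verification and 1:N identification over toy templates.

Added illustration (not the lecture's code). Real fingerprint systems extract
minutiae and use specialised matchers; here the "features" are constructed
number lists and similarity is a Euclidean distance.
"""
import math

# Constructed decision threshold: feature vectors closer than this are
# treated as "similar enough" (the feature matcher's accept/reject rule).
THRESHOLD = 1.0


def extract_features(raw_scan):
    # Stand-in for the feature extractor. A real one would locate minutiae in
    # the image; here the "scan" is already a list of numbers we normalise.
    return [round(float(v), 3) for v in raw_scan]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class BiometricDB:
    def __init__(self):
        self.templates = {}    # user_id -> (template, optional PIN)
        self.comparisons = 0   # how many times the matcher was invoked

    def enroll(self, user_id, raw_scan, pin=None):
        """Enrollment: store features (never the raw scan), ID and optional PIN."""
        self.templates[user_id] = (extract_features(raw_scan), pin)

    def _match(self, template, probe):
        self.comparisons += 1
        return distance(template, probe) <= THRESHOLD

    def verify(self, user_id, raw_scan, pin=None):
        """1:1 verification: claimed ID (+PIN) selects exactly one template."""
        entry = self.templates.get(user_id)
        if entry is None:
            return False
        template, stored_pin = entry
        if stored_pin is not None and pin != stored_pin:
            return False               # second factor fails: no matcher call
        return self._match(template, extract_features(raw_scan))

    def identify(self, raw_scan):
        """1:N identification: no claimed ID, so compare against every template."""
        probe = extract_features(raw_scan)
        for user_id, (template, _) in self.templates.items():
            if self._match(template, probe):
                return user_id
        return None


def run_demo():
    """Enroll three constructed users, then exercise both flows and count matcher calls."""
    db = BiometricDB()
    db.enroll("alice", [1.0, 2.0, 3.0], pin="1234")
    db.enroll("bob", [5.0, 5.0, 5.0], pin="9999")
    db.enroll("carol", [9.0, 1.0, 4.0])
    # Carol's later scan differs slightly from enrollment (orientation, sweat...).
    carol_scan = [9.1, 0.8, 4.2]
    out = {}

    before = db.comparisons
    out["verified"] = db.verify("carol", carol_scan)
    out["verify_cost"] = db.comparisons - before          # one template

    out["wrong_pin"] = db.verify("alice", [1.0, 2.0, 3.0], pin="0000")
    out["imposter_with_pin"] = db.verify("alice", carol_scan, pin="1234")

    before = db.comparisons
    out["identified"] = db.identify(carol_scan)
    out["identify_cost"] = db.comparisons - before        # up to N templates

    out["unknown"] = db.identify([50.0, 50.0, 50.0])
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With three enrolled users, verification costs one matcher call (the claimed ID picks the template) while identifying Carol costs three, because her template is the last one in the database; an unknown scan costs N calls and returns nothing. The PIN check in `verify` is the "two forms" point from the card discussion: a wrong PIN fails before the matcher even runs.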
It's about the same for others. Questions before we see the last few slides, how to authenticate? Ask me. Verification is like what we use for passwords: we want to check that this person by this name is who they say they are, and the way that we'll know is if their fingerprint matches the enrolled or registered one. So it's like I go to the door, I type in my PIN, my unique ID, and I also scan my fingerprint. The system looks up my fingerprint information, compares the stored value against the scanned value, and if they match I'm verified. Okay, sure. And identification is just identifying that particular person out of the set of all users. They have different purposes.

What have we got left? I think two of these three slides we'll look at. In all cases the challenge with biometric authentication is comparing or distinguishing between a real user... Okay, any comments on authentication on your phone? Let's get through the last two slides.

The challenge with all these biometric authentication techniques is distinguishing between the real user and the attacker, or, as listed here, an authorised user and an imposter. An imposter is someone who's pretending to be someone else. What this diagram shows, and you don't have to be worried too much about the details, is that the first curve here, this imposter profile, means that if we look at the features of an imposter, we can think there's a high likelihood that they'll have the features within this range, and a normal user, or an authorised user, in this range here where it says "profile of genuine user". The challenge with biometric authentication is that often the features of an imposter will overlap with the features of a normal user. We'd like them not to overlap, then it would be easy, but in practice they usually do. And what it results in is that when we compare the features stored in the database with the features supplied, either in verification or identification, we might need to make a decision whether they match or not. This
feature matcher needs to compare them, and it's not easy to compare, say, two images and see if they are similar, because they don't have to provide exact matches, they need to be similar, because there may be some differences. So there's some decision that says, okay, the features supplied, are they close enough to the stored value? If yes, then we accept it; if no, then we say reject. The problem that arises is that we may get cases where we have false matches or false non-matches. A false match, so this grey area here, is when an imposter submits their fingerprint, for example, and the system authenticates them, because the system compares the imposter's fingerprint to one that's on record and it sees that they're very similar, so it assumes that they're okay. That's a problem. That's in this diagram called a false match, and that happens when the profile of the imposter overlaps with the profile of the genuine user and we accept that imposter. The other problem is when we reject someone who was actually the right person. I go scan my fingerprint, the system compares my fingerprint against my registered fingerprint and, unfortunately, it returns that they don't match, they're too dissimilar, because again my registered fingerprint and the scanned one when I try to log in will be different. Maybe my finger is oriented in a different way, it's sweaty, or whatever.
So it'll be a different image. So the system has to do a comparison and find out whether they're very close or not, and then it makes a decision, and if it makes a decision saying that they are too far apart, then it's a false non-match, in that the genuine user is treated as an imposter and they're not allowed in, for example. So those are the two issues. We'd like a low number of both of them. We don't want to allow the imposter in, so we don't want to make the wrong decision here and let someone in who shouldn't be, and similarly we don't want to block the normal users from getting access, so we don't want to have false non-matches.

This slide compares some of those different biometric techniques with respect to the false non-match rate and the false match rate, from some studies that have come up with some data. We'll just look at a few of the data points and explain what they mean. Let's take a data point just to explain this slide. So fingerprint is a circle here, the white circle. This point says that the false match rate is, what, 0.001 percent, and the false non-match rate is getting close to 10 percent, maybe it's 8 percent. It's on a logarithmic scale. How do we interpret that? A false match rate is the percent of times that an imposter gets wrongly accepted into the system, gets wrongly verified.
So if we want to keep that less than 0.001 percent, then with a fingerprint it suggests that we're going to have to accept close to 10 percent, maybe eight or nine percent, of false non-matches. That means getting close to 10 percent of the time a normal user will be rejected. Again, this data point tells us: let's say we want to make sure that the chance of the imposter being authenticated is less than 0.001 percent with fingerprint biometric authentication; that suggests that if we have that, then about eight or nine percent of the time our real users will be rejected, even though they have the correct biometric characteristics. We'd like the data points to be as close as possible to this bottom left corner: we'd like a very low false match rate and a very low false non-match rate. So this compares those different schemes. For another example, face recognition, this blue dot here. This tells us that if we're using face recognition then 1% of the time we'll get a false match, meaning 1% of the time the imposter will be accepted when they shouldn't be. 99% of the time it will be okay, they'll be rejected, but 1% of the time the imposter will be accepted, and in that case we'll have about, what's this, maybe 20% of the time that a normal user will be rejected. So we need to weigh up that trade-off of not accepting the imposter but not rejecting the normal user. Which one's best?
The one that's closer to this point is the best, and in this case iris. It says that with a false non-match rate, that is, rejecting our normal users, in the order of two or three percent of the time, we accept the imposter 0.01 percent of the time. So very few times do we accept an imposter, and only a few percent of the time will we reject a normal user. So that's just a comparison of the different techniques.

We've looked at what you know (passwords), what you possess (briefly, tokens) and what you are or do (biometrics) as ways for user authentication. Make sure you know how to store a password: you store a hash of a salted password. We save the salt and the hash; the salt and the password are hashed. There are many issues which we don't discuss: how to select good passwords, how to implement them, and the many vulnerabilities of different authentication techniques that lead to multi-factor authentication. We'll stop there. We'll have a quiz tomorrow morning, and then we'll move on to access control.
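The false match / false non-match trade-off from the last few slides, worked through as an added example that is not part of the lecture. The matcher scores below are constructed (a similarity in [0, 1] such as a feature matcher might output for 20 genuine and 20 imposter attempts), chosen so that the two profiles overlap in the 0.55 to 0.80 region like the two curves on the slide; the rule is "accept if score >= threshold". The functions sweep the threshold to show what FNMR you pay for a chosen FMR ceiling, which is exactly how a point on the slide's chart should be read. The rates and thresholds it prints describe these made-up scores only, not any real biometric.

```python
"""False match rate (FMR) versus false non-match rate (FNMR) for a score threshold.

Added example (not from the lecture). Scores are constructed to overlap in the
middle; moving the threshold trades one error rate for the other.
"""

# Constructed matcher outputs: similarity of probe to stored template.
GENUINE_SCORES = [0.95, 0.93, 0.92, 0.90, 0.89, 0.88, 0.87, 0.86, 0.85, 0.84,
                  0.82, 0.80, 0.78, 0.76, 0.74, 0.72, 0.70, 0.65, 0.60, 0.55]
IMPOSTER_SCORES = [0.20, 0.25, 0.30, 0.33, 0.35, 0.38, 0.40, 0.42, 0.45, 0.48,
                   0.50, 0.52, 0.55, 0.58, 0.60, 0.63, 0.66, 0.70, 0.74, 0.80]


def rates(threshold, genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    """Return (fmr, fnmr) for an accept-if-score>=threshold decision.

    fmr  = fraction of imposter attempts wrongly accepted (score >= threshold)
    fnmr = fraction of genuine attempts wrongly rejected  (score <  threshold)
    """
    fmr = sum(1 for s in imposter if s >= threshold) / len(imposter)
    fnmr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return fmr, fnmr


def candidate_thresholds(genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    # Every observed score is a place where a rate can change; 1.01 is a
    # sentinel above all scores (reject everything) so a search always ends.
    return sorted(set(genuine) | set(imposter)) + [1.01]


def threshold_for_max_fmr(max_fmr, genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    """Lowest threshold keeping FMR <= max_fmr, with the FNMR that costs.

    This is how to read a point on the slide: fix the imposter-acceptance
    ceiling, and the genuine-rejection rate is what you get in return.
    """
    for t in candidate_thresholds(genuine, imposter):
        fmr, fnmr = rates(t, genuine, imposter)
        if fmr <= max_fmr:
            return t, fmr, fnmr


def equal_error_point(genuine=GENUINE_SCORES, imposter=IMPOSTER_SCORES):
    """Threshold where FMR and FNMR are closest (the usual single-number summary)."""
    best = None
    for t in candidate_thresholds(genuine, imposter):
        fmr, fnmr = rates(t, genuine, imposter)
        if best is None or abs(fmr - fnmr) < abs(best[1] - best[2]):
            best = (t, fmr, fnmr)
    return best


if __name__ == "__main__":
    print("threshold  FMR    FNMR")
    for t in (0.50, 0.60, 0.70, 0.76, 0.82):
        fmr, fnmr = rates(t)
        print(f"{t:>9.2f}  {fmr:.2f}   {fnmr:.2f}")
    print("FMR <= 5%  ->", threshold_for_max_fmr(0.05))
    print("FMR == 0%  ->", threshold_for_max_fmr(0.0))
    print("equal error ->", equal_error_point())
```

On these constructed scores, capping the false match rate at 5% forces the threshold up to 0.76 and rejects 30% of genuine attempts; refusing every imposter (FMR 0) pushes it to 0.82 and rejects 45% of genuine users. The equal error point sits at 0.70, where both rates are 15%. That is the shape of the slide: the closer a scheme's curve sits to the bottom left, the less FNMR it pays for a given FMR ceiling.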