MULTIFACTOR AUTHENTICATION SYSTEM USING PASSWORD AND FINGER PRINT
In today’s high-speed systems and internet-enabled world, millions of transactions occur every minute, from offline transactions to online transactions. For these transactions, data needs to be readily available to the people who are meant to have access and kept securely from those who should not. Data, the product of the networked world, has become a near equivalent of currency: it holds company transaction secrets, consumer credit card numbers, and confidential executive information. Keeping data from the wrong people is in everyone’s best interest.
A common method used to keep data from falling into the wrong hands is the use of passwords. This method has consistently been in the context of challenge and response: a user is prompted to identify himself or herself to the system he or she is trying to access and to supply the password associated with that identity (typically a login name).
A second method used for securing data and systems from the wrong people is the use of biometrics, the automated use of physiological or behavioral characteristics to determine or verify an identity. Characteristics such as fingerprints, iris, face recognition, or hand geometry can be used to authenticate a person.
TABLE OF CONTENTS
BACKGROUND OF THE STUDY
1.1 INTRODUCTION
1.1.1 WHAT IS MULTIFACTOR AUTHENTICATION?
1.2 AIMS AND OBJECTIVES
1.3 STATEMENT OF PROBLEM
1.4 SCOPE OF THE STUDY
1.5 RESEARCH METHODOLOGY
1.6 DEFINITION OF TERMS
2.1 INTRODUCTION
2.2 TWO-FACTOR AUTHENTICATION (T-FA) OR (2FA)
2.2.1 TYPES OF AUTHENTICATION
2.2.2 BENEFITS OF TWO-FACTOR AUTHENTICATION
2.2.3 CHALLENGE OF TWO-FACTOR AUTHENTICATION
2.3 BIOMETRICS
2.3.1 PROCESS OF BIOMETRICS SYSTEM
2.3.2 ADVANTAGES AND DISADVANTAGES OF BIOMETRIC TECHNIQUES
2.4 FINGERPRINT RECOGNITION
2.4.1 HOW FINGERPRINT RECOGNITION WORK
2.4.2 USER INFLUENCES ON FINGERPRINT
2.4.3 FINGERPRINT RECOGNITION TECHNIQUES
2.4.4 CHEAT ON FINGERPRINT
2.5 PASSWORD
2.5.1 ADVANTAGES OF PASSWORD
2.5.2 DISADVANTAGES
SYSTEM ANALYSIS AND DESIGN
3.1 APPROACH
3.2 SIMULATION TOOL
3.3 OBJECTIVE OF THE DEVELOPED SYSTEM
3.4 SYSTEM DESIGN ANALYSIS
3.5 DATABASE ENTITY RELATIONSHIP DIAGRAM
3.6 SIMULATION DEPENDENCIES
4.1 SIMULATION MODULE AND USER INTERFACE
4.1.1 THE ENROLLMENT MODULE
4.1.2 THE VERIFICATION MODULE
4.1.3 INFORMATION DISPLAY MODULE
RECOMMENDATION AND CONCLUSION
5.1 RECOMMENDATION
5.2 CONCLUSION
BACKGROUND OF THE STUDY
Authentication is one of the most important aspects of security. Regardless of how tightly-locked down a system is, the information is useless without some means of controlling who can access that data.
Authentication remains a tricky issue for one primary reason: it must interact with the end user.
Systems administrators, programmers and other technologically savvy individuals often understand the issues surrounding authentication and are willing to deal with many of the difficulties inherent in the process, such as memorizing complicated passwords and passphrases and using different passwords for each system.
A common method used to keep data from falling into the wrong hands is the use of passwords. This method has consistently been in the context of challenge and response: a user is prompted to identify himself to the system he is trying to access and to supply the password associated with that identity (typically a login name). This process is based on knowledge or possession; that is, if one knows or has the password, then he is granted access. With this system structure, it is easy for anyone to gain access to data if they are given, or can possibly guess, the right information. For each system they have access to and remember these passwords.
A second method of securing data and systems is through the use of biometrics.
Biometrics is defined as the “automated use of physiological or behavioral characteristics to determine or verify identity”; for example, fingerprints, iris, face, or hand geometry can be used to authenticate a person. Biometrics shifts the burden of knowledge/possession off the user and places it on a person’s physical or behavioural characteristics. In order to access a system that requires the input of biometric data, the process becomes “something you are” rather than “something you possess”. This shift of burden from possession to some quality of a person directly ties access to data to a person’s identity rather than to what the person knows.
The difference between these technologies is illustrated in the example that follows. Say, for example, John is a user of an online paycheck system, which allows users to access financial information after supplying their password. When John picked a password, he wrote it on a note and stuck it underneath his desk, since he had too many passwords to remember already. When one of the night-shift workers accidentally discovered the note, they could easily pose as John and gain access to his online paycheck information. As far as the authentication system is concerned, a user claimed to be John and supplied his password, therefore it must be him.
If the paycheck system instead used multi-factor authentication, there may be no need for a password, and all John’s transactions will be more secure. If, for instance, biometrics is integrated into the system, then after enrollment into the system John would simply need to present the biometric data required (a fingerprint, iris or signature) to gain access. Since biometric data is unique among individuals, he would not have to worry about other users accessing his account.
With a biometric system, people attempting to gain access cannot guess (or learn) something that will give them access. Only users who have been enrolled in the system will be given access, after they have presented their biometric data and been verified. That is not to say biometrics does not have its own drawbacks.
In summary, integrating different factors of authentication into an authentication system results in a high degree of certainty of a person’s identity. This confidence and accountability lead to more security, resulting in cost savings and reduced risk of financial loss for individuals and companies. Consequently, in this paper we shall focus more on two-factor authentication (T-FA).
1.1.1 WHAT IS MULTIFACTOR AUTHENTICATION?
Definition: A Multifactor Authentication (MFA) system is a security control that requires more than one form of authentication to verify the authenticity and legitimacy of a user (wapedia.mobi, 2005).
In a multifactor authentication system, authentication basically consists of verifying and validating the authenticity of a user/identity using more than one form of validation mechanism.
Authentication that depends on more than one factor is difficult to compromise.
One problem with multi-factor authentication generally is the lack of understanding of what constitutes “true” multi-factor authentication. Supplying a user name (“something the user knows”) and password is single-factor authentication, despite the use of multiple pieces of distinct information. Adding a visual image (more of “something the user knows”) is still single-factor authentication. [wapedia.mobi, 2005]
In an authentication system, multifactor means that more than one of the authentication factors is being used. An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Multifactor authentication consists of verifying and validating the authenticity of an identity using more than one validation mechanism. Authentication factors apply to a procedure for authenticating a user as an individual with definitively granted access rights [Bruce Schneier, March 2005]. There are two different factor types for authentication:
· Something the user has (e.g., ATM card, John’s card);
· Something the user knows (e.g., password, PIN);
· Something the user is (e.g., biometric characteristic, such as fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods; their success depends on more than the technology. It also depends on appropriate policies, procedures and controls.
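An added example (not from the original paper) of the distinction drawn above: credentials are counted by factor category rather than by number of items, and a password-plus-fingerprint login must pass both checks. The credential names, the PBKDF2 iteration count, the matcher score and its 0.8 threshold are assumptions made for illustration; a real fingerprint matcher would supply the score.

```python
import hashlib
import hmac
import os
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Illustrative mapping of credential kinds to the factor categories listed above.
CREDENTIAL_FACTOR = {
    "username": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "visual_image": Factor.KNOWLEDGE,
    "atm_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def is_multifactor(credential_kinds):
    """True only when the credentials span at least two distinct categories."""
    return len({CREDENTIAL_FACTOR[k] for k in credential_kinds}) >= 2


def hash_password(password, salt, iterations=600_000):
    # Salted, slow hash so a stolen record resists dictionary and brute-force guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enroll(password):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}


def verify(record, password, match_score, threshold=0.8):
    """Both factors are always evaluated; access needs both to pass.

    match_score is the similarity reported by a fingerprint matcher
    (hypothetical here, passed in as a number between 0 and 1).
    """
    candidate = hash_password(password, record["salt"])
    pw_ok = hmac.compare_digest(candidate, record["pw_hash"])  # constant-time compare
    fp_ok = match_score >= threshold
    return pw_ok and fp_ok


if __name__ == "__main__":
    print(is_multifactor(["username", "password", "visual_image"]))  # one category only
    print(is_multifactor(["password", "fingerprint"]))
    rec = enroll("constructed-sample-passphrase")
    print(verify(rec, "constructed-sample-passphrase", match_score=0.93))
```
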
1.2 AIMS AND OBJECTIVES
The purpose of this project is to consider a subset of multifactor authentication (two-factor authentication), as against the normal single-factor authentication, with the inclusion of biometrics to authenticate and verify the identity of a user using a fingerprint before access is granted to the system.
1.3 STATEMENT OF PROBLEM
Among the two-factor authentication schemes in existence, the combination of the “what you have” and “what you know” factors has been the most common over the years. This approach has been subjected to different attacks which have exposed its weakness. Some of the attacks are: brute force, shoulder surfing, spyware, dictionary attack, etc.
However, the inclusion of the “who you are” factor actually solves most of the problems posed by many of these threats.
1.4 SCOPE OF THE STUDY
This project will involve the simulation of a two-factor authentication system to establish its strength over single-factor authentication, using fingerprint as a case study of authentication, which refers to the automated method of verifying a match between two human fingerprints. Fingerprints are one of many forms of biometrics used to identify individuals and verify their identity.
1.5 RESEARCH METHODOLOGY
To bring this paper to reality, the methods employed in collecting the necessary information include:
Surfing the internet for the latest information and current theses on the issue of authentication. Observation of various authentication systems where the multifactor concept is adopted.
1.6 DEFINITION OF TERMS
Brute force: This is an attack in which possible passwords are guessed at random until a working password is discovered.
Shoulder surfing: This is the process by which an attacker steals a password by observing its entry.
Spyware: This is software that records information about users, usually without their knowledge. In a typical case, users unintentionally install spyware when they visit certain websites or install unapproved software. Spyware may be used in conjunction with social engineering techniques to trick users into installing the spyware. The software then spies on the user’s sensitive data.
Dictionary attack: A dictionary attack is a technique for defeating an authentication mechanism by trying to determine its passphrase by searching a large number of possibilities. In contrast to a brute force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries possibilities which are most likely to succeed, typically derived from a list of words in a dictionary.