Identification and Authentication: Technology and Implementation Issues

Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve.
