
Authentication and Beyond

Authentication and Beyond. Judith Markowitz, PhD, President, J. Markowitz, Consultants. August 8, 2006. Agenda: Why good UA is important; Levels of UA; Biometrics; SIV.


Presentation Transcript


  1. Authentication and Beyond. Judith Markowitz, PhD, President, J. Markowitz, Consultants. August 8, 2006

  2. Security • User Authentication • Biometrics • SIV • User Authentication

  3. Agenda • Why good UA is important • Levels of UA • Biometrics • SIV

  4. Why Should We Care about Authentication? • Identity Theft • Industrial Espionage • National Security • Privacy

  5. Why Should We Care? • Univ. of Ohio • Boston College • Chico State Univ • US Veterans Administration • US Dept. of Agriculture • ChoicePoint • LexisNexis • US Federal Trade Comm. • US Dept. of the Navy • AIG • CitiBank • ING Financial Serv. • Nat’l Nuclear Safety Admin. • FBI • MasterCard Int’l. • ADP • Ernst & Young

  6. Identity Theft Factoids • In the past year, over half of all US companies doing business in the technology, media and telecommunications sectors experienced data breaches that potentially exposed their intellectual property or customer information. (2006 Deloitte Touche Tohmatsu) • About 3% of US households (3.6 million families) suffered some sort of ID theft in the first 6 months of 2004 (DOJ) • 13 US governmental agencies are fighting it • Cost to businesses and financial institutions was $52.6 billion in not counting the complex systems put in place to fight it. (2004 Javelin Strategy and Research)

  7. Identity Theft Factoids: Not Just a U.S. Problem • Japan: 2006 data loss by KDDI for 4 million subscribers; 2006 Chubu Electric Power plant info on Web • UK: 2004 120,000 reported cases (up 20%) • EU: 2004 credit card fraud ascribable to identity theft caused damages of over $210 million (Source: VISA); 2006 members of European Parliament demanded action against this growing threat • Global: 2005 An average of 11% of bank customers in all regions report having been subjected to some form of identity theft. The figure for the U.S. is 17%. (Unisys); 2005 survey of consumers showed 66% are "a little worried." In Mexico and Brazil 78% and 70% of people, respectively, worry "a lot" about it.

  8. User Authentication

  9. User Authentication: Definitions • User authentication: The process of establishing confidence in user identities • Electronic user authentication: The process of establishing confidence in user identities presented to an information system.

  10. User Authentication: User authentication employs one or more of the following • What you have (token, key) • What you know (PIN, password) • Who you are (biometrics) • Where you are (GPS)

  11. User Authentication: Resources • Office of Management and Budget publication M04-04, E-Authentication Guidance for Federal Agencies, 2003 • NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems • Recommend a methodology for managing risk in information systems. The focus is on authentication

  12. User Authentication: Security/Assurance Levels (OMB M04-04 & NIST SP 800-63)

  13. User Authentication: Security/Assurance Level Examples

  14. User Authentication: Limits of OMB M04-04 & NIST SP 800-63 • They only address authentication based on secrets: “This guidance addresses only traditional, widely implemented methods for remote authentication based on secrets.” • They don’t address biometrics: “Biometrics do not constitute secrets suitable for use in the conventional remote authentication protocols addressed in this document.”

  15. Biometrics

  16. Biometrics: What Are They? • “Who you are” user authentication • They are based in physiology and behavior • They are not secrets • High degree of uniqueness • “Biometrics provide a very high level of security because the authentication is directly related to a unique physical characteristic of the user which is more difficult to counterfeit.” (NIST SP 800-32 Section 2.2)

  17. Biometrics: Study Report on Biometrics in E-Authentication (ANSI/M1 Ad hoc committee on biometrics in e-authentication) • Add biometrics to e-authentication measures • Dispel misunderstandings about biometrics • Examine the vulnerabilities of biometrics • “What is the role of biometrics at the various security levels and what architectures and surrounding security mechanisms are appropriate for use in the remote e-authentication environment?”

  18. Biometrics: Biometrics at Security/Assurance Levels (Study Report on Biometrics in E-Authentication)

  19. SIV: Speaker Identification and Verification

  20. SIV: SIV = Biometric authentication • Based on an aspect of who you are • Requires enrollment • Lots of misunderstanding • Needs to be user friendly • Not perfect (nothing is perfect) • Vulnerable to attack

  21. SIV: Uniqueness of SIV • Audio-based • Standard (non-proprietary) devices • The most multi-faceted of commercial biometrics: text-dependent, text-independent, challenge-response; works with ASR and TTS and lip movement • Cancelable

  22. Security • User Authentication • Biometrics • SIV. Summary: Authentication is just part of the challenge • Policies • Gateway Security • Backup • Usability

  23. Thank you. Judith Markowitz, PhD, President, J. Markowitz, Consultants, 5801 N. Sheridan Road, Suite 19A, Chicago, IL 60660, 773-769-9243, judith@jmarkowitz.com
