Authentication: Part 3

Video Activity

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
But Kelly, you say, you promised us three types of authentication and you've only given us two types. Well, that is indeed correct. I'm going to remedy that problem with Part 3, where we talk about Type 3 authentication. Type 3 authentication is really the use of biometrics. Now we'll talk about physiological versus behavior-based biometrics, and then we're going to talk about some considerations such as accuracy.

Biometrics. Biometrics is a general term for authentication means that are tied to your identity. Now, we have physiological traits and we have behavior-based traits. The physiological traits are stronger because they can't be modified. Now I'm not talking about sci-fi films, but your thumbprint is your thumbprint, your retina is your retina. They're not going to be able to be modified by typical means. Now that doesn't mean they can't be spoofed, because anything can be spoofed. But it means that these are much more difficult to spoof. Nothing stands on its own. We always want multi-factor authentication. But all things being equal, physiological traits are much stronger authentication than something I know or something I have.

Now the behavior traits. Again, fingerprint, hand geometry scan, palm scan, iris and retina scan, those are physiological, but behavior-based biometrics are pretty strong as well because these are based on something I do uniquely. How I talk, how I type my name, that keyboard cadence, how I walk. People's gait is often used in airport recognition utilities to identify suspects of crime or potential terrorists, because that winds up being a good identifier. Facial recognition would go to the physiological traits. Lots of different types of biometrics are used. Now with the behavior-based biometrics, you can change how you walk or how you talk for a short period of time. But eventually, 99.9 percent of people, if they're asked to do something long enough, they'll revert back to what's natural for them. I might walk differently for 15 feet, but eventually I'm going to go back to how I normally walk.

Now, biometrics, like we said, if everything is equal and you only get single-factor authentication, then biometrics tends to be the strongest. Well, it really depends on the quality of your device. Some biometric devices do very basic reading. They're very inexpensive, but they don't give you a great degree of security, whereas others, much more sophisticated, can give you a high degree of assurance.

Let's say that I have a laptop and I'm going to use my thumbprint to authenticate. Now, I want to make sure no one that is not me gets access to my laptop. When I provide the setup and I provide my thumbprint, I'm going to go in and say I want a 100 percent match. Anybody trying to log in, if it doesn't match 100 percent, then deny them access. That's a pretty steep requirement. What I'm going to find happens is every time I go to log in, I'm going to be denied. Because a 100 percent match is just not going to happen. The exact same pressure, the exact same roll. Nothing on my fingertips, no cuts, no nicks. It's just not going to happen. What's going to happen is I'm going to get a false rejection. False rejections are referred to as Type 1 errors. There's a lot of overhead with Type 1 rejections. I have to go in, I log in, but I'm denied. I have to go and make corrections, have to override. We don't like those.

I get frustrated with false rejections and I say, you know what, as long as you have a thumb, you can access my laptop. Well, that's a pretty low requirement. What's going to happen there is we're going to have false acceptances. With false acceptances, someone who should not be allowed access is going to get access. The two really are inversely proportional. As I make false rejections go down, false acceptances will increase. If I reduce false acceptances, rejections will increase. There will always be a point where false rejections meet false acceptances, and that point is called the Crossover Error Rate, the CER. With that Crossover Error Rate, that's the indication of the accuracy of the system. I want that to be a low number. It's expressed in percentages. I want that to be as low as possible if accuracy is my primary concern.

If accuracy is your primary concern, if you're looking for a type of biometric that has very high accuracy rates, iris scans would be the most accurate out there, the colored portion in your eye. Now I'll mention retina scans are also very accurate. But whereas a retina scan examines the vascular pattern in the back of your eyes, we tend to shy away from that because health care information can be obtained by looking at individual employees' retinas. Then we have the questions, do I have to protect that based on HIPAA? What do I have to do just to secure it? We've opened up a new can of worms.

Well, let me tell you. I went to get my glasses checked because my prescription is woefully lacking. I went to get my prescription checked the other day and get my eyes checked. They asked me at my doctor's office, do you want to dilate your eyes or do you want us to do a retina scan? Well, for me there was no [inaudible], do a retina scan. I hate that weird feeling when your eyes are dilated. They did a retina scan. A few minutes later my doctor came in and she was looking at the scan results with me. She would show me a specific vessel and she'd say, here's how we know you don't have diabetes. Here's how we know you're not pregnant. I was like, "Get out of my medical records. You're an eye doctor. I want a cheap pair of glasses so I can go."

Just imagine if that information was turned over to your security guard. Can you imagine Bob, the security guard, pulling a woman out of line saying, hey, let me tell you some happy news, you're pregnant. Congratulations. That's not the information you want to get from Bob, the security guard, just throwing that out there. Companies have shied away, not all of them, but many, from retina scans. Iris scans are more accurate anyway, so it seems to be a good choice.

We're concerned with elements about biometrics. Users aren't always willing to submit to biometrics. Now, I don't mean that as my first and only consideration, but I do want my users to not feel like their privacy is being infringed upon when they have to log in to a system every day. I want to find a biometric technique that's less invasive, one that users are more willing to submit to. I want it to be a relatively smooth process for enrollment and verification, especially verification, because that's going to happen each time there's access. I want to think about costs. Another concern, particularly from users: if my password gets compromised, we can just reset and get me a new password. But if my thumbprint is compromised, you can't revoke biometrics. Again, we're not talking about sci-fi. I've seen a couple of sci-fi movies where biometrics were revoked. I'm not giving any spoilers, but if any of you watched the TV show True Blood, there was a less than delicate way of stealing someone's biometrics. That's all I'm saying out there.

Now, this could come up in a question like this. Which of the following is of least concern when choosing biometrics? Your choices would be technology type, accuracy, cost, user acceptance. Here's the way I want you to think about this. Business needs are addressed first and we choose the technology based on our business needs. My business needs are to keep the costs down, I have a certain degree of accuracy I'm going to require, and I have a consideration of user acceptance. The technology type that I choose is going to be driven by the business needs. This is exactly an example of what we've talked about all the way throughout this class. The idea that we always start with the business. Know the business needs, know the objectives before you determine any technical solution.

Wrapping up Type 3 authentication here, we talked about Type 3 authentication being something you are or something you do. Something you are is the physiological traits, whereas something you do is behavior-based. Those are usually both considered to be types of biometrics. Then we talked about the crossover error rate to indicate accuracy of biometrics. I'll also mention we just talked about some of the considerations that lead us to choose biometric technology.