jump to navigation

Continuous User Authentication September 27, 2013

Posted by patrickcallan2013 in Security.

Many computer systems continue to rely upon password/account combinations for user authentication to maintain system security. Morris and Thompson’s article, “Password Security: A Case History”, found that 86% of user passwords were between one and 6 characters in length and consisted of dictionary words or names significantly compromising computer system security. [1] Efforts to enhance password based security include increasing the required password length to 8 or more characters with at least a single digit and a special character, and requiring passwords to be reset periodically. The more rigorous the effort to enforce complex and secure passwords, the more likely users will engage in counterproductive measures like writing down passwords and using the same password for many computer systems. Therefore, relying solely upon passwords to maintain computer system security will result in relatively weak security.

A common theme which emerges in computer system security articles is the benefit of using multifactor user authentication to increase security. [2, 3] Combining something the user knows, a password, with something the user has, a token, with some unique personal characteristic, a fingerprint, facial features, voice, etc., significantly increases the level of security. The higher the number of factors the greater the security. As passwords alone continue to create relatively weak security, adding an additional security measure such as a token and/or biometric screening devices will significantly improve computer system security. Organizations need to balance the costs of enhanced security measures with the consequences of unauthorized system access. The more valuable the information within the system, the more extensive the security measures must be in order to secure those information assets.

Security measures to address common security lapses like users leaving unattended computers logged into the system do not have to be intrusive, complicated for users, or costly to improve security. Niiunuma et al. in their article, “Soft Biometric Traits for Continuous User Authentication”, address the problem of users leaving unattended computers logged into the system by using inexpensive webcams or built in laptop cameras combined with their software to insure the original user authenticated via both a password and “hard biometrics”, here facial recognition, is the one currently in front of the computer. [4] When the user logs into the system, their identity is verified by checking their password and comparing their facial features to an image stored in the security system (a hard biometric). Niinuma et al. soft biometric software involves capturing a color histogram of the user’s facial skin tone and another color histogram of their clothing each time the user logs onto the system. The two color histograms are used to maintain “continuous user authentication” meaning that the software repeatedly verifies that the person sitting in front of the computer now, has skin tone and clothing color histograms matching the template captured when the user originally logged into the system. If the user is not in front of the computer, the two color histograms do not match causing the computer to essentially log out and requires the full login process to be repeated – entering the password and passing the hard biometric test comparing the user facial features to a stored image. If another user sits in front of the logged in computer, their skin tone and clothing histograms do not match the soft biometric histograms captured during login which again causes the computer to log out preventing unauthorized system use. Niinuma et al. developed a creative solution to a common computer security problem – logged in unattended computers. This is an example of adding another security measure to supplement existing computer security.

Image capture hardware and software continues to improve allowing the capture of better quality images and the application of more sophisticated algorithms to identify unique facial features and their geometric relationships. Should future computer security only rely upon biometric data or should additional measures like passwords and tokens continue to be used to supplement biometric data?

[1] Morris, Robert and Ken Thompson. “Password Security: A Case History”. Communications of the ACM Volume 22 Number 11. November 1979.

[2] Mallow, Christopher. “Authentication Methods and Techniques”. Accessed on 9/22/2013 at http://www.giac.org/cissp-papers/2.pdf .

[3] Communications Security Establishment Canada (CSEC). “Information Technology Security Guideline User Authentication Guidance for IT Systems”. Government of Canada CSEC. March 2009. Accessed on 9/22/2013 at http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg31-eng.pdf .

[4] Niinuma, Koichiro, Unsang Park and Anil K. Jain. “Soft Biometric Traits for Continuous User Authentication”. IEEE Transactions on Information Forensics and Security Volume 5 Number 4. December 2010.



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: