Comparing passwords, tokens, and biometrics for user authentication

Proceedings of the IEEE

Volumn 91, Issue 12, 2003, Pages 2021-2040

  O'Gorman, Lawrence ^a  

^a AVAYA LABS RESEARCH   (United States)

Author keywords

Access control; Biometric; End user authentication; Human authentication; Identity management; Identity token; Password; Verification

Indexed keywords

DATA REDUCTION; FINANCE; INTERNET; NETWORK PROTOCOLS; SECURITY OF DATA; WEB BROWSERS;

ACCESS CONTROL; BIOMETRICS; END-USER AUTHENTICATION; HUMAN AUTHENTICATION; IDENTITY MANAGEMENT; IDENTITY TOKEN; PASSWORD; VERIFICATION;

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

EID: 10044293457     PISSN: 00189219     EISSN: None     Source Type: Journal    
DOI: 10.1109/JPROC.2003.819611     Document Type: Conference Paper

References (56)

1. D. Kahn, The Codebreakers: The Story of Secret Writing. New York Scribner. 1996.
2. G. Stocksdale. NSA Glossary of Terms Used in Security and Intrusion Detection [Online]. Available: http://www.sans.org/newlook/ resources/glossary. htm
3. E. Rescorla, SSL and TLS: Designing and Building Secure Systems. Reading, MA: Addison-Wesley, 2000.
4. Specification for (he Advanced Encryption Standard (2001, Nov.). [Online]. Available: http://csrc.nist.gov/encryption/aes/
5. R. Morris and K. Thompson, "Password security: A case history," Commun. ACM. vol. 22. no. 11. pp. 594-597, Nov. 1979.
6. B. L. Riddle, M. S. Miron, and J. A. Semo. "Passwords in use in a university timesharing environment," Comput. Security, vol. 8. no. 7, pp. 569-579, 1989.
7. D. L. Jobusch and A. E. Oldehoeft. "A survey of password mechanisms: Weaknesses and potential improvements," Comput. Security, vol. 8. no. 8, pp. 675-689, 1989.
8. D. C. Feldmeier and P. R. Karn. "UNIX password security - ten years later." in Advances in Cryptology - CRYPTO'89 Proc., 1990, pp. 44-63.
9. [9| M. Bishop and D. V. Klein, "Improving system security via proactive password checking," Comput. Security, vol. 14, no. 3, pp. 233-249. 1995.
10. J. Bunnell. J. Podd, R. Henderson, R. Napier, and J. Kennedy-Moffat, "Cognitive, associative, and conventional passwords: Recall and guessing rates," Comput. Security, vol. 16, no. 7, pp. 645-657, 1997.
11. S. M. Furnell, P. S. Dowland. H. M. Illingworth, and P. L. Reynolds. "Authentication and supervision: A survey of user attitudes," Comput. Security, vol. 19, no. 6, pp. 529-539, 2000.
12. R. Pond, J. Podd, J. Bunnell, and R. Henderson, "Word association computer passwords: The effect of formulation techniques on recall and guessing rates," Comput. Security, vol. 19. no. 7, pp. 645-656. 2000.
13. R. E. Smith, Authentication. From Passwords to Public Keys. Reading, MA: Addison-Wesley. 2002, pp. 255-284.
14. A. Jain. R. Bolle, and S. Pankanti, Eds., Biometrics: Personal Identification in Networked Society. Dordrecht, The Netherlands: Kluwer. Nov. 1998.
15. Computer (Special Issue on Biometrics: The future of identification), vol. 33, no. 2, pp. 46-80, Feb. 2000.
16. R. M. Bolle. J. H. Connell. S. Pankanti. N. K. Ratha, and A. W. Senior. Guide to Biometrics: Selection and System Design. New York: Springer-Verlag, 2003.
17. R. Anderson, Security Engineering. New York: Wiley. 2001, pp. 384, 398-399.
18. W. Stallings, Cryptography and Network Security: Principles and Practice, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall. 1999, p. 490.
19. B. Schneier, Applied Cryptography. New York: Wiley, 1996, pp. 429-459.
20. K. P. Weiss, "Method and apparatus for positively identifying an individual," U.S. Patent 4 720 860, Jan. 19, 1988.
21. L. O'Gorman, "Seven issues with human authentication technologies." in Proc. IEEE Workshop Automatic Identification Advanced Technologies, 2002, pp. 185-186.
22. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. "Impact of artificial gummy fingers on fingerprint systems," Proc. SPIE, vol. 4677, pp. 275-289, 2002.
23. N. K. Ratha, J. H. Connell, and R. M. Bolle, "Enhancing security and privacy in biometrics-based authentication systems." IBM Syst. J.. vol, 40, no. 3, pp. 614-634. 2001.
24. S. M. Bellovin and M. Merritt, "Encrypted key exchange: Password-based protocols secure against dictionary attacks." in Proc. 1992 IEEE Computer Society Conf. Research Security and Privacy. 1992. pp. 72-84.
25. L. Gong. M. A. Lomas, R. M. Needham, and J. H. Saltzer, "Protecting poorly chosen secrets from guessing attacks," IEEE J. Select. Areas Commun., vol. 11, pp. 648-656, June 1993.
26. T. Wu, "The secure remote password protocol," in Proc. 1998 Internet Society Network and Distributed System Security Symp., pp. 97-111.
27. S. Pankanti, S. Prabhakar, and A. K. Jain, "On the individuality of fingerprints," IEEE Trans. Pattern Anal. Machine Intell., vol. 24, pp. 1010-1025, Aug. 2002.
28. Common Criteria for Information Technology Security Evaluation, Part 2, Security Functional Requirements (1999, Aug.). [Online], Available: http://www.commoncriteria.org/docs/PDF/CC-PART2V21.PDF
29. S. M. Matyas Jr. and J. Stapleton, "A biometric standard for information management and security," Comput. Security, vol. 19, no. 5, pp. 428-441, 2000.
30. B. Schneier. (1998, Aug.) Biometrics: Truths and fictions. Crypto-Gram [Online] Available: http://www.counterpane.com/ crypto-gram-9808.html
31. R. Germain, A. Califano, and S. Colville, "Fingerprint matching using transformation parameter clustering," IEEE Comput. Sci. Eng. Mag., vol. 4, pp. 42-49, Oct.-Dec. 1997.
32. J. L. Wayman, "Error-rate equations for the general biometric system," IEEE Robot. Automat. Mag., vol. 6, pp. 35-48. Mar. 1999.
33. C. Rigney, S. Willens, A. C. Rubens, and W. A. Simpson. (2000, June) Remote Authentication Dial in User Service (RADIUS). Internet Engineering Task Force. [Online]. Available: http://www.ietf.org/rfc/rfc2865.txt?number=2865
34. U. D. Black, Internet Security Protocols: Protecting IP Traffic. Englewood Cliffs, NJ: Prentice-Hall, 2000, pp. 113-121.
35. R. Rivest and S. Dusse. (1992, Apr.) The MD5 Message-Digest Algorithm. Internet Engineering Task Force. [Online]. Available: http://www.ietf.org/rfc/ rfc1321.txt?number=1321
36. J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An authentication service for open network systems," in Proc. Winter USENIX Conf., 1988, pp. 191-201.
37. J. Kohl and C. Neuman. (1993, Sept.) The Kerberos Network Authentication Service (V5). Internet Engineering Task Force. [Online], Available: http://www.ietf.org/rfc/rfc1321.txt?number=1321
38. R. M. Needham and M. D. Schroeder, "Using encryption for authentication in large networks of computers," Commun. ACM, vol. 21, no. 12. pp. 993-999, Dec. 1978.
39. J. Taschek. (2002, June) Liberty alliance or passport?. eWeek [Online]. Available: http://www.eweek.com/article2/ 0,3959,266840,00.asp
40. P. Hallam-Baker and E. Maler, Eds., (2002, May) Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML). [Online]. Available: http://www.oasis-open.org/committees/security/docs/cs-sstc-core-01.pdf
41. C. E. Shannon. (1948, July, Oct.) A mathematical theory of communication. Bell Syst. Tech. J. [Online], pp. 379-423. Available: http://cm.bell-labs.com/ cm/ms/what/shannonday/paper.html
42. D. R. Stinson. Cryptography Theory and Practice, 2nd ed. London, U.K.: Chapman & Hall/CRC, 2002.
43. "Secure Hash Standard," U.S. Dept. Commerce, Nat. Inst. Sci. Technol. (NIST), FIPS Pub. 180-1, Apr. 1995.
44. R. M. McCabe. ANSI/NIST-ITL 1-2000 Data Format for the Interchange of Fingerprint, Facial, and Scar Mark & Tattoo (SMT) Information. [Online]. Available: ftp://sequoyah.nist.gov/pub/nist_internal_reports/sp500-245-a16.pdf
45. R. Shirey, "Internet Security Glossary," Internet Engineering Task Force, RFC 2828, May 2000.
46. User Authentication With Windows NT (2001, Aug.). [Online]. Available: http://support.microsoft.com/default. aspx?scid=kb%3ben-us%3b102 716
47. M. Howard, Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000, pp. 407-421.
48. Oxford English Dictionary, 2nd ed. London, U.K.: Oxford Univ. Press, 2002.
49. R. Derakhshani, S. Schuckers, L. Hornak, and L. O'Gorman, "Determination of vitality from a noninvasive biomedical measurement for use in fingerprint scanners," Pattern Recogn., vol. 36, no. 2, pp. 383-396, Feb. 2003.
50. Q. Li, B.-H. Juang, Q. Zhou, and C.-H. Lee, "Automatic verbal information verification for user authentication," IEEE Trans. Speech Audio Processing, vol. 8, pp. 585-596, Sept. 2000.
51. L. Rabiner and B.-H. Juang, Fundamentals of Speech Recognition. Englewood Cliffs, NJ; Prentice-Hall, 1993.
52. R. L. van Renesse, Optical Document Security. Norwood, MA: Artech House, 1994.
53. A. Martin and M. Przybocki, "The NIST 1999 speaker recognition evaluation - An overview." Dig. Signal Process., vol. 10, no. 1-3, pp. 1-18, 2000.
54. D. M. Blackburn, J. M. Bone, and P. J. Phillips. (2001, Feb.) FRVT 2000 Evaluation Report. [Online]. Available: www.dodcounterdrug.com/ facialrecognition/DLs/FRVT_2000.pdf
55. D. Maio, D. Maltoni, R. Cappelli, J. L. Wayman, and A. K. Jain, "FVC2000: Fingerprint Verification Competition," IEEE Trans. Pattern Anal. Machine Intell., vol. 24, pp. 402-412, Mar. 2002.
56. T. Mansfield, G. Kelly, D. Chandler, and J. Kane. (2001, Mar.) Biometric Product Testing Final Report. [Online]. Available: www.cesg.gov.uk/technology/ biometrics