Criteria to evaluate Automated Personal Identification Mechanisms

Computers and Security

Volumn 27, Issue 7-8, 2008, Pages 260-284

  Palmer, Anthony J ^a  

^a UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

Accessibility; Automated Personal Identification Mechanism; Biometric identification; Biometric verification; Privacy; Reliability; Risk; Usability; User authentication; Vulnerabilities

Indexed keywords

AUTOMATION; BIOMETRICS; COMPUTER SYSTEMS; RISK ANALYSIS; RISK MANAGEMENT;

ACCESSIBILITY; AUTOMATED PERSONAL IDENTIFICATION MECHANISM; BIOMETRIC IDENTIFICATION; BIOMETRIC VERIFICATION; PRIVACY; USABILITY; USER AUTHENTICATION; VULNERABILITIES;

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

EID: 55649096177     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2008.07.007     Document Type: Article

References (101)

1. Adams A., and Blandford A. Bridging the gap between organizational and user perspectives of security in the clinical domain. International Journal of Human Computer Studies 63 1-2 (2005) 175-202
2. Adams A., and Sasse M.A. Users are not the enemy: Why users compromise computer security mechanisms and how to take remedial measures. Communications of the ACM 42 12 (1999) 41-46
3. Al-Khouri A.M. UAE National ID programme case study. International Journal of Social Sciences 1 2 (2007)
4. Allendoerfer K.R. Human factors considerations for passwords and other user identification techniques, part 1: literature review and analysis, document reference DOT/FAA/CT-05/20 (2005), Federal Aviation Administration, U.S. Department of Transportation. http://hf.tc.faa.gov/technotes/dot_faa_ct_05_20.pdf [accessed April 2007]
5. Allendoerfer K.R. Human factors considerations for passwords and other user identification techniques, part 2: field study, results and analysis, document reference DOT/FAA/TC-06/09 (2006), Federal Aviation Administration, U.S. Department of Transportation. http://hf.tc.faa.gov/technotes/dot_faa_tc_06_09.pdf [accessed April 2007]
6. Anderson R. Security engineering - a guide to building dependable distributed systems (2001), John Wiley & Sons Inc
7. Andronikou V., Demetis D.S., and Varvarigou T. Biometric implementations and the implications for security and privacy (2007). http://journal.fidis.net/fileadmin/journal/issues/1-2007/Biometric_Implementations_and_the_Implications_for_Security_and_Privacy.pdf [accessed April 2008]
8. Australian Government. Dealing with identity theft (2006). http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(03995EABC73F94816C2AF4AA2645824B)∼ID+Theft+DL+Booklet+Final+Art.pdf/$file/ID+Theft+DL+Booklet+Final+Art.pdf [accessed April 2008]
9. Baddeley A. What is autobiographical memory?. In: Conway M.A., Rubin D.C., Spinnler H., and Wagenaar W.A. (Eds). Theoretical perspectives on autobiographical memory (1992), Kluwer Academic Publishers
10. Bernard R. Information lifecycle security risk assessment: a tool for closing security gaps. Computers & Security 26 1 (2007) 26-30
11. Bhargav-Spantzel A., Squicciarini A.C., and Bertino E. Establishing and protecting digital identity in federated systems. Journal of Computer Security 14 (2006) 269-300
12. Biometric Evaluation Methodology Working Group. Common methodology for information technology security evaluation. Biometric evaluation methodology supplement version 1.0 (2002). http://www.cesg.gov.uk/site/ast/biometrics/media/BEM_10.pdf [accessed April 2008]
13. Boehner K., DePaula R., Dourish P., and Sengers P. How emotion is made and measured. International Journal of Human-Computer Studies 65 (2007) 275-291
14. Brostoff S., and Sasse M.A. Ten strikes and you're out: increasing the number of login attempts can improve password usability approach to usable and effective security. BT Technology Journal 19 3 (2001) 122-131
15. Bundesamt für Sicherheit in der Informationstechnik. Technical guideline TR-03110 advanced security mechanisms for machine readable travel documents - extended access control, version 1.10 (2007). http://www.bsi.bund.de/fachthem/epass/EACTR03110_v110.pdf [accessed April 2008]
16. Clarke R. Identification and authentication fundamentals (2004). http://www.anu.edu.au/people/Roger.Clarke/DV/IdAuthFundas.html [accessed April 2008]
17. Commission of the European Union. Commission decision establishing the technical specifications on the standards for security features and biometrics in passports and travel documents issued by member states, reference C. 28th June 2006 (2006). http://eur-lex.europa.eu/LexUriServ/site/en/oj/2004/l_385/l_38520041229en00010006.pdf [accessed April 2008]
18. Common Criteria, arrangement on the recognition of common criteria certificates in the field of information technology security (2000). http://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf [accessed April 2008]
19. Common Criteria, common methodology for information technology security evaluation, introduction and general model part 1 - version 3.1 revision 1 (2006). http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R1.pdf [accessed April 2008]
20. Cotroneo D., Graziano A., and Russo S. Security requirements in service oriented architecture for ubiquitous computing. Second workshop on middleware for pervasive and ad-hoc computing vol. 77 (2004), ACM Press 172-177
21. Coventry L., De Angeli A., and Johnson G. Honest it's me: self service verification (2003). http://www.andrewpatrick.ca/CHI2003/HCISEC/hcisec-workshop-coventry.pdf [accessed April 2008]
22. De Angeli A., Coventry L., Johnson G., and Coutts M. Usability and user authentication: pictorial passwords verses PIN (2003). http://www.informatics.manchester.ac.uk/∼antonella/files/Pdf/USABILITY%20AND%20USER%20AUTHENTICATION%20PICTORIAL%20PASSWORDS%20VS%20PIN.pdf [accessed April 2008]
23. Denning D. Information warfare and security (1999), ACM Press
24. Dourish P, Delgado de la Flor J, Joseph M. Security as a practical problem: some preliminary observations of everyday mental models, 2003 http://www.andrewpatrick.ca/CHI2003/HCISEC/hcisec-workshop-dourish.pdf.
25. Fåk V. Computer verification of human users' identity: a theoretical model and some evaluation criteria. Computers & Security 10 7 (1991) 626-636
26. Federal Information Processing Standard Publications. Guidelines on evaluation techniques for automated personal identification vol. 48 (1977), US National Institute of Standards and Technology
27. Federal Information Processing Standard Publications. Guidelines on the use of advanced authentication technology alternatives vol. 190 (1994), US National Institute of Standards and Technology. http://www.itl.nist.gov/fipspubs/fip190.htm [accessed April 2008]
28. Federal Information Processing Standard Publications. Personal identity verification of federal employees and contractors. 201-1 (2006), US National Institute of Standards and Technology. http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf [accessed April 2008]
29. Flechais I., Sasse M.A., and Hailes S.M.V. Bringing security home: a process for developing secure and usable systems. Proceedings of the 2003 workshop on new security paradigms workshop (2003), ACM Press 49-57
30. General Accounting Office of United States. Information security challenges in using biometrics, statement of K.A. Rhodes chief technologist. Applied research and methods, GAO-03-1137T (2003). http://www.gao.gov/new.items/d031137t.pdf [accessed April 2008]
31. Gerber M., and von Solms R. Management of risks in the information age. Computers & Security 24 (2005) 16-30
32. Germain R. Large scale systems in biometrics. In: Jain A, Bolle R, Pankanti S, editors. Personal identification in a networked society 1999. Kluwer Academic Publishers.
33. Grinter R.E., and Smetters D.K. Three challenges for embedding security into applications. CHI 2003 workshop on human-computer interaction and security systems (2003). http://www.parc.com/research/publications/files/4886.pdf [accessed April 2008]
34. Hamadi R. Identity theft (2004), Vision Paperbacks
35. Homeland security presidential directive, policy for a common identification standard for federal employees and contractors, directive 12 (2004). http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html [accessed April 2008]
36. Hoofnagle C. Measuring identity theft at top banks. Paper 44 (2008), Berkeley Center for Law and Technology. http://repositories.cdlib.org/bclt/lts/44 [accessed April 2008]
37. International Civil Aviation Organisation, Machine readable travel documents, technical report, development of a logical data structure for optical capacity expansion technologies, revision 1.7; 2004a.
38. International Civil Aviation Organisation, Machine readable travel documents, technical report, PKI for machine readable travel documents offering ICC read-only access, version 1.1; 2004b.
39. International Civil Aviation Organisation. Machine readable travel documents, document number 9303. Part 1. Specifications for electronically enabled passports with biometric identification capability vol. 2. (2006). http://mrtd.icao.int/content/view/33/202/ [accessed April 2008]
40. ISO/IEC 15408-1. Information technology security techniques - evaluation criteria for IT security, part 1: introduction and general model; 2005.
41. ISO/IEC 19785-1. Information technology - common biometric exchange formats framework, part 1; 2006.
42. ISO/IEC 27001. Information technology - security techniques - information security management systems - requirements; 2005.
43. ISO/IEC 27002. Information technology - information techniques - code of practice for information security management; 2005.
44. ISO/IEC 7816-4. Identification cards - integrated circuits cards, organization, security and commands for interchange; 2005.
45. ITU-T. Identity Management Global Standardisation Initiative (2008). http://www.itu.int/ITU-T/gsi/idm/ [accessed April 2008]
46. Jain A.K., Bolle R., and Pankanti S. Introduction to biometrics. In: Jain A.K., Bolle R., and Pankanti S. (Eds). Biometrics: personal identification in a networked society (1999), Kluwer Academic Publishers 1-41
47. Johnson J., Eloff J.H.P., and Labuschagne L. Security and human computer interfaces. Computers & Security 22 8 (2003)
48. Juels A, Molnar D, Wagner D. Security and privacy issues in e-passports. In: Proceedings of the first international conference on security and privacy for emerging areas in communications networks; 2005. p. 74-88.
49. Kanungo S. Identity authentication in heterogeneous computing environments: a competitive study for an integrated framework. Computers & Security 13 3 (1994) 231-253
50. Karger P.A. Privacy and security threat analysis of the federal employee personal identity verification (PIV) program. Proceedings of the second symposium on usable privacy and security (SOUPS), Pittsburgh (2006), ACM Press 114-121
51. King MM. Rebus passwords. In: Proceedings of the seventh annual computer security applications conference; 1991. p. 239-43.
52. Krishnamurthy B., Malandrino D., and Wills C.E. Measuring privacy loss and the impact of privacy protection in web browsing. Symposium on usable privacy and security (2007). http://cups.cs.cmu.edu/soups/2007/proceedings/p52_krishnamurthy.pdf [accessed April 2008]
53. Krstić I., and Garfinkel S.L. Bitfrost: the one laptop per child security model. Symposium on usable privacy and security (2007). http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf [accessed April 2008]
54. Leech J. Improving user security behaviour. Computers & Security 22 8 (2003) :685-92.
55. London School of Economics and Political Science. Identity project - all party briefing: nothing to hide, nothing to fear (2006). http://identityproject.lse.ac.uk/nothingtohide.pdf
56. Mansfield A.J., and Wayman J.L. Best practices in testing and reporting performance of biometric devices version 2.01 (August 2002), UK National Physical Laboratory and San Jose State University, Centre for Mathematics and Scientific Computing National Physical Laboratory, UK. http://www.cesg.gov.uk/site/ast/biometrics/media/BestPractice.pdf [accessed April 2008]
57. Matsumoto T., Matsumoto H., Yamada K., and Hoshino S. Impact of artificial "gummy" fingers on fingerprint systems. Proceedings of international society for optical engineering. Optical security and counterfeit deterrence techniques vol. 4677 (2002) 275-289. http://www.lfca.net/Fingerprint-System-Security-Issues.pdf [accessed April 2008]
58. McClure S., Scambray J., and Kurtz G. Hacking exposed: network security secrets and solutions (1999), Osborne McGraw-Hill
59. Mitnick K.D., Simon W.L., and Simon W. The art of deception: controlling the human element of security (2002), John Wiley & Sons, Inc, New York, NY
60. National Institute of Standards and Technology. Special publication 800-55: security metrics guide for information technology systems (2003). http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf [accessed April 2008]
61. National Institute of Standards and Technology. Special publication 800-64 Rev.1, security considerations in the information system development life cycle (2004). http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf [accessed April 2008]
62. Neumann P.G. Computer related risks (1995), Addison-Wesley
63. New Zealand Government, Department of Internal Affairs. Evidence of Identity Standard (2006). http://www.dia.govt.nz/diawebsite.nsf/Files/EOIStandard/$file/EOIStandard.pdf [accessed April 2008]
64. Newell A. Unified theories of cognition (1990), Harvard University Press
65. Norman D.A. The psychology of everyday things (1988), Basic Books
66. Office of Government Commerce, United Kingdom. Management of risk: guidance for practitioners (2007), The Stationery Office
67. Patrick A.S., Long A.C., and Flinn S. HCI and security systems. CHI 2003 conference proceedings, Fort Lauderdale (2003), National Research Council Canada, Institute of Information Technology
68. Peltier T.R., Peltier J., and Blackley J. Information security fundamentals (2005), CRC Press LLC
69. Peltier T.R. Information security risk analysis (2001), CRC Press LLC
70. Piazzalunga U., Salvaneschi P., and Coffetti P. The usability of security devices. In: Cranor L.F., and Garfinkel S. (Eds). Security and usability (2005), O'Reilly Media Inc
71. Raskin J. The humane interface: new directions for designing interactive systems (2000), ACM Press
72. Renaud K. Quantifying the quality of web authentication mechanisms - a usability perspective. Journal of Web Engineering 3 2 (2004) 95-123
73. Renaud K. Evaluating authentication mechanisms. In: Cranor L.F., and Garfinkel S. (Eds). Security and usability (2005), O'Reilly Media Inc
74. Rutherford A., and Wilson J.R. Searching for mental models in human-machine systems. Models of the mind: theory perspective and applications (1992), Academic Press Ltd
75. Sasse M.A., Brostoff S., and Weirich D. Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security. BT Technology Journal 19 3 (2001) Netherlands: Springer
76. Sasse M.A. Computer security: anatomy of a usability disaster, and a plan for recovery (2003). http://www.andrewpatrick.ca/CHI2003/HCISEC/hcisec-workshop-sasse.pdf [accessed April 2008]
77. Shneiderman B. Designing the user interface: strategies for effective-human computer interaction (1998), Addison Wesley Longman Inc
78. Siegel C.A., Sagalow T.R., and Serritella P. Cyber-risk management: technical and insurance controls for enterprise-level security. In: Tipton H.F., and Krause M. (Eds). Information security management handbook (2003), CRC Press LLC
79. Smith R.E. Authentication: from passwords to public keys (2002), Addison-Wesley
80. Stevens T. Identity, identity, identity. Enterprise Security (2007), British Computer Society. http://www.bcs.org/server.php?show=conWebDoc.11113 [accessed April 2008]
81. Stoll C. The Cuckoo's egg (1991), Pan Books Ltd, London
82. Teltzrow M., and Kobsa A. Impacts of user privacy preferences on personalised systems - a comparative study (2004). http://www.ics.uci.edu/∼kobsa/papers/2004-PersUXinECom-kobsa.pdf [accessed April 2008]
83. Toledano D.T., Pozo R.F., Trapote A.H., and Gomez L.H. Usability evaluation of multi-modal biometric verification systems. Interacting with Computers 18 (2006) 1101-1122
84. Toure M. Intelligent framework for security. In: Rzevski G., Adey R.A., and Russell D.W. (Eds). Proceedings of the ninth international conference on applications of artificial intelligence in engineering (1994), Computer Mechanical Publications, Southampton
85. UK Biometrics Working Group. Use of Biometrics for identification and authentication - advice on product selection (2002), The UK Office of the E-Envoy, UK Government Cabinet Office. http://www.cesg.gov.uk/site/ast/biometrics/media/BiometricsAdvice.pdf [accessed April 2008]
86. UK Government, House of lords science and technology committee. Personal internet security. Report vol. 1 (2007), Authority of the House of Lords, The Stationery Office Limited, London. http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf [accessed April 2008]
87. US Federal Trade Commission. 2006 identity theft survey report (2006). http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf [accessed April 2008]
88. Vielhauer C. Biometric user authentication for IT security: from fundamentals to handwriting (2006), Springer Science & Business Media
89. Warfel G.H. Identification technologies: computer, optical and chemical aids to personal ID (1979), Charles C Thomas
90. Wayman J., Jain A., Maltoni D., and Maio D. An introduction to biometric authentication systems. In: Wayman J., Jain A., Maltoni D., and Maio D. (Eds). Biometric Systems: technology, design and performance (2005), Springer-Verlag London Limited
91. Weingart SH, White SR, Arnold WC, Double GP. An evaluation system for the physical security of computing systems. In: Sixth Annual Computer Security Applications Conference. 1990, p. 232-43.
92. Weirich D, Sasse MA. Persuasive password security. In: Conference on human factors in computing systems, CHI '01 extended abstracts on human factors in computing systems; 2001. p. 139-40.
93. Whittaker J.A. How to break software security: effective techniques for security testing (2004), Pearson Education Inc
94. Whitten A, Tygar JD. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In: Proceedings of the eighth USENIX security symposium; 1999.
95. Woodward Jr. J.D., Orlans N.M., and Higgins P.T. Biometrics: identity assurance in the information age (2003), McGraw-Hill/Osborne
96. Yan J., Blackwell A., Anderson R., and Grant A. The memorability and security of passwords. In: Cranor L.F., and Garfinkel S. (Eds). Security and usability (2005), O'Reilly Media Inc
97. Ye Z., Smith S., and Anthony D. Trusted paths for browsers. ACM Transactions on Information and System Security 8 2 (2005) 153-186
98. Yee K.P. User interaction design for secure systems (2000). http://people.ischool.berkeley.edu/∼ping/sid/uidss.pdf [accessed April 2008]
99. Yee K.P. Secure interaction design and the principle of least authority. CHI 2003 workshop on human-computer interaction and security systems (2003). http://www.andrewpatrick.ca/CHI2003/HCISEC/hcisec-workshop-yee.pdf [accessed April 2008]
100. Zetter K. Scan this guy's e-passport and watch your system crash (2007). http://www.wired.com/print/politics/security/news/2007/08/epassport [accessed April 2008]
101. Zurko ME. User-centred security: stepping up to the grand challenge. In: Proceedings of the 21st annual computer security applications conference; 2005, p. 187-202.