2. Authentication (6)

Identifying Basic Authentication & Authorization Concepts
Dr. Risala Tasin Khan
Overview
Authentication
❖ It is the process of ascertaining that somebody really is who he
(or she) claims to be.
❖ Authentication = login + password (who you are).
Authorization
• It refers to rules that determine who is allowed to do what; that is, what
level of access a particular authenticated user should have to secured
resources controlled by the system.
• For example, Asif may be authorized to create and delete databases,
while Rasel is only authorized to read.
Another example: a database management system might be designed so as to
provide certain specified individuals with the ability to retrieve information
from a database but not the ability to change data stored in the database, while
giving other individuals the ability to change data.
Authorization systems provide answers to the questions:
o Is user X authorized to access resource R?
o Is user X authorized to perform operation P?
o Is user X authorized to perform operation P on resource R?
Authorization = permissions (what you are allowed to do).
Some Common Terms
Password

• The combination of user name and password is one of the most basic and widely used authentication schemes.
• In this type of authentication the user’s credentials are checked against the credentials stored in a database.
• If the user’s name and password match the database entry, the user is authenticated.
• If not, the user is denied access.
• This method may not be very secure, as it doesn’t necessarily identify the correct user.
Token
• Tokens are physical or virtual objects such as smart cards, ID badges, or data packets that store authentication information.
• Tokens can store a personal identification number (PIN), information about users, or passwords.
• A unique token value can be generated using special devices or software in response to a challenge from an authentication server, or by using an independent algorithm.
Smart Card
• Smart cards are a common example of token based
authentication.
• A smart card is a plastic card containing an embedded
computer chip that can store different types of electronic
information.
• The content of a smart card can be read with a smart
card reader.
Biometrics
• Biometrics are authentication schemes based on the identification of individuals by their physical characteristics.
• This can involve a fingerprint scanner, a retinal scanner, a hand geometry scanner, and voice recognition and facial recognition software.
Geolocation
• With more and more mobile devices connecting to networks,
geolocation provides an extra level of authentication.
• Users who are attempting to authenticate from an approved location
can be granted network access.
• Internet and computer geolocation can be performed by associating
a geographic location with an internet protocol (IP) address, RFID,
embedded hardware or software number, Wi-Fi position system,
GPS coordinates, or other information.
• Geolocation usually works by looking up a host’s IP address in a geolocation database and retrieving the registrant’s country, region, city name and other information.
• Once a physical location is identified, it can be compared to a list of locations that are approved (or restricted) for network access, and access to the resources can be granted accordingly.
• Conversely, if a network attack originates from a particular country, packets originating from IP addresses physically located in that country could be automatically dropped during that attack period.
TYPES OF AUTHENTICATION
Data Origin or Message Authentication
Data-origin or Message authentication:
❑ Message or data authentication is a procedure
that allows communicating parties to verify that
received or stored messages are authentic.
❑ A message, file, document, or other collection of
data is said to be authentic when it is genuine
and came from its alleged source.
❑ The two important aspects of message
authentication are to verify that the contents of
the message have not been altered and that the
source is authentic.
Entity Authentication
❑ Entity authentication is a technique designed to
let one party prove the identity of another party.
For example, a student who needs to access her university resources needs to be authenticated during the login process.
❑ An entity can be a person, a process, a client, or
a server.
❑ The entity whose identity needs to be proved is
called the claimant; the party that tries to prove
the identity of the claimant is called the verifier.
Keystroke Authentication
• Keystroke authentication is a type of authentication
that relies on detailed information that describes
exactly when a keyboard key is pressed and
released as someone types information into a
computer or other electronic device.
• Each user has certain techniques, rhythms and
patterns when it comes to typing on a keyboard
and these can be recorded and measured to
compare against future keystrokes.
• Keystroke authentication requires the use of a
keystroke logger and other measurements such as
when a key is pressed and released, the interval
between a key release and the next key being
pressed and so on.
• Some consider keystroke authentication an extension of biometrics.
Multi-factor Authentication
• Multi-factor authentication is any authentication scheme that requires validation of two or more authentication factors.
• It can be any combination of who you are, what you have, what you know, where you are and what you do.
• Requiring a physical ID card along with a secret password is an example of multi-factor authentication.
• Another example: a user must enter a validation code received by mobile text message, after giving his password, to get into his email.
• Multi-factor authentication requires the factors to be
different, not just the specific objects or methods.
Mutual Authentication
• Mutual authentication is a security mechanism that requires each party in a communication to verify the other’s identity.
• A service or a resource verifies the client’s credential and the client verifies the resource’s credential.
• Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server.
• Mutual authentication helps avoid man-in-the-middle and session hijacking attacks.
Message Authentication
A message can be authenticated either by-
1) Message Authentication Code (MAC)
2) Hash Function

Slide-8
Message Authentication using MAC
MAC is a technique for message authentication.
❖ A message authentication code (MAC) is a short piece of
information that is appended to the message to be sent
for authentication.
❖ A MAC algorithm accepts a secret key and a message to
be authenticated.
❑ It outputs a MAC, which is sometimes called a tag.
❖ The MAC value protects both a message's integrity and its authenticity by allowing verifiers (who also possess the same secret key) to detect any changes to the message content.
Message Authentication using MAC
This technique assumes that two communicating parties, say Alice and Bob, share a common secret key K_AB. When Alice has a message to send to Bob, she calculates the message authentication code as a complex function of the message and the key: MAC_M = F(K_AB, M).
The process of creating the MAC value and verifying the integrity of the message is outlined below:
Sender Site
1. Sender generates a message.
2. He/she then creates a “MAC or Tag” of the message using the MAC algorithm (note that the MAC algorithm accepts two inputs: a secret key shared between the communicating parties and the message that is to be sent).
3. Sender attaches the MAC code to the end of the message that is to be sent.
4. The sender sends the attached message to the recipient.
5. The sender encrypts the attached message with the recipient’s public key and sends it to the recipient.
Receiver Site
6. After receiving, the recipient decrypts the entire message with his/her private key.
7. The recipient detaches the message and MAC code.
8. He/she creates a “MAC or Tag” of the received message using the same MAC algorithm the sender used.
9. The recipient then compares the two MACs. If they are equal, the message is accepted, otherwise it will be rejected.
Figure: Illustration of message authentication using MAC
Message Authentication Code (MAC)
If we assume that only the receiver and the sender know
the identity of the secret key, and if the received code
matches the calculated code, then-
1. The receiver is assured that the message has not been
altered.
❑ If an attacker alters the message but does not alter the code, then
the receiver’s calculation of the code will differ from the received
code.
❑ Because the attacker is assumed not to know the secret key, the
attacker cannot alter the code to correspond to the alterations in
the message.
2. The receiver is assured that the message is from the alleged sender.
❑ Because no one else knows the secret key, no one else could prepare a message with a proper code.
❑ If the message includes a sequence number, then the receiver can be assured of the proper sequence, because an attacker cannot successfully alter the sequence number.
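As an added example (not code from the slides), the MAC procedure above implemented with HMAC-SHA256 from Python's standard library: Alice computes MAC_M = F(K_AB, M) over a sequence number and the message and appends it; Bob detaches it, recomputes it with the same key and compares. The key K_AB and the messages are constructed for the example, and the public-key encryption of steps 5 and 6 is left out.

```python
import hashlib
import hmac

# Constructed shared secret K_AB for the example; a real key is generated
# randomly once and kept secret by Alice and Bob only.
K_AB = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_LEN = hashlib.sha256().digest_size  # 32-byte MAC ("tag")
SEQ_LEN = 4                             # big-endian sequence number field


def mac(key: bytes, seq: int, message: bytes) -> bytes:
    """MAC_M = F(K_AB, M): HMAC-SHA256 over the sequence number and the message.

    Covering the sequence number lets the receiver detect reordering and
    replay as well as modification of the message text.
    """
    return hmac.new(key, seq.to_bytes(SEQ_LEN, "big") + message, hashlib.sha256).digest()


def sender_attach(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender site, steps 1-3: compute the tag and append it to the message."""
    return seq.to_bytes(SEQ_LEN, "big") + message + mac(key, seq, message)


def receiver_verify(key: bytes, frame: bytes, expected_seq: int):
    """Receiver site, steps 7-9: detach, recompute, compare.

    Returns the message if tag and sequence number check out, otherwise None.
    """
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None
    seq = int.from_bytes(frame[:SEQ_LEN], "big")
    message = frame[SEQ_LEN:-TAG_LEN]
    received_tag = frame[-TAG_LEN:]
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a guessed tag were correct.
    if not hmac.compare_digest(received_tag, mac(key, seq, message)):
        return None          # altered message, altered tag, or wrong key
    if seq != expected_seq:
        return None          # genuine frame, but out of order or replayed
    return message


def tamper(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, modelling a modification without the key."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    frame1 = sender_attach(K_AB, 1, b"Transfer 100 to Bob")          # constructed message
    print(receiver_verify(K_AB, frame1, 1))                           # accepted
    print(receiver_verify(K_AB, tamper(frame1, 13), 1))               # text changed: None
    print(receiver_verify(K_AB, tamper(frame1, len(frame1) - 1), 1))  # tag changed: None
    print(receiver_verify(K_AB, frame1, 2))                           # frame 1 replayed: None
    forged = sender_attach(bytes(32), 2, b"Transfer 900 to Eve")      # made without K_AB
    print(receiver_verify(K_AB, forged, 2))                           # None
```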
Message Authentication using Hash Function
To authenticate a message, an alternative approach to
the MAC is the one-way hash function.
A hash function is a formula or an algorithm that-
❖ takes large data sets of variable length as input, and
❖ returns smaller data sets of fixed length as output.
❑ Since the output is smaller than the input data, a hash function compresses an n-bit message string to create an m-bit string, where n is normally greater than m.
❑ The values returned by a hash function are called hash values, hash codes, hash sums, checksums or message digests (MD).
Unlike the MAC (which takes a secret key and a message as input and produces a tag as output), a hash function does not take a secret key as input.
❖ It only receives the message as input and produces the message digest as output.
❑ The message digest is created in such a way that it is extremely unlikely that some other text will produce the same hash value.
Message Authentication using Hash Function
The process of creating a digital signature and authenticating a message using a hash function is outlined below:
Sender Site
1. Sender generates a message.
2. He/she then creates a “digest” of the message using a cryptographic hash function.
3. Sender encrypts the message digest with his/her private key for authentication. This encrypted message digest is called a digital signature.
4. Sender attaches the digital signature to the end of the message that is to be sent. The message attached with the digital signature is known as a digitally signed message.
5. The sender encrypts the digitally signed message with the recipient’s public key and sends it to the recipient.
Receiver Site
6. After receiving, the recipient decrypts the entire message with his/her private key.
7. The recipient detaches the message and digital signature.
8. He/she creates a “digest” of the received message using the same hash function the sender used.
9. The recipient decrypts the digital signature and finds the “digest” that the sender created.
10. The recipient then compares the two digests. If they are equal, the message is accepted, otherwise it will be rejected.
The processes are illustrated in the figure below.
Figure: Illustration of message authentication using hash function
Verification Categories/ Authentication Factors:
In entity authentication, the claimant must identify herself to the verifier.
This can be done with one of three kinds of witnesses or factors:
❑ Something known/ knowledge factor:
- This is a secret known only by the claimant that can be checked by the verifier.
▪ e.g. password, PIN, secret key, and private key.
❑ Something possessed/ Possession factor:
- This is something that can prove the claimant’s identity.
▪ e.g. passport, driver’s license, ID card, credit card, smart card.
❑ Something inherent/ Inherence factor:
- This is an inherent characteristic of the claimant.
▪ e.g. conventional signature, fingerprints, voice, facial characteristics, retinal pattern, and handwriting.
Types of Authentication based on Factors
Single-Factor Authentication (SFA):
Single-factor authentication is a process for securing access to a
given system, such as a network or website, that identifies the
party requesting access through only one category of
credentials.
❑ The most common example of SFA is password-based
authentication.

Types of Authentication based on Factors
Two-Factor Authentication (2FA):
A 2FA system strengthens security by requiring the user to
provide dual means of identification from separate
authentication categories- one of which is typically a physical
token, such as a card, and the other of which is typically
something memorized, such as a security code.
❑ An automated teller machine (ATM) typically requires two-factor
verification.
❑ To prove that users are who they claim to be, the system requires two
items: an ATM smartcard and the personal identification number (PIN).
❑ In the case of a lost ATM card, the user's accounts are still safe; anyone
who finds the card cannot withdraw money as they do not know the PIN.
❑ The same is true if the attacker has only knowledge of the PIN and does not have the card.
Types of Authentication based on Factors
Three-factor Authentication (3FA):
3FA adds another factor for further difficulty in falsifying
authentication. Typically a biometric trait measurement is
added for the inherence factor.
❑ Some security procedures now require three-factor
authentication, which involves possession of a physical token and
a password, used in conjunction with biometric data, such as
finger scanning or a voiceprint.

Verification by Something Known: Passwords
The simplest and oldest method of entity authentication is
the password-based authentication, where the password is
something that the claimant knows.
A password is used when a user needs to access a system
to use the system’s resources (login).
❖ User has a secret password
❖ System checks password to authenticate user
Each user of the system has a user identification that is
public, and a password that is private.
Issues:
❖ How is password stored?
❖ How does system check password?
❖ How easy is it to guess a password?
❖ Difficult to keep password file secret, so best if it is hard to
guess password even if you have the password file.
Verification by Something Known: Passwords
Kinds of Password Authentication:
Password authentication can be divided into two schemes:
❑ 1st Scheme: Fixed Password
❖ This password is fixed and used always for every communication.
❑ 2nd Scheme: One-time Password
❖ One form of attack on networked computing systems is eavesdropping on network connections to obtain authentication information such as the login IDs and passwords of legitimate users.
❖ Once this information is captured, it can be used at a later time to gain access to the system. One-time password systems are designed to counter this type of attack, called a "replay attack".
❖ The authentication system uses a secret pass-phrase to generate a sequence of one-time (single use) passwords.
Verification by Something Known: Passwords
❑ 1st Scheme: Fixed Password
A fixed password is a password that is used over and over again for
every access.
This scheme has several approaches.
▪ Approach-1: User ID and password file
▪ Approach-2: Hashing the password
▪ Approach-3: Salting the password
▪ Approach-4: Combination of something known and something possessed
❑ 2nd Scheme: One-time Password
A one-time password is a password that is used only once.
This kind of password makes eavesdropping and salting useless.
This scheme also has several approaches.
▪ Approach-1: List of passwords
▪ Approach-2: Sequentially updated password
▪ Approach-3: Sequentially updated password with hash function
Verification by Something Known: Fixed Passwords
First Approach- User ID and Password File:
In the first approach, the system keeps a table (a file) that is sorted by user identification.
To access the system resources, the user sends her user ID and password in plaintext format to the system.
The system uses the user ID to find the corresponding password in the table.
If the password sent by the user matches the password in the table, access is granted; otherwise, it is denied.
Figure below shows this approach.
Figure: User ID and password file
Possible Attacks on Fixed Passwords
Using fixed passwords is subject to several kinds of attacks.
❑ Eavesdropping:
- Eve can watch Alice when she types her password.
❖ Most systems do not show the characters a user types.
- Eavesdropping can take a more sophisticated form. Eve can listen to the line and intercept the message, thereby capturing the password for her own use.
Possible Attacks on Fixed Passwords
❑ Stealing a Password:
- This occurs when Eve tries to steal Alice’s password
physically.
This can be prevented if Alice does not write down the
password and instead she just commits it to memory.
❖ For this reason, the password should be very simple or else
related to something familiar to Alice.
❖ But this makes the password vulnerable to other types of
attacks.

Possible Attacks on Fixed Passwords
❑ Accessing a Password File:
- Eve can hack into the system and get access to the
ID/password file.
- Eve can read the file and find Alice’s password or even
change it.
- To prevent this type of attack, the file can be read/write
protected.
- However, most systems need this type of file to be
readable by the public.

Possible Attacks on Fixed Passwords
❑ Guessing:
- Using a guessing attack, Eve can log into the system and try
to guess Alice’s password by trying different combinations
of characters.
❖ The password is particularly vulnerable if the user is allowed to
choose a short password.
❖ It is also vulnerable if Alice has chosen something trivial, such as
her birthday, her child’s name, or the name of her favorite
actor.
- To prevent guessing, a long random password is
recommended, something that is not very obvious.
❖ However, the use of such a random password may also create
a problem. Because she could easily forget such a password,
Alice might store a copy of it somewhere, which makes the
password subject to stealing.
Verification by Something Known: Fixed Passwords
Second Approach- Hashing the Password:
In the second approach, the system stores the hash of the password instead of the plaintext password in the table (a file) that is sorted by user identification.
Any user can read the contents of the file, but, because the hash function is a one-way function, it is almost impossible to guess the value of the password.
When the password is created, the system hashes it and stores the hash in the password file.
When the user sends her user ID and password, the system creates a hash of the password and then compares the hash value with the one stored in the file.
If there is a match, the user is granted access; otherwise, access is denied.
In this approach, the table (file) does not need to be read protected.
Figure: Hashing the password
Verification by Something Known: Fixed Passwords
Third Approach- Salting the Password:
In the third approach, a random string, called the salt, is concatenated to the password when the password string is created.
The salted password is then hashed.
The ID, the salt, and the hash are then stored in the table (file).
When a user asks for access, the system extracts the salt, concatenates it with the received password, makes a hash out of the result, and compares it with the hash stored in the file.
If there is a match, access is granted; otherwise, it is denied.
Figure: Salting the password
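An added Python example (not from the slides) that puts the second and third approaches side by side: a password file holding plain SHA-256 hashes, and one holding a per-user random salt concatenated with the password before hashing. User IDs and passwords are constructed; the lookup and verification follow the slides' steps, and the `same_password_visible` check shows what a reader of the file learns in each case.

```python
import hashlib
import hmac
import os

SALT_LEN = 16  # bytes of random salt per user


def hash_unsalted(password: str) -> bytes:
    """Second approach: the file stores h(password)."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(salt: bytes, password: str) -> bytes:
    """Third approach: the file stores the salt and h(salt || password).

    The slides describe a plain hash; production systems use a deliberately
    slow key-derivation function here (PBKDF2, scrypt, Argon2), which is a
    further step this example does not show.
    """
    return hashlib.sha256(salt + password.encode()).digest()


class PasswordFile:
    """Table keyed by user ID. Unsalted entries hold (None, hash);
    salted entries hold (salt, hash). The file is assumed world-readable."""

    def __init__(self, salted: bool):
        self.salted = salted
        self.table = {}

    def add_user(self, user_id: str, password: str) -> None:
        # Done once, when the password is created.
        if self.salted:
            salt = os.urandom(SALT_LEN)
            self.table[user_id] = (salt, hash_salted(salt, password))
        else:
            self.table[user_id] = (None, hash_unsalted(password))

    def check(self, user_id: str, password: str) -> bool:
        # Done on every access: look up the entry by user ID, rehash the
        # received password the same way, compare with the stored hash.
        # The constructed dummy entry makes an unknown user ID take about the
        # same time as a known one, so timing does not reveal valid IDs.
        salt, stored = self.table.get(user_id, (bytes(SALT_LEN), bytes(32)))
        if self.salted:
            candidate = hash_salted(salt, password)
        else:
            candidate = hash_unsalted(password)
        return hmac.compare_digest(candidate, stored)


def same_password_visible(pf: PasswordFile, a: str, b: str) -> bool:
    """Can someone who merely reads the file tell that users a and b share a password?"""
    return pf.table[a][1] == pf.table[b][1]


if __name__ == "__main__":
    for salted in (False, True):
        pf = PasswordFile(salted)
        pf.add_user("alice", "correct horse")   # constructed credentials
        pf.add_user("bob", "correct horse")     # same password as alice
        print("salted" if salted else "unsalted",
              pf.check("alice", "correct horse"),          # True
              pf.check("alice", "wrong"),                  # False
              same_password_visible(pf, "alice", "bob"))   # True unsalted, False salted
```

With salts, two users with the same password get different file entries, so a precomputed hash table built for one entry does not apply to the others.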
Verification by Something Known: Fixed Passwords
Fourth Approach- Combination of something known and something possessed:
In the fourth approach, two identification techniques are combined.
A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
Here, the ATM card belongs to the category “something possessed” and the PIN belongs to the category “something known”.
The PIN is a password that enhances the security of the card.
If the card is stolen, it cannot be used unless the PIN is known.
The PIN is very short, so it is easily remembered by the owner; however, this also makes it vulnerable to the guessing type of attack.
Verification by Something Known: One-time Password
First Approach- List of Passwords:
In the first approach, the user and the system agree upon a list of passwords.
Each password on the list can be used only once.
There are some drawbacks to this approach:
▪ The system and the user must keep a long list of passwords.
▪ If the user does not use the passwords in sequence, the system needs to perform a long search to find the match.
This approach makes eavesdropping and reuse of the password useless.
The password is valid only once and cannot be used again.
Verification by Something Known: One-time Password
Second Approach- Sequentially Updated Password:
In the second approach, the user and the system agree to sequentially update the password.
They agree on an original password, P1, which is valid only for the first access.
During the first access, the user generates a new password, P2, and encrypts this password with P1 as the key.
P2 is the password for the second access.
During the second access, the user generates a new password, P3, and encrypts this password with P2 as the key.
P3 is the password for the third access.
And so on.
If Eve can guess the first password (P1), she can find all of the subsequent passwords.
Verification by Something Known: One-time Password
Third Approach- Sequentially Updated Password with Hash Function:
This approach was devised by Leslie Lamport; in it, the user and the system sequentially update the password using a hash function.
In this approach, the user and the system agree upon an original password, P0, and a counter, n.
The system calculates h^n(P0), where h^n means applying a hash function n times (in other words, hashing P0, then hashing the result, and so on, n times in total).
The system stores the identity of Alice, the value of n, and the value of h^n(P0).
When the system receives the response of the user in the third message, it applies the hash function to the value received to see if it matches the value stored in the entry. If there is a match, access is granted; otherwise, it is denied. The system then decrements the value of n in the entry and replaces the old value of the password h^n(P0) with the new value h^(n-1)(P0).
When the user tries to access the system for the second time, the value of the counter it receives is n-1. The third message from the user is now h^(n-2)(P0). When the system receives the message, it applies the hash function to get h^(n-1)(P0), which can be compared with the updated entry.
Verification by Something Known: One-time Password
Third Approach- Sequentially Updated Password with Hash
Function (continue…):
The value of n in the entry is decremented each time there is an access. When the
value of n becomes 0, the user can no longer access the system; everything must be
set up again. For this reason, the value of n is normally chosen as a large number such
as 1000.

Figure below shows how the user accesses the system for the first time.

Figure: Lamport one-time password
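The Lamport scheme described above, as an added Python example that is not code from the slides, with SHA-256 standing in for h: enrollment stores (identity, n, h^n(P0)), the user answers the counter challenge n with h^(n-1)(P0), and the system checks h(response) against its entry, then decrements n and stores the response. P0 and n are constructed, and the three-message exchange is reduced to a counter challenge and a response.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """The one-way hash function h; SHA-256 is used here."""
    return hashlib.sha256(x).digest()


def h_n(p0: bytes, n: int) -> bytes:
    """h^n(P0): apply h to P0 n times (h^0(P0) = P0)."""
    value = p0
    for _ in range(n):
        value = h(value)
    return value


class LamportServer:
    """The system's side: one entry per user holding [n, h^n(P0)]."""

    def __init__(self):
        self.table = {}

    def enroll(self, identity: str, p0: bytes, n: int) -> None:
        # The system stores h^n(P0) and n; P0 itself stays with the user.
        self.table[identity] = [n, h_n(p0, n)]

    def challenge(self, identity: str) -> int:
        """The counter value the system sends to the user (second message)."""
        return self.table[identity][0]

    def login(self, identity: str, response: bytes) -> bool:
        """Third message: the user sends h^(n-1)(P0). Accept iff h(response) == stored."""
        entry = self.table.get(identity)
        if entry is None or entry[0] <= 0:
            return False                  # unknown user, or n reached 0: must be set up again
        n, stored = entry
        if not hmac.compare_digest(h(response), stored):
            return False                  # wrong value, or a replay of an older response
        entry[0] = n - 1                  # decrement the counter
        entry[1] = response               # the new stored value is h^(n-1)(P0)
        return True


def client_response(p0: bytes, n: int) -> bytes:
    """The user's side: answer challenge n with h^(n-1)(P0), computed from the secret P0."""
    return h_n(p0, n - 1)


if __name__ == "__main__":
    server = LamportServer()
    P0 = b"constructed-secret-P0"
    server.enroll("alice", P0, 3)                          # in practice n is large, e.g. 1000
    r1 = client_response(P0, server.challenge("alice"))    # h^2(P0)
    print(server.login("alice", r1))                       # True; entry becomes [2, h^2(P0)]
    print(server.login("alice", r1))                       # False: h(r1) = h^3(P0) != h^2(P0)
    r2 = client_response(P0, server.challenge("alice"))    # h^1(P0)
    print(server.login("alice", r2))                       # True
    r3 = client_response(P0, server.challenge("alice"))    # h^0(P0) = P0
    print(server.login("alice", r3))                       # True; n is now 0
    print(server.challenge("alice"), server.login("alice", P0))  # 0 False: set up again
```

A captured response is useless afterwards because the entry already holds it and h applied to it no longer matches; an eavesdropper cannot compute the next response h^(n-2)(P0) from h^(n-1)(P0) without inverting h.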
Authentication by Inherence Factor
In computer systems, authentication has traditionally been done based on:
▪ something that one has, e.g. passport, driving license, ID card, credit card, smart card,
▪ or something one knows, e.g. PIN, password, passphrase.
Things like passport, credit cards tend to get stolen or lost and passwords
are often forgotten or disclosed.
To achieve more reliable verification or identification, we should use
something that really characterizes the given person.
With the help of biometrics, it is possible to confirm or establish an
individual’s identity based on “who he is”, rather than by “what he
possesses” (e.g., an ID card) or “what he knows” (e.g., a password).
Biometric authentication has grown in popularity as a way to provide
personal identification. It is highly reliable, because physical human
characteristics are much more difficult to forge than security codes,
passwords and hardware keys.
Biometrics offer automated methods of verification or identification based
on the measurable physiological or behavioral characteristics such as a
fingerprint or a voice sample that is unique. These characteristics should
not be duplicable, but it is unfortunately often possible to create a copy
that is accepted by the biometric system as a true sample.
What is Biometrics?
Biometrics is the science and technology of measuring and analyzing
biological data for recognizing a person.
❖ It is an automated measurement of physiological and/or
behavioral characteristics of a human being such as a
fingerprint or a voice sample that can be used to identify an
individual or verify the claimed identity of an individual.
Let us split the definition into its three major components.
These components will determine what is and what is not a biometric, and also its different types and functionalities.
1st Component: Automated Measurement
It means no human intervention or involvement is required. Biometrics are automated in as much as the processes involved in sample acquisition, feature extraction, record retrieval, and algorithm-based matching are computerized or machine-based.
Comparison takes place in real time: the record retrieval and comparison against another measurement must take place in real time.
▪ DNA sampling is not a biometric measurement, because today it still requires human intervention and it is not done in real time.
What is Biometrics?
2nd Component: Physiological and/or Behavioral Characteristics
The second component of the definition determines the two main biometric categories:
1. Behavioral:
▪ The behavioral characteristics measure the movement of a user, when users walk, speak, type on a keyboard or sign their name.
2. Physiological:
▪ The physiological characteristics would be the physical human traits like fingerprints, hand shape, eyes and face, veins, etc.
What is Biometrics?
3rd Component: Identify an Individual or Verify the Claimed Identity
of an Individual
The last component of the definition categorizes the two types of biometric
functionalities.
1. Identification Systems:
❖ Identification (also called search) occurs when the identity of a user is a priori unknown. In this case the user’s biometric data is matched against all the records in the database, as the user can be anywhere in the database or may actually not be there at all.
❖ An example of an Identification system using biometrics would be:
You approach an ATM with no card, no claimed identity, no PIN.
The ATM scans your iris and determines who you are and gives
you the access to your money.

2. Verification Systems:
❖ Verification occurs when the user claims to be already enrolled in
the system (presents an ID card or login name); in this case the
verification biometric data obtained from the user is compared to
the user’s data already stored in the database.
❖ An example of a Verification System using biometrics would be: You approach an ATM and swipe a card or enter an account number. The ATM scans your iris and uses it as a password to authenticate that you are the rightful owner of the card and therefore give you access to your money.
Why Biometric Application?/ Advantages
❑ Biometric authentication is highly reliable
Biometric authentication is highly reliable, because physical human characteristics are unique and much more difficult to forge than the traditional use of security codes or PINs, passwords and hardware keys.
❑ It provides increased security
Tokens such as smart cards, magnetic stripe cards, ID cards, and physical keys can be lost, stolen, duplicated or left at home. Passwords can be forgotten, shared or observed. But biometric data cannot be guessed, stolen or shared among users, therefore providing increased security to a system.
❑ Biometrics relieves the user from the burden of remembering passwords
Nowadays, people are asked to remember a multitude of passwords and Personal Identification Numbers (PINs) for computer accounts, banks, ATMs, e-mail, wireless, phones, websites and so forth. But, in theory, biometrics relieves the user from the burden of having to remember a password, or worse multiple passwords for different systems within an organization.
Why Biometric Application?/ Advantages
❑ Biometrics provides fast, easy, accurate, reliable and less expensive authentication for a variety of applications
Biometrics holds the promise of fast, easy, accurate, reliable and less expensive authentication for a variety of applications.
❑ Some biometric authentication systems are faster
Another advantage of biometric authentication systems may be their speed. The authentication of a habituated user using an iris-based identification system may take 2 (or 3) seconds, while finding your key ring, locating the right key and using it may take some 5 (or 10) seconds.
❑ In large-scale identification systems, biometric applications offer fraud detection and fraud deterrence
In addition to authentication, biometric applications are employed in large-scale identification systems, where they offer two important benefits: fraud detection and fraud deterrence. For example, one person can claim multiple identities, using fraudulent documents, to receive benefits from a public program. Without the use of biometrics, it would be extremely difficult to discover that the person has multiple registrations, considering the large volume of data stored in the system. Biometrics can therefore contribute to fraud detection.
Disadvantages of Biometric Authentication
Biometric authentication systems are better than other identification systems.
❖ So why don’t we use biometrics everywhere instead of passwords or tokens?
❖ Nothing is perfect, and biometric authentication methods also have their own shortcomings.
1. Even if no biometric system is really dangerous, users are occasionally afraid of something they do not know much about. In some countries people do not like to touch something that has already been touched many times (e.g., a biometric sensor), while in some countries people do not like to be photographed or their faces are completely covered.
Disadvantages of Biometric Authentication
3. Biometric systems may violate the user’s privacy.
❖ Biometric characteristics are sensitive data that may contain a lot of personal information. DNA (being the typical example) contains (among others) the user’s predisposition to diseases. This may be a very interesting piece of information for an insurance company.
❖ Body odor can provide information about the user’s recent activities.
❖ It is also said that people with asymmetric fingerprints are more likely to be homosexually oriented, etc.
4. Although good for user authentication, biometrics cannot be used to authenticate computers or messages.
❖ Biometric characteristics are not secret and therefore they cannot be used to sign messages or encrypt documents. If my fingerprint is not secret, there is no sense in adding it to documents we have written. Anyone else could do the same.
Disadvantages of Biometric Authentication
5. Use of biometric systems may also imply loss of anonymity.
❖ While one can have multiple identities when authentication is based
on something the user knows or has, biometric systems can link all
of a user's actions to a single identity.

6. The performance of biometric systems is not ideal.
❖ Biometric systems still need to be improved in terms of accuracy and
speed.
❖ Biometric systems with a false rejection rate (FRR) under 1% are still
rare today. Although a few biometric systems are fast and accurate
enough to allow identification (a 1:N search), most current systems
are suitable for verification (a 1:1 comparison) only, because their
false acceptance rate (FAR) is too high for identification.

Slide-44
Disadvantages of Biometric Authentication
7. The failure-to-enroll (FTE) rate brings up another important
problem. Not all users can use a given biometric system. People
without hands cannot use fingerprint or hand-based systems;
visually impaired people have difficulties using iris- or
retina-based techniques. As not all users are able to use a
specific biometric system, the authentication system must be
extended to handle users falling into the FTE category (typically
with a fallback such as a password or token, which an attacker can
then target instead). This makes the resulting system more
complicated, less secure or more expensive.
8. Even enrolled users can have difficulties using a biometric
system. The failure-to-acquire rate (often grouped with FTE) says
how many of the input samples are of insufficient quality. Data
acquisition must be repeated if the quality of an input sample is
not sufficient for further processing, which is annoying for users.
9. Lack of standards (or ignorance of standards) may also pose a
serious problem. Two similar biometric systems from two different
vendors are not likely to interoperate at present.
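The FAR/FRR trade-off behind points 6 and 7, as an added example that is not part of the original slides. The genuine and impostor score lists are constructed by hand to show the arithmetic (they are not measurements from any real sensor or product); `equal_error_rate` sweeps the decision threshold, and `identification_far` shows why a matcher whose FAR is acceptable for 1:1 verification is not automatically acceptable for a 1:N search, under the stated assumption that the N comparisons are independent.

```python
"""Error rates of a biometric matcher, on constructed match scores.

Added example, not code from the original slides. The genuine and impostor
score lists are constructed by hand to illustrate the arithmetic; they are
not measurements from any real sensor or product.
"""

# Similarity scores in [0, 1] from 1:1 comparisons; higher means "more alike".
# Genuine = same person enrolled vs. presented; impostor = different people.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.76, 0.72, 0.69, 0.61]
IMPOSTOR_SCORES = [0.12, 0.18, 0.22, 0.25, 0.31, 0.35, 0.40, 0.47, 0.55, 0.66]


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor comparisons the matcher
    would accept at this decision threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of genuine comparisons the matcher
    would reject at this decision threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold and return the
    (threshold, FAR, FRR) triple where FAR and FRR are closest; that point
    is the usual single-number summary of a matcher's accuracy."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


def identification_far(far_1to1, gallery_size):
    """FAR of a 1:N identification search that accepts any gallery entry
    scoring above threshold. Assumes (for illustration) that the N
    comparisons are independent, so the chance that none of them is a
    false accept is (1 - FAR)^N."""
    return 1.0 - (1.0 - far_1to1) ** gallery_size


if __name__ == "__main__":
    t, a, r = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER threshold {t:.2f}: FAR={a:.2f} FRR={r:.2f}")
    # A stricter verification setting trades FAR for FRR.
    print(f"threshold 0.70: FAR={far(IMPOSTOR_SCORES, 0.70):.2f} "
          f"FRR={frr(GENUINE_SCORES, 0.70):.2f}")
    # Why a verification-grade matcher is not an identification-grade one.
    for n in (1, 100, 10_000):
        print(f"1:{n} search at 1% FAR per comparison -> "
              f"FAR={identification_far(0.01, n):.4f}")
```

Raising the threshold from the EER point to 0.70 drives FAR on these scores to zero at the cost of doubling FRR, which is the "annoying for users" side of point 8; and at a per-comparison FAR of 1%, a search over a gallery of ten thousand enrolled people is almost certain to return a false hit, which is why the slides place most current systems in the verification-only class.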
Slide-45
Biometric Devices
A biometric device translates personal characteristics into a
digital code (the template) that is compared with the code stored in
the database.
Some biometric devices, by the characteristic they read, include:
▪ Fingerprint Recognition,
▪ Facial Recognition
▪ Hand Geometry,
▪ Iris Scanning,
▪ Retinal Scanning,
▪ Voice Recognition and
▪ Signature Verification

Slide-46
Types of Biometric Technologies
There are two major classifications of biometric technologies,
depending on the number of distinctive characteristics each
technology offers:
❑ Those that do identification and verification, like
▪ Finger scan
▪ Iris scan
▪ Retina scan
▪ Facial scan (optical and infrared)

❑ Those that do verification only, like
▪ Hand Geometry
▪ Voice Print
▪ Keystroke Behavior
▪ Signature

Biometric technologies that do identification and verification
have more distinctive characteristics to work with than the ones
that only do verification.
Slide-47
Biometric Technology: Finger Scan/ Finger Print
A fingerprint is an impression of the friction ridges of all or any
part of the finger.
This is a technology that uses the unique fingerprint patterns
present on the human finger to identify or verify the identity of
the individual.

Several acquisition techniques can be used:
▪ optical scanning
▪ capacitive scanning (silicon chip)
▪ ultrasound scanning
The characteristic features, or minutiae (as they are called), are:
▪ Crossover
▪ Core
▪ Bifurcations
▪ Ridge ending
▪ Island
▪ Delta
▪ Pore

The fingerprint obtained from an optical fingerprint reader is
shown in the figure here.
Figure: Fingerprint Bitmap
Slide-48
Biometric Technology: Finger Scan/ Finger Print
Fingerprint samples like the one shown in the figure above typically
do not have all the minutiae types available; that is desirable but
not always possible.
The traditional fingerprint method uses ink to get the fingerprint
onto a piece of paper, which is then scanned using an ordinary
scanner.
In the modern approach, live fingerprint readers are used. Today we
find many automated fingerprint identification systems (AFIS), made
possible by the high-quality scanners available.
Fingerprints do not change over a lifetime, and no two fingerprints
are exactly alike.
This technique is used mostly for forensic and background checks and
is being used in both logical and physical security.
Features of fingerprint scanners:
▪ Good accuracy
▪ Used for both identification and verification
▪ Low cost
▪ Problems when the skin is too dry or too wet
▪ Problems with dirt
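How a finger-scan system compares two samples once the minutiae have been extracted, as an added example that is not code from the original slides. A template is a list of minutiae (position, ridge direction, type); the matcher has to cope with the finger being placed at a different offset and rotation, and with a partial impression that lost some minutiae. Every coordinate, the jitter values and the tolerances below are constructed for illustration, not taken from a real scan or a vendor's parameters.

```python
"""Minutiae-based fingerprint matching on constructed templates.

Added example, not code from the original slides. A finger-scan system
reduces the image to a list of minutiae (position, ridge direction, type);
matching then compares two such lists rather than the bitmaps. Every
coordinate below is constructed by hand, not extracted from a real scan,
and the tolerances are illustrative choices, not a vendor's parameters.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    x: float        # position in pixels
    y: float
    theta: float    # ridge direction in radians
    kind: str       # "ending" or "bifurcation"


def _rotate_translate(m, dtheta, dx, dy):
    """Rotate a minutia about the origin by dtheta, then shift by (dx, dy)."""
    c, s = math.cos(dtheta), math.sin(dtheta)
    return Minutia(m.x * c - m.y * s + dx, m.x * s + m.y * c + dy,
                   m.theta + dtheta, m.kind)


def _angle_diff(a, b):
    """Smallest absolute difference between two directions, in radians."""
    return abs((a - b + math.pi) % (2 * math.pi) - math.pi)


def _count_pairs(template, aligned_probe, dist_tol, angle_tol):
    """Greedily pair each aligned probe minutia with an unused template
    minutia of the same type within the distance and angle tolerances."""
    used, matched = set(), 0
    for p in aligned_probe:
        for i, t in enumerate(template):
            if i in used or t.kind != p.kind:
                continue
            if (math.hypot(t.x - p.x, t.y - p.y) <= dist_tol
                    and _angle_diff(t.theta, p.theta) <= angle_tol):
                used.add(i)
                matched += 1
                break
    return matched


def match_score(template, probe, dist_tol=12.0, angle_tol=math.radians(15)):
    """Score in [0, 1]: the finger may be placed at any offset and rotation,
    so each same-type (template, probe) pair is tried as the alignment that
    maps the probe onto the template, and the best pairing count wins."""
    best = 0
    for t in template:
        for p in probe:
            if t.kind != p.kind:
                continue
            dtheta = t.theta - p.theta
            c, s = math.cos(dtheta), math.sin(dtheta)
            dx = t.x - (p.x * c - p.y * s)
            dy = t.y - (p.x * s + p.y * c)
            aligned = [_rotate_translate(q, dtheta, dx, dy) for q in probe]
            best = max(best, _count_pairs(template, aligned, dist_tol, angle_tol))
    return best / max(len(template), len(probe))


def verify(template, probe, threshold=0.5):
    """1:1 decision: accept when enough minutiae pair up."""
    return match_score(template, probe) >= threshold


# Constructed enrolment template (six minutiae of two types).
TEMPLATE = [
    Minutia(40, 60, 0.30, "ending"),
    Minutia(85, 52, 1.10, "bifurcation"),
    Minutia(120, 95, 2.00, "ending"),
    Minutia(70, 130, 0.75, "ending"),
    Minutia(150, 140, 2.60, "bifurcation"),
    Minutia(95, 170, 1.40, "ending"),
]

# Constructed re-capture of the same finger: rotated 0.35 rad, shifted
# (15, -8) px, with one minutia lost at the edge of the impression and a
# few pixels of sensor jitter on the rest.
_JITTER = [(1, -1), (-2, 1), (1, 2), (-1, -1), (2, 0)]
GENUINE_PROBE = [
    Minutia(m.x + jx, m.y + jy, m.theta, m.kind)
    for m, (jx, jy) in zip(
        (_rotate_translate(q, 0.35, 15, -8) for q in TEMPLATE[:-1]), _JITTER)
]

# Constructed template from a different finger.
IMPOSTOR = [
    Minutia(20, 20, 0.50, "ending"),
    Minutia(40, 25, 1.20, "bifurcation"),
    Minutia(30, 45, 2.10, "ending"),
    Minutia(200, 200, 0.90, "ending"),
    Minutia(215, 225, 2.80, "bifurcation"),
]

if __name__ == "__main__":
    print("genuine :", round(match_score(TEMPLATE, GENUINE_PROBE), 3),
          verify(TEMPLATE, GENUINE_PROBE))
    print("impostor:", round(match_score(TEMPLATE, IMPOSTOR), 3),
          verify(TEMPLATE, IMPOSTOR))
```

The genuine re-capture scores 5/6 because one minutia was lost, not because the finger moved: trying every anchor pair is what makes the score independent of placement. The impostor can never do better than the single anchor pair it is aligned on, so its score is 1/6. Note that the template itself is just a list of numbers; as point 4 above says, it is a description of the finger, not a secret, so storing and transmitting templates still needs the same protection as any other identity data.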
Slide-49
Biometric Technology: Iris Scan
The iris is the colored area that surrounds the pupil.
It forms during gestation and remains the same for the rest of one's
life.
It is well protected and extremely difficult to modify.
Iris patterns are unique to the individual and are obtained through
a video-based image acquisition system at a distance of 10 to 40 cm
from the camera.
Iris scan measures the unique characteristics (or pattern) of the
iris.
So far, the technology has been successfully implemented in ATMs and
is currently being promoted for desktop usage.
This technique, just like finger scan, is being used in both logical
and physical security.
Once a grayscale image of the eye is obtained, the software tries to
locate the iris within the image.
An image of an iris is shown in the figure below.

Figure: Iris Bitmap

Slide-50
Biometric Technology: Retina Scan
It is based on the blood vessel pattern in the retina of the eye:
the blood vessels at the back of the eye have a unique pattern, from
eye to eye and person to person.
The retina is not directly visible, so a coherent infrared light
source is needed to illuminate it. The infrared energy is absorbed
faster by the blood vessels in the retina than by the surrounding
tissue.
After capture, the image of the retinal blood vessel pattern is
analyzed.
Retina scan requires significantly more effort to use than iris scan
and is more demanding, because the slightest movement causes
rejection by the system. It also needs more sophisticated cameras
than iris scan.
The figure below shows an image of a retina.

Figure: Retina Bitmap
Slide-51

Biometric Technology: Facial Scan
A facial recognition technique is a computer application for
automatically identifying or verifying a person from a digital image
or a video frame from a video source. It is the most natural means
of biometric identification.
Facial recognition is a form of computer vision that uses faces to
attempt to identify a person or verify a person's claimed identity.
Regardless of the specific method used, facial recognition is
accomplished in a five-step process.
1. Acquiring the image of an individual's face:
There are two ways to acquire an image:
▪ Digitally scan an existing photograph
▪ Acquire a live picture of a subject

2. Locate the face in the image:
software is used to locate the faces in the image that has been
obtained

3. Analysis of the facial image:
software measures the face according to its peaks and valleys (nodal
points), focusing on the inner region of the face known as the
"golden triangle"; the nodal points are used to make a face print

4. Comparison:
the face print created by the software is compared to all face
prints the system has stored in its database.
5. Match or no match:
software decides whether or not any comparison from step 4 is close
enough to declare a possible match.
Slide-52
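Steps 3 to 5 of that process as an added example, not code from the original slides. Steps 1 and 2 (acquiring the image and locating the face) need a camera and a face detector, so the example starts from the output of a hypothetical analysis stage: a handful of nodal-point distances in pixels. The feature order, the gallery, the probes, the threshold and the margin are all constructed for illustration; the one design point worth noting is that step 5 refuses to declare a match when two enrolled prints are nearly tied, rather than guessing.

```python
"""Steps 3 to 5 of the facial-scan process on constructed measurements.

Added example, not code from the original slides. Steps 1 and 2 (acquiring
the image and locating the face) need a camera and a face detector, so this
example starts from the output of a hypothetical analysis stage: a few
nodal-point distances in pixels. The feature order, the gallery and every
number below are constructed for illustration.
"""
import math

# Assumed feature order: eye-to-eye, eye-to-nose-ridge, nose-to-mouth,
# mouth width, jaw width (all in pixels as measured on the image).


def face_print(measurements):
    """Step 3: build the face print. Dividing by the eye-to-eye distance
    makes the print independent of how far the subject stood from the
    camera, so a close-up and a distant shot of one person agree."""
    eye_to_eye = measurements[0]
    return tuple(m / eye_to_eye for m in measurements)


def distance(a, b):
    """Euclidean distance between two face prints."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify(probe, gallery, threshold=0.08, margin=0.02):
    """Steps 4 and 5: compare the probe against every stored print and
    declare a match only if the best candidate is close enough AND clearly
    better than the runner-up; a near-tie between two enrolled people is
    reported as no match rather than guessed."""
    ranked = sorted((distance(probe, p), name) for name, p in gallery.items())
    best_d, best_name = ranked[0]
    if best_d > threshold:
        return None
    if len(ranked) > 1 and ranked[1][0] - best_d < margin:
        return None
    return best_name


# Constructed enrolment gallery: raw pixel measurements per person.
GALLERY = {
    "alice": face_print((60, 45, 40, 50, 110)),
    "bob": face_print((64, 50, 46, 48, 120)),
    "carol": face_print((58, 41, 36, 52, 100)),
}

# Constructed probes: Alice photographed 1.5x closer (all distances scale),
# and a person who is not enrolled at all.
PROBE_ALICE_CLOSER = face_print((90, 67.5, 60, 75, 165))
PROBE_STRANGER = face_print((62, 55, 38, 60, 95))

if __name__ == "__main__":
    print(identify(PROBE_ALICE_CLOSER, GALLERY))   # alice
    print(identify(PROBE_STRANGER, GALLERY))       # None
    # A lookalike enrolled alongside Alice makes the decision ambiguous.
    with_twin = {**GALLERY, "twin": face_print((60, 45, 40, 50, 111))}
    print(identify(PROBE_ALICE_CLOSER, with_twin))  # None
```

The normalisation in step 3 is what lets a closer photograph of Alice match her enrolment exactly, while the margin rule in step 5 is what turns the lookalike case into "no match" instead of a coin toss between two identities; a real system would have far more nodal points, but the decision structure is the same.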
Biometric Technology: Facial Scan
In the case of facial scan, it measures facial features like:
▪ Distance between the eyes.
▪ Distance between the eyes and nose ridge.
▪ Angle of a cheek.
▪ Slope of the nose.
▪ Thickness of the lips.
▪ Facial temperatures (infrared).

It is the most common biometric technique used to obtain a personal
identification.
This technique is used at all US embassies worldwide and by
government agencies.
It is also used to guarantee uniqueness against an image database,
usually to prevent identity theft (the same person enrolling under
two names).
Many ATMs and casinos around the country use this technique to
identify users.

Slide-53
Biometric Technology: Hand Geometry/ Hand Scan
This technology uses distinctive features of the hand, such as the
geometry of the hand and fingers, for identity verification.
It is based on the fact that nearly every person's hand is shaped
differently and that the shape of a person's hand does not change
after a certain age.
The technique estimates the length, width, thickness and surface
area of the hand. Various methods are used to measure the hand.
Recent uses include the I.N.S. PASS system (INSPASS), which scans a
hand of frequent travelers: instead of presenting a passport for
authentication, these frequent travelers swipe a card and do a hand
scan. It is both convenient for travelers and frees up staff to
attend to higher-risk passengers.
Hand geometry can still change with age and health conditions.
The figure below shows a hand geometry scanner.

Figure: Hand Geometry Scanner


Slide-54
Biometric Technology: Voice Scan
This is a technology that uses the unique aspects of an individual's
voice for identification or authentication purposes.
The technique described here is text-dependent, which means the
system does not verify an arbitrary phrase spoken by the user, but
rather a specific phrase associated with that user's account.
Voice is partly a physiological trait, because every person has a
different pitch, but voice recognition is mainly based on the way a
person speaks, so it is commonly classified as behavioral.
A person's voice can vary with age, illness and emotions.
Speaker recognition uses a microphone to record the voice.
The most common use of voice-scan biometric systems is where a
telephone is already being used.
For instance, home-arrest verification is a very common use. At any
time of the day or night a computer calls the home of a person under
home arrest, and that person has to answer the phone and speak a
passphrase to be authenticated.

Figure: Voice print

Slide-55
Biometric Technology: Signature Scan
This technology uses the handwritten signature for identity
verification.
Signature scan measures the speed, pressure, direction, acceleration,
stroke order and length of the strokes as well as the image of the
signature; so it is not only the signature image, as is commonly
believed.
Because the signature is captured from the user at the time of
signing, this biometric technology adds an extra level of security
and supports non-repudiation.
The most obvious and important advantage of this technique is that a
fraudster cannot glean any information on how to write the signature
by simply looking at one that has been previously written, since the
dynamics are not visible in the image.
There are various kinds of devices used to capture the signature
dynamics: either traditional tablets or special-purpose devices.
The figure below shows a signature taken using a tablet.

Figure: A Signature taken using Tablet.

Slide-56
Biometric Technology Still in Drawing Board
Vein scan:
Another fairly new technology that uses the vein patterns on the
back of the hand for identification and authentication.
The technology has the potential of delivering high accuracy, in
addition to the advantage of being non-intrusive to the user.
Vein identification has recently been implemented in commercial
products, such as VeinID.
Lip movement:
A camera captures images of how the user's lips move while the user
speaks a passphrase.
Body odor:
Body-odor biometrics is based on the fact that virtually every human
smell is unique. The smell is captured by sensors that are capable of
obtaining the odor from non-intrusive parts of the body such as the
back of the hand. The use of body-odor sensors raises the privacy
issue, as body odor carries a significant amount of sensitive
personal information: it is possible to diagnose some diseases, or
activities in the last few hours (sex, for example), by analyzing it.

Slide-57
Biometric Technology Still in Drawing Board
DNA:
A relatively new technology that relies on the analysis of DNA
sequences for identification and authentication.
DNA sampling is rather intrusive at present and requires a tissue,
blood or other bodily sample.
This method of capture still has to be refined. So far DNA analysis
has not been sufficiently automated to rank as a biometric
technology.
Analysis of human DNA is now possible within 10 minutes. As soon as
the technology advances so that DNA can be matched automatically in
real time, it may become more significant. At present DNA is firmly
entrenched in crime detection and so will remain in the law
enforcement area for the time being.
DNA technology raises many concerns over privacy, invasiveness and
data misuse, and currently cannot be fully automated.

Slide-58
Biometric Application
Biometric authentication is highly reliable, because physical human
characteristics are much more difficult to forge than security
codes, passwords or hardware keys. On the other hand, biometric
systems require sensors, fast processing equipment and substantial
memory capacity, so they are costly.
Biometric-based authentication applications include workstation and
network access, single sign-on, application logon, data protection,
remote access to resources, transaction security, and Web security.
The promise of e-commerce and e-government can be realized through
strong personal authentication procedures using biometric
applications.

Slide-59
Biometric Application
Secure electronic banking, investing and other financial
transactions, retail sales, law enforcement, and health and social
services are already benefiting from these technologies.
Biometric technologies are expected to play a key role in personal
authentication for large-scale enterprise network authentication
environments and point-of-sale systems, and in the protection of all
types of digital content, such as in Digital Rights Management and
health care applications.
Used alone or integrated with other technologies such as smart
cards, encryption keys and digital signatures, biometrics are
anticipated to pervade nearly all aspects of the economy and our
daily lives.

Slide-60
