Using Voice and Other Biometrics - User Friendly Authentication and ...

nauseatingcynicalΑσφάλεια

22 Φεβ 2014 (πριν από 3 χρόνια και 5 μήνες)

50 εμφανίσεις

Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
1
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Using Voice and Other Biometrics
-

User Friendly Authentication

and Authorization Architecture


Background

The world of authentication is beginning to rapidly change with all sorts of new
authentication methods, many of which are biometric.

One of the
e
asy to use
ones

is voice authentication

where
the user
can either say the password or
simply talk and the software will then authenticate
them
.


In parallel to this development, is the upcoming Siri release from Apple applied
across all their hardware pla
tforms.

This will allow the user to use their voice to
control their compu
ter, iPad or iPhone.

Th
e author believes this
will
radically
transform how
people

interact with software apps over the next five or so
years.

They will
talk to
their computing

dev
ices rather than use
a
keyboard to do
this.


However, there is a new degree of risk that comes with this.

A biometric is not a
secret.

Therefor
e, if the user's biometric is stolen and successfully used to
masquerade as the identity, t
hen the user is

prev
ented from using this to
authenticate
.

Further
,

some forms of biometrics are more tightly linked to the
identity than others (e.g. an Iris scan versus a voice biometric or
,

a digital
fingerprint versus a finger scan). Thus, it makes sense to partner the
use of
different biometrics with stronger forms of authentication for higher risk
transactions
and/
or access to more sensitive networks, applications or content.



However, a number of questions arise:



What is the architecture an enterprise should use pro
viding them with
flexibility as new forms of authentication are developed?



How can an enterprise offer different authentication methods to a user at
the same time?



What happens if the user’s biometric is stolen or used successfully in a
masquerade attack
?



What kind of low cost

easy to use
alternatives exist for an enterprise to
use stronger authentication?



What kind of new or additional
privacy and governance constraints does
the use of biometrics bring to the enterprise?



How does the user on the move wit
h a mobile device affect my
authentication and authorization architecture?



Does the user mobility introduce new types of contextual authentication
and authorization?

Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
2
 
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 

This paper will present a flexible architecture for enterprises to use with
biometrics an
d other forms of authentication while at the same time answering
the above questions.




Architecture

Given the above, a

authentication and authorization architecture must
:

1.

B
e flexible


i
t should allow for development and easy insertion into the
existing

architecture of new authentication and authorization technologies

as they develop
.

2.

A
llow for multiple forms of authentication concurrently


this offers users
potential multiple choices depending on where they are and what types of
communication and compu
ter interaction devices they have available.

3.

Allow

for contextual authentication and authorization


the user is now
mobile and this potentially creates authentication and access decisions not
only based on the user BUT on the degree of trust given where t
he user is
and in what circumstance they are in.

4.

Be designed such that if a user’s biometric is stolen
and successfully used
to masquerade the identity,
alternate forms of authentication are easily
and quickly available.

5.

Be based on risk
-

Low forms of ris
k require low authentication strength
while high risk requires a greater degree of certainty the identity is who
they are claiming themselves to be.

6.

Have excellent identity registration, role and attribute changes, termina
tion
and archival capabilities
-

r
egistration is very important

with biometrics
.

7.

Have excellent identity governance that ensures user privacy and
regulatory compliance.


Authentication Architecture:

There are three main components:



Risk assessment for networks, application and content



Auth
entication strength chart



Numeric based authentication policies


Risk Assessment:

Enterprises
should
perform a risk assessment for all their networks, application
and content. The risk must then be assigned a numeric number from 0 to 100
with 100 being th
e highest level of risk.


Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
3
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Authentication Strength Chart:

The enterprise must prepare their own internal authentication strength chart with
the weakest forms of authentication at the bottom of the chart and the strongest
forms of authentication at the top o
f the chart.
Against this, a numeric number will
be assigned.


For example, most enterprise authentication strength charts place usernames
and passwords at the bottom of the list as being weakest. Some forms of
biometri
cs might also be here such as
voice
recognition. Stronger forms of
authentication might include tokens the user carries (e.g. their cell phone with a
digital cert, or the ability to respond to an SMS message), stronger forms of
biometrics, etc. At the top of the list will be multi
-
factor au
thentication i.e.
something you know, something you have and something you are.


The enterprise would then assign numbers to the chart. For example, a
username and password or a voice biometric might be given a rating of 20.
Stronger forms of authenticat
ion might be rated at 40
-
60. Multi
-
factor
authentication might be rated from 70
-
90.


Numeric Based Authentication Policies:

Authentication polices should then be done numerically. For example, if the
portal access is a relatively low risk, then a numeric

authentication policy might
specify a score of 20 to be required while a higher risk network or piece of
content might be 60.


Let’s use an example to illustrate this. Jane Doe wants to log on to the enterprise
portal. The portal risk is a “20”. Jane c
an then log on using a variety of ways.
She could user her username and password, or she could use a keyboard
biometric authentication or, she could use a voice authentication.


Jane presents her “credentials” to the enterprise. The authentication syst
em then
validates her credentials. As a post authentication action, the identity
management authentication software then checks to see what the authentication
level is for the portal. It’s 20. Since Jane has used one of these methods, each
with a rating

of 20, the authentication software then “accepts” her identity and
proceeds on to authorization.


Now
let’s
Jane
is using
the portal to access two pieces of content
; one

low risk
and the other is higher risk.


When she either clicks on the low risk cont
ent or, in the future, directs her digital
device to access the low risk content using her voice, the identity management
authentication policy first checks the authentication level required. It’s 20. It
know J
ane has already authenticated for this and t
hen proceeds to authorization.

Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
4
 
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 

However, for the higher risk content, the authentication policy is 40. Jane needs
to provide stronger authentication. The authentication software will then offer
Jane a number of choices. It could send her cell a SMS
message, which

she can
respond to. This is essentially a token that Jane carries tying her more closely to
the
identity o
r, she could say a password into her phone or, her smartphone
could have a digital cert on it or,
sh
e could in the future do a facial

scan to the
smartphone or,
she could flash her security badge at a scanner o
,
r
enter a
password or
,

whatever
else
the enterprise offers.


So Why Use All of T
his?


It offers the user ease of use. By deploying easy to use authentication methods
such as voi
ce recognition and authentication, it eliminates the need for the user
to use a password for low risk access.
This helps the user since they are often

forced to
keep password lists since they have to deal with so many enterprises
requiring them to use pas
swords.


By using tokens the user already carries, like their smart phone, it enables easy
ways to provide stronger authentication at low enterprise management costs. In
the future, smart phones will be enabled with facial recognition and finger
scannin
g capabilities. The ability to use this as well as the ability for the smart
phone to store digital certs
provides

the enterprise
with
multi
-
factor authentication
for higher risk at low costs.


The system offers flexibility as new forms of authentication
are developed. The
enterprise would first evaluate the new form of authentication
. I
f approved,
it
would assign
it
authentication strength and then deploy it without having to
change any of their authentication policies.


The architecture allows for use
r choices. If the user
were

accessing the
enterprise from an old fashioned computer with a keyboard and no voice
capability, they would enter their username and password to access low risk
networks, apps and content. If they’re on their smartphone, they
could simply
speak into the phone and the voice recognition is used.


If the user’s biometric is “hacked” or stolen,
or say the user has laryngitis,
then
the user still has ways to access the network. Remember, a biometric is not a
secret. While biometri
c manufacturers tout their wares telling you that
masquerading isn’t possible with a stolen biometric
,

the enterprise nor the user
can’t be 100%
certain. This architecture means that choices can be designed
into the architecture mitigating the risk to the

end user and the enterprise. Thus
Jane could still log on using a password or something else.

Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
5
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Contextual Authentication

and Authorization

Many years ago, I was working with a large US defense contractor. They wanted
to have different authentication and
authorization requirements for the user
depending on where they were. For example, if the user was in Russia, then
stronger authentication and authorization would be required than if they were in
the US accessing the system from home than if they were ins
ide the enterprise
network.


I also worked with a large US health provider. The security architects were
designing a system whereby normal health record access had all sorts of checks
and balances in it. However, when a doctor walked into an emergency ro
om,
they wanted to have immediate access to all information. So they gave the
doctor’s proximity badges. When the doctor walked into the emergency room,
the badge would be flashed by a proximity reader and then, because the doctor
was in the emergency ro
om, all medical information would be instantly available
to help them deal with a life of death situation.


Both of these are examples of what I call contextual authentication and
authorization. So now fast forward to today and tomorrow.


Many people no
w carry smart phones. They are using them more and more as
computers to access networks, apps and content, wherever they may be. This
introduces new complexities to the enterprise since now they must consider what
the risk is for a given access.


Like t
he defense and health provider
, system
s that ordinarily weren’t affected by
location
must consider if there are any contextual authentication and
authoriz
ation risks and their i
mplications.

Examples of this could include a
teacher or education administrat
or in a
school
lock
down
situation accessing
student records, a petroleum employee accessing sensitive documen
ts from a
public location with
their smart phone, or a medical person stopping beside a
person who’s in anaphylactic shock who then commands their

phone to provide
information on the person they are treating.


Their architecture must then allow for this to occur. Jane Doe may be able to
access the higher risk content inside her office on the enterprise network with a
lower strength authentication th
an possibly if she is outside the office on a bus or
subway where she might require higher strength access. Conversely, if Jane is
in an emergency situation, then like the doctors, she might be given all or most
access to the information.





Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
6
 
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Contextual
authentication and authorization requires the following components:



Identity management software that allows for configuring what’s called
“fine grained” authentication and authorization policies.



Ability to leverage role based information



Ability to leve
rage attribute based information



Excellent governance to control, monitor, archive and audit the use of
contextual authentication and authorization



Contextual authorization usually requires more information than the role the
person is playing. It requir
es attributes to help the identi
ty management system
determine i
f the role plus the attributes is sufficient to grant them access.
Today’s smart phone can provide geo
-
location information as well as the identity
can speak a key word like “emergency”.


Ex
amples:

Jane Doe is a medical physician or nurse
who’s come across a
person having a
severe allergy reaction. As they begin treatment, they could, in the near future,
command their cell phone to dial 911 and state that it’s an emergency requiring
informat
ion on John Smith taken from his wallet.
The cell phone provides the
geo
-
location information, and also it could be mapped to the user who has a role
of doctor or nurse. The fact that they state it’s an emergency may automatically
be used to find John
Smith’s medical records and then provide Jane with
information.


Jane Doe is a petroleum ent
erprise employee who’s now tryi
ng to access some
sensitive content from their smart phone
while

on a train out of their office. The
architecture must first of all recognize that Jane is out of the office from their
smart phone, then determine if what the authentication and authorization policies
are for this context. It may require Jane to provide

stronger authentication and
the authorization might be to only show Jane some of the digital content but not
the most sensitive portions due to the fact that she’s in a public place.


Jane does

is a
schoolteacher

who’s a substitute in a room
with students

where
the school is being locked down for several hours. She might be given greater
access to the student records from her smart phone than otherwise because it’s
an emergency.


Enterprises

should reflect on the operational and risk impacts
of h
aving use
rs
use

smart phones to access almost all of an enterprise’s digital content, apps and
networks and think of their own examples where contextual authentication and
authorization requirements will be different than they normally would be if the
person is acc
essing it from inside their enterprise network.


Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
7
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Contextual authentication and authorization

requires excellent governance, audit
and archival. The
enterprise

and regulatory agencies

don’t

want

this
information
to be mis
used.
The architecture must ensure

that regulatory compliance re the
use of an identity’s biometrics, the authorization and the content they accessed is
appropriate.


Registration

Biometric devices require an excellent registration and de
-
registration process.
For example, in the past a
t certain enterprises I worked in, I would go to one of
their security offices to register my biometric with. This was usually a digital
finger print.


The digital finger print was then submitted to the law enforcement’s finger print
records to validate

that I didn’t have a criminal record and/or a bankruptcy (which
financial institutions
are required to

check). The registration process is tying the
identity more closely to who they sat they are. Now fast forward to today.


The person who is shopping

and wanting to use their voice or a finger scan to
pay for goods or a worker who’s wanting to access a physical door or some
content protected by a biometric authentication, needs some form of both
identification registration as well as enrolling their bi
ometric in the enterprise’s
biometric identity management system

to be used for authentication
.


A biometric registration process is not always
straightforward
. For example, a
person might have some difficulties rotating their fingers for a finger scan through
their smart phone or at
retail

till, or, thei
r

voice speech might not be clear. So,
any registration process must have alternate processes in place for
people who
have difficulty in registering.

Then there is the issue
of false
positives
/acceptance and false rejection/negative
.


False Acceptance Rate

A false positive or false acceptance is where the identity who’s providing the
biometric is falsely tied

to another identity other than their own. This is called a

False Acceptance Rate


(FAR).


False Rejection Rate

A false rejection or false negative is where the identity using the biometric isn’t
accepted. This is
called the

False Reject Rate


(FRR).


Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
8
 
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 

Cross
-
over Error Rate

Enterprises evaluating different forms of biometrics often use what’s called a
“Cross
-
over Error Rate” or CER. This is a measurement between the FAR and
the FRR represented as a number or a percentage. The lower the number or
perce
ntage, the more accurate the biometrics system is.


What Does This Mean to an Enterprise and its U
sers?

As
the use of
biometrics
for authentication
becomes increasingly common
, it
means that enterprises must have processes in place to deal with FAR and
FRR’s and also to not frustrate their end user or customer with this.


So, let’s use Jane Doe as an example. She provides her voice biometric and her
identity is mistakenly ma
pped to Sally Smith (FAR). Now Jane may or may not
be ethical. Let’s assume she isn’t and she’s granted access to some of Sally’s
personal information. As she tries to dive deeper say into Sally’s financial
records and transfer some money, the identity
management system would
require stronger authentication
,

which Jane won’t
know,

as she isn’t Sally.


Now let’s assume that Jane tries to authenticate using her voice and she’s
rejected (FRR). The enterprise needs to have easy to use processes to allow
Jan
e to deal with this.
Perhaps she has a bad
case of laryngitis
.
If it’s a voice
biometric, which is a low
risk authentication mechanism,
the enterprise could
offer Jane to use her password or do a finger scan or some other process or, to
call a 1
-
8000 hel
p desk number or something else.


De
-
registration is also equally important. For example, let’s say that Jane stops
using a credit card tied in the future to voice authentication

or leaves the
enterprise she’s working at both of which use biometrics to
authenticate Jane.
There must be
well
-
designed

business and technical processes that ensure that
Jane’s biometric information is deleted and/or securely archived. Remember,
that a biometric is a piece of a person i.e. something you are. Therefore, it’s
e
ssential that the enterprise can prove to its auditors and to regulatory authorities
that it is taking all the correct steps to prevent the continued storage of Jane’s
biometrics without her permission.


On
-
going storage of active users biometrics MUST B
E SECURE as well as
having EXCELLENT BUSINESS AND TECHNICAL MANAGEMENT
PROCESSES. Without this, the enterprise might one day be breached resulting
in the enterprise having to notify their users that something they are has been
stolen.



Using  Voice  and  Other  Biometrics    
-­‐
User  Friendly  Authentication  and  Authorization  Architecture
 
9
 
 
 
 
Guy  Huntington,  President  Huntington  Ventures  Ltd.
 
 
 
 
Summary


Biometrics is not a silver bullet. Each type of biometric technology comes with
it’s own FRR and FAR’s and require different types of registration processes.
Used in conjunction with smart phones, t
hey also offer new risks as the user is
now potentially
on the move, creating new contextual authentication and
authorization situations. Is your enterprise architecture ready for this?


This paper outlines a
risk
-
based

architecture that offers flexibility for the end user
as well as the enterprise. Assigning

a

numeric risk number, creating
an
authentication risk chart and then creating authentication policies based on
numeric numbers brings the enterprise a flexibly architecture.


It provides for the user:



Easy to use biometric authentication requiring no p
asswords to initially log
on to low risk systems, applications or access low risk content



Choices authenticating



Options f their biometric doesn’t work



Easy to use stronger forms of authentication by leveraging their smart
phone they carry i.e. a token


I
t provides for the enterprise:



A flexible architecture that is relatively easy to insert new authentication
technologies as they develop



Stronger authentication deployed at reduced costs by leveraging devices
that the user already carries with them (their
smart phone)



Options in dealing with FRR and FAR



Happier end users by reducing the need to memorize passwords


The enterprise can and likely will still use passwords but in a less frequent way
as they now become a stronger form of authentication
. The ente
rprise will also
likely continue to use tokens th
ey issue (e.g. numeric tokens,
proximity badges,
digital certs,
etc.
). However, these will now be used in a mix with biometrics and
tokens the user is already carrying with them i.e. their smart phones.


A
flexible architecture is required that has excellent identity registration and
biometric enrollment processes as well as strong governance and de
-
registration
processes.


About the Author

Guy Huntington, President of Huntington Ventures Ltd, has lead man
y large
complex Fortune 500 identity projects. Guy can be contacted at
guy@hvl.net
,
www.authenticationworld.com

or 604
-
861
-
6804.