Skip to main content

User Authentication—Passwords, Biometrics and Alternatives

  • 1110 Accesses

Part of the Information Security and Cryptography book series (ISC)

Abstract

This chapter is on user authentication—humans being authenticated by a computer system. Chapter 4 addresses machine-to-machine authentication and related cryptographic protocols. The main topics of focus herein are passwords, hardware-based tokens, and biometric authentication. We also discuss password managers, CAPTCHAs, graphical passwords, and background on entropy relevant to the security of user-chosen passwords.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-83411-1_3
  • Chapter length: 36 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-83411-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Hardcover Book
USD   79.99
Price excludes VAT (USA)

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. M. Abadi, T. M. A. Lomas, and R. Needham. Strengthening passwords. SRC Technical Note 1997-033, DEC Systems Research Center, Palo Alto, CA, 1997. September 4 with minor revision December 16.

    Google Scholar 

  2. L. Ballard, S. Kamara, F. Monrose, and M. K. Reiter. Towards practical biometric key generation with randomized biometric templates. In ACM Comp. & Comm. Security (CCS), pages 235–244, 2008.

    Google Scholar 

  3. L. Ballard, F. Monrose, and D. P. Lopresti. Biometric authentication revisited: Understanding the impact of wolves in sheep’s clothing. In USENIX Security, 2006.

    Google Scholar 

  4. R. Biddle, S. Chiasson, and P. C. van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4):19:1–19:41, 2012.

    Google Scholar 

  5. A. Biryukov, D. Dinu, and D. Khovratovich. Argon2: New generation of memory-hard functions for password hashing and other applications. In IEEE Eur. Symp. Security & Privacy, pages 292–302, 2016.

    Google Scholar 

  6. D. Boneh, H. Corrigan-Gibbs, and S. E. Schechter. Balloon hashing: A memory-hard function providing provable protection against sequential attacks. In ASIACRYPT, 2016.

    Google Scholar 

  7. J. Bonneau. Guessing Human-Chosen Secrets. PhD thesis, University of Cambridge, U.K., 2012.

    Google Scholar 

  8. J. Bonneau. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In IEEE Symp. Security and Privacy, pages 538–552, 2012.

    Google Scholar 

  9. J. Bonneau, E. Bursztein, I. Caron, R. Jackson, and M.Williamson. Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. In WWW—Int’l Conf. on World Wide Web, pages 141–150, 2015.

    Google Scholar 

  10. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In IEEE Symp. Security and Privacy, pages 553–567, 2012

    Google Scholar 

  11. W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T. Polk, S. Gupta, and E. A. Nabbus. NIST Special Pub 800-63-1: Electronic Authentication Guideline. U.S. Dept. of Commerce. Dec 2011 (121 pages), supersedes [12]; superseded by SP 800-63-2, Aug 2013 (123 pages), itself superseded by [29].

    Google Scholar 

  12. W. E. Burr, D. F. Dodson, and W. T. Polk. NIST Special Pub 800-63: Electronic Authentication Guideline. U.S. Dept. of Commerce. Ver. 1.0, Jun 2004 (53 pages), including Appendix A: Estimating Password Entropy and Strength (8 pages). Superseded by [11].

    Google Scholar 

  13. C. Cachin. Entropy Measures and Unconditional Security in Cryptography. PhD thesis, Swiss Federal Institute of Technology Zurich, Switzerland, May 1997.

    Google Scholar 

  14. S. Chiasson and P. C. van Oorschot. Quantifying the security advantage of password expiration policies. Designs, Codes and Cryptography, 77(2-3):401–408, 2015.

    Google Scholar 

  15. S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers. In USENIX Security, 2006.

    Google Scholar 

  16. J. Daugman. How iris recognition works. IEEE Trans. Circuits Syst. Video Techn., 14(1):21–30, 2004.

    Google Scholar 

  17. X. de Carn´e de Carnavalet and M. Mannan. A large-scale evaluation of high-impact password strength meters. ACM Trans. Inf. Systems and Security, 18(1):1:1–1:32, 2015.

    Google Scholar 

  18. P. J. Denning, editor. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990. Edited collection (classic papers, articles of historic or tutorial value).

    Google Scholar 

  19. DoD. Password Management Guideline. Technical Report CSC-STD-002-85 (Green Book), U.S. Department of Defense. 12 April 1985.

    Google Scholar 

  20. M. D¨urmuth and T. Kranz. On password guessing with GPUs and FPGAs. In PASSWORDS 2014, pages 19–38.

    Google Scholar 

  21. M. Egele, L. Bilge, E. Kirda, and C. Kruegel. CAPTCHA smuggling: hijacking web browsing sessions to create CAPTCHA farms. In ACM Symp. Applied Computing (SAC), pages 1865–1870, 2010.

    Google Scholar 

  22. M. W. Eichin and J. A. Rochlis. With microscope and tweezers: An analysis of the Internet virus of November 1988. In IEEE Symp. Security and Privacy, pages 326–343, 1989.

    Google Scholar 

  23. N. Ferguson and B. Schneier. Practical Cryptography. Wiley, 2003.

    Google Scholar 

  24. D. Florˆencio, C. Herley, and P. C. van Oorschot. An administrator’s guide to Internet password research. In Large Installation Sys. Admin. Conf. (LISA), pages 35–52. USENIX, 2014.

    Google Scholar 

  25. D. Florˆencio, C. Herley, and P. C. van Oorschot. Password portfolios and the finite-effort user: Sustainably managing large numbers of accounts. In USENIX Security, pages 575–590, 2014.

    Google Scholar 

  26. S. L. Garfinkel and H. R. Lipford. Usable Security: History, Themes, and Challenges. Synthesis Lectures (mini-book series). Morgan and Claypool, 2014.

    Google Scholar 

  27. P. Garrett. The Mathematics of Coding Theory. Pearson Prentice Hall, 2004.

    Google Scholar 

  28. N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan. The password reset MitM attack. In IEEE Symp. Security and Privacy, pages 251–267, 2017.

    Google Scholar 

  29. P. A. Grassi et al. NIST Special Pub 800-63-3: Digital Identity Guidelines. U.S. Dept. of Commerce. Jun 2017, supersedes [11]. Additional parts SP 800-63A: Enrollment and Identity Proofing, SP 800- 63B: Authentication and Lifecycle Management, SP 800-63C: Federation and Assertions.

    Google Scholar 

  30. N. Haller. The S/KEY One-Time Password System. In Netw. Dist. Sys. Security (NDSS), 1994.

    Google Scholar 

  31. N. Haller and C. Metz. RFC 1938: A one-time password system, May 1996. Cf. RFC 1760 (Feb 1995).

    Google Scholar 

  32. F. Hao, R. J. Anderson, and J. Daugman. Combining crypto with biometrics effectively. IEEE Trans. Computers, 55(9):1081–1088, 2006.

    Google Scholar 

  33. G. Hatzivasilis. Password-hashing status. Cryptography, 1(2):10:1–10:31, 2017.

    Google Scholar 

  34. J.M. G. Hidalgo and G. A´ .Maran˜o´n. CAPTCHAs: An artificial intelligence application to web security. Advances in Computers, 83:109–181, 2011.

    Google Scholar 

  35. A. K. Jain, A. Ross, and S. Pankanti. Biometrics: a tool for information security. IEEE Trans. Info. Forensics and Security, 1(2):125–143, 2006.

    Google Scholar 

  36. A. K. Jain, A. Ross, and S. Prabhakar. An introduction to biometric recognition. IEEE Trans. Circuits Syst. Video Techn., 14(1):4–20, 2004.

    Google Scholar 

  37. H. Khan, U. Hengartner, and D. Vogel. Targeted mimicry attacks on touch input based implicit authentication schemes. In MobiSys 2016 (Mobile Systems, Applic. and Services), pages 387–398, 2016.

    Google Scholar 

  38. J. Lang, A. Czeskis, D. Balfanz, M. Schilder, and S. Srinivas. Security Keys: Practical cryptographic second factors for the modern web. In Financial Crypto, pages 422–440, 2016.

    Google Scholar 

  39. P. J. Denning, editor. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990. Edited collection (classic papers, articles of historic or tutorial value).

    Google Scholar 

  40. U. Manber. A simple scheme to make passwords based on one-way functions much harder to crack. Computers & Security, 15(2):171–176, 1996.

    Google Scholar 

  41. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of artificial “gummy” fingers on fingerprint systems. In Proc. SPIE 4677, Optical Security and Counterfeit Deterrence Techniques IV, pages 275–289, 2002.

    Google Scholar 

  42. R. J. McEliece. The Theory of Information and Coding. In G.-C. Rota, editor, Encyclopedia of Mathematics and Its Applications, volume 3. Addison-Wesley, 1977.

    Google Scholar 

  43. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Openly available, http://cacr.uwaterloo.ca/hac/.

    Google Scholar 

  44. C. E. Metz. Basic Principles of ROC Analysis. Seminars in Nuclear Medicine, 8(4):283–298, Oct. 1978. See also: John Eng, “Receiver Operator Characteristic Analysis: A Primer”, Academic Radiology 12 (7):909–916, July 2005.

    Google Scholar 

  45. F. Monrose, M. K. Reiter, and S. Wetzel. Password hardening based on keystroke dynamics. Int. J. Inf. Sec., 1(2):69–83, 2002.

    Google Scholar 

  46. M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage. Re:CAPTCHAs— Understanding CAPTCHA-solving services in an economic context. In USENIX Security, 2010.

    Google Scholar 

  47. J. A. Muir and P. C. van Oorschot. Internet geolocation: Evasion and counterevasion. ACM Computing Surveys, 42(1):4:1–4:23, 2009.

    Google Scholar 

  48. A. Narayanan and V. Shmatikov. Fast dictionary attacks on passwords using time-space tradeoff. In ACM Comp. & Comm. Security (CCS), pages 364–372, 2005.

    Google Scholar 

  49. NIST. FIPS 112: Password Usage. U.S. Dept. of Commerce, May 1985.

    Google Scholar 

  50. P. Oechslin. Making a faster cryptanalytic time-memory trade-off. In CRYPTO, pages 617–630, 2003.

    Google Scholar 

  51. B. Pinkas and T. Sander. Securing passwords against dictionary attacks. In ACM Comp. & Comm. Security (CCS), pages 161–170, 2002.

    Google Scholar 

  52. N. Provos and D. Mazi`eres. A future-adaptable password scheme. In USENIX Annual Technical Conf., pages 81–91, 1999. FREENIX Track.

    Google Scholar 

  53. J. A. Rochlis and M. W. Eichin. With microscope and tweezers: The Worm from MIT’s perspective. Comm. ACM, 32(6):689–698, 1989. Reprinted as [18, Article 11]; see also more technical paper [22].

    Google Scholar 

  54. A. D. Rubin. White-Hat Security Arsenal. Addison-Wesley, 2001.

    Google Scholar 

  55. C. Shannon. A mathematical theory of communication. The Bell System Technical Journal, vol.27, 1948. Pages 379–423 (Jul) and 623–656 (Oct).

    Google Scholar 

  56. E. H. Spafford. Crisis and aftermath. Comm. ACM, 32(6):678–687, 1989. Reprinted: [18, Article 12].

    Google Scholar 

  57. B. Ur, S. M. Segreti, L. Bauer, N. Christin, L. F. Cranor, S. Komanduri, D. Kurilova, M. L. Mazurek, W. Melicher, and R. Shay. Measuring real-world accuracies and biases in modeling password guessability. In USENIX Security, pages 463–481, 2015.

    Google Scholar 

  58. P. C. van Oorschot and S. G. Stubblebine. On countering online dictionary attacks with login histories and humans-in-the-loop. ACM Trans. Inf. Systems and Security, 9(3):235–258, 2006.

    Google Scholar 

  59. P. C. van Oorschot and J. Thorpe. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Systems and Security, 10(4):1–33 (Article 17), 2008.

    Google Scholar 

  60. M. Weir, S. Aggarwal, M. P. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In ACM Comp. & Comm. Security (CCS), 2010.

    Google Scholar 

  61. D. L. Wheeler. zxcvbn: Low-budget password strength estimation. In USENIX Security, pages 157– 173, 2016.

    Google Scholar 

  62. Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In ACM Comp. & Comm. Security (CCS), pages 176–186, 2010.

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 The Author(s)

About this chapter

Verify currency and authenticity via CrossMark

Cite this chapter

van Oorschot, P.C. (2021). User Authentication—Passwords, Biometrics and Alternatives. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer ScienceComputer Science (R0)