The use of biometric data in remote user authentication is becoming more common. Remote user authentication is one of the most functional and convenient authentication schemes. In this paper, a research idea is proposed to enhance the security of biometric data in remote user authentication systems. The paper includes proposed research aims and objectives. The rationale for the proposed research idea is provided. A small literature review is included. The relevance and feasibility of the proposed research are discussed.
Keywords: biometric, remote user authentication, security, vulnerability.
Project: The Use of Biometric Data in Remote User Authentication
Remote user authentication remains one of the most appropriate, convenient, and simple authentication mechanisms. According to Kumar (2010), the goal of remote user authentication is to confirm that the user has the rights and privileges necessary to enter and use the system or network. Recently, biometric data have been proposed for use in remote user authentication, in order to enable effective and cryptographically secure user authentication without requiring the users to remember the key (Boyen et al., 2005). The user authentication potential of biometric data is enormous, mainly because the data are unique and a similar match is difficult to find. Unfortunately, in their current state, biometric data systems in user authentication raise many security issues. Therefore, new models to fulfill the security promise of biometrics in remote user authentication have to be invented.
The aim of the proposed research is to develop a model to enhance the security of the biometric data used in remote user authentication systems. In other words, the expected outcome of the proposed study is a comprehensive and applicable model that will help protect the systems of remote user authentication from the most common security vulnerabilities and, at the same time, ensure the secrecy and confidentiality of the biometric data provided by users.
The main objectives of the proposed research include:
- Define the most essential criteria of data security in biometrics-based systems of remote user authentication;
- Define the chief obstacles to secure data transmission in remote user authentication;
- Develop a model to overcome the most serious obstacles to security in systems of remote user authentication.
The relevance of the proposed research is justified by the growing use of biometric data in remote user authentication and, at the same time, consistent failure to address the most common security vulnerabilities facing such systems. Authentication is the main challenge presented by user authentication systems. Social engineering attacks are intended to uncover users’ biometric data (Bringer, Chabanne, Pointcheval & Zimmer, 2008). However, because personal biometric data are neither uniformly distributed nor exactly reproducible, “traditional security protocols will not guarantee correctness when the parties use a shared secret generated from the biometric data” (Boyen et al., 2005, p.1). The current state of literature provides an extensive overview of the most serious problems associated with the use of biometric data for remote user authentication, but only a few models have been proposed to solve these problems, and these certainly do not satisfy the growing demand for biometric-based systems.
The use of biometric data in remote user authentication has become a popular topic of professional research. Matyas and Riha (2003) write that biometrics is the third and latest method of user identification, apart from the authentication methods based on something the user has (e.g. a smart card) or something the user knows (e.g. PIN or password). According to Matyas and Riha (2003), “biometrics are automated methods of authentication based on measurable human physiological or behavioral characteristics such as a fingerprint, iris pattern, or voice sample” (p.45). Only biometric characteristics that are not duplicable should be used to authenticate users.
Biometric data are used to facilitate and, at the same time, enhance the security of user authentication in complex networks. One of the main reasons for the popularity of biometrics is their huge potential to offer secret, high-entropy information (Boyen et al., 2005). The use of biometrics in user authentication can be regarded as the triumph of information and networks evolution in the context of remote user authentication. It is interesting that the first remote user authentication scheme was proposed in 1981 by Lamport (Li & Hwang, 2010). Since then, traditional remote user authentication schemes have been developed, based on passwords (Li & Hwang, 2010). The main disadvantage of password-based user authentication systems was that passwords and other cryptographic keys could be forgotten and lost, and there would be no way to learn the user’s identity (Li & Hwang, 2010). Today, biometrics-based user authentication is believed to be much more secure and more reliable than traditional password-based systems. The advantages of using biometrics in remote user authentication will be noted later.
Several types of biometric user authentication systems currently exist. Matyas and Riha (2003) speak about the difference between identity verification (one-to-one matching) and identification, or recognition. The researchers also mention the difference between automated identification systems and biometric access control systems. The former are used mainly by law enforcement agencies to identify suspects and victims, whereas the latter function to give users access and privilege to use secret information (data) (Matyas & Riha, 2003). Monrose and Rubin (2000) provide a detailed description of biometric systems and suggest that these systems can be based on different patterns of identification, which include face thermal patterns, blood vessel patterns in the hand and retina, hand geometry, and even handwritten signatures. Monrose and Rubin (2000) also propose using keystroke dynamics as a method of biometric-based user identification.
The advantages of using biometric data in remote user authentication have been highlighted by Li and Hwang (2010). First, users cannot lose or forget their biometric data. Second, biometric keys are extremely difficult to share, copy, or imitate. Third, biometric keys present considerable distribution and forging difficulties, which make them more reliable than traditional user authentication mechanisms. Fourth, no one can easily guess a biometric key. Fifth, it is not that easy to break someone’s biometric code (Li & Hwang, 2010). These are just some of the main reasons why biometrics-based authentication systems are potentially more effective and reliable than traditional password-based identification. Unfortunately, contemporary researchers are much more willing to elaborate on the problems of using biometric data in user authentication than focus on the analysis of biometrics’ strong sides.
Studies analyzing the major security gaps in biometrics-based user authentication systems are abundant. The basic idea is that biometrics-based remote user authentication systems are not as secure as they may seem. One of the main difficulties facing networking professionals is that biometric data are neither reproducible nor uniformly distributed across systems (Boyen et al., 2005). Another problem is that biometrics-based user authentication systems are still vulnerable to masquerade attacks (Li, Niu, Ma, Wang & Liu, 2011). Conspiring and server spoofing attacks are also a problem for biometrics-based remote user authentication systems (Li et al., 2011). Some remote user authentication systems that involve the use of biometric data fail to withstand insider attacks, reflection attacks, and guessing attacks, and may not be reparable once the secret information is revealed (Wang, Zhang, Zhang & Khan, 2007). Faundez-Zanuy (2004) also writes that, once the user’s biometric data are stolen, they cannot be replaced. Thus, the new owner of the biometric data gains a privilege to use the secure system, whereas the authentic user will continue facing network difficulties due to the fact that his/her biometric data are no longer secret.
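The reproducibility problem cited from Boyen et al. (2005) can be shown concretely. The following is an added example, not part of the original proposal or of any cited scheme: it contrasts a password-style hash comparison with a code-offset (fuzzy commitment) construction built on a toy repetition code. The 40-bit template, the key, and all function names are constructed for illustration; practical schemes use stronger error-correcting codes and real feature extractors.

```python
import hashlib
import hmac

REP = 5  # each key bit is repeated REP times; majority vote fixes up to 2 flips per group

# Constructed 40-bit "template" standing in for an enrolled biometric feature vector.
TEMPLATE = [int(c) for c in "1011001110001011010011100101101000111010"]

def flip(bits, positions):
    """Simulate sensor noise by inverting the bits at the given positions."""
    noisy = set(positions)
    return [b ^ 1 if i in noisy else b for i, b in enumerate(bits)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def naive_match(enrolled, reading):
    """Password-style check: compare hashes of the raw readings."""
    return hmac.compare_digest(digest(enrolled), digest(reading))

def encode(key_bits):
    """Repetition-code encoder: expand each key bit into REP copies."""
    return [b for b in key_bits for _ in range(REP)]

def decode(codeword):
    """Majority vote within each group of REP bits."""
    return [int(sum(codeword[i:i + REP]) > REP // 2)
            for i in range(0, len(codeword), REP)]

def enroll(template, key_bits):
    """Server stores helper = codeword XOR template and a hash of the key, not the template."""
    helper = [c ^ t for c, t in zip(encode(key_bits), template)]
    return helper, digest(key_bits)

def verify(reading, helper, key_hash):
    """Unmask the codeword with a fresh reading, correct errors, compare key hashes."""
    candidate = decode([h ^ r for h, r in zip(helper, reading)])
    return hmac.compare_digest(digest(candidate), key_hash)

if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed; a real key is random
    helper, key_hash = enroll(TEMPLATE, key)
    same_user = flip(TEMPLATE, [3, 17, 31])   # 3 noisy bits, one per group
    print("naive hash, same user :", naive_match(TEMPLATE, same_user))
    print("code-offset, same user:", verify(same_user, helper, key_hash))
    print("code-offset, impostor :", verify(flip(TEMPLATE, range(40)), helper, key_hash))
    print("code-offset, 3 flips in one group:", verify(flip(TEMPLATE, [0, 1, 2]), helper, key_hash))
```

The last case shows the limit of the toy code: noise beyond its correction capacity rejects the genuine user, which is the correctness trade-off any model of this kind has to tune.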
Bolle, Connell and Ratha (2002) suggest that remote user authentication based on biometric data is vulnerable to a different set of security issues than traditional password-based systems. Actually, it is because authentication is remote that potential attackers have ample time to implement their attacks (Bolle et al., 2002). Enhancing the security of biometrics-based systems and making remote user authentication more secure is quite problematic, mainly due to the cost and other practical obstacles to implementing these systems. Biometric systems are not stable over time, and their integration with the existing systems and new security models presents numerous practical problems (Tang, Bringer, Chabanne & Pointcheval, 2008). Also, biometric data by themselves are not sufficient for security, and their use is accompanied by numerous operational, system, and even human problems (Chandra & Calderon, 2005).
Despite the growing body of professional literature, numerous gaps continue to persist. One of the biggest problems facing contemporary scholars and practitioners is the growing amount of criticism regarding the use of biometrics in remote user authentication and, at the same time, failure to develop a single, comprehensive model to tackle these risks. Bearing in mind the reliability and efficiency potentials of biometric data, it is high time a new security model for remote user authentication were developed. Certainly, security is not the only problem affecting biometric data systems. As mentioned previously, integration, scalability, changeability, and the human factor can facilitate or impede the implementation of biometrics-based systems of remote user authentication (Chandra & Calderon, 2005; Tang et al., 2008). However, at the heart of the proposed research is the issue of security, and a new model should be created to address the most common misunderstandings in the context of biometrics-related security risks. The results of the proposed research will also create a good basis for the future analysis of remote user authentication, the role and place of biometric data, and possible ways to reduce the existing and potential security risks. The proposed research may not solve all security problems inherent in remote user authentication but it can lead to considerable improvements in the latest user authentication technologies and networks that involve the use of biometric data.