Tokens and Biometric Systems, which one is better?
Biometric scanners and analyzers, such as fingerprint or iris scanners and voiceprint analyzers, attempt to prove "something one is", while tokens, such as key fobs or smartcards, attempt to prove "something one has". The accuracy and reliability of the former are still unsatisfactory, or even questionable, when compared to the latter. It was demonstrated in 2002 by Professor Tsutomu Matsumoto, a cryptographer in Japan, that a fingerprint can be captured by immersing the finger into free-molding plastic to make a plastic mold. He then melted gelatin (the substance which makes jellied soups and desserts), poured it into the plastic mold and let it harden. The fingerprint imprinted on the solidified gelatin fooled the fingerprint detectors about 80% of the time. Nor has the reliability of the other forms of biometric systems been shown to be comparable to or better than that of the fingerprint reader. In particular, biometric systems are not suitable for supporting persons with multiple roles requiring different security levels of authentication on the same system or for the same service, since the same body part cannot be presented as different credentials. According to the CSI/FBI survey, the adoption rate of biometric systems is about 10% and has been flat for the last several years. Therefore most experts generally agree that some form of physical token will be much more widely deployed than biometric systems in most organizations.
Common Forms of Tokens
Key fob; smartcard; random codes generated from an algorithm running on a computer, PDA, smartphone, etc.; and codes pre-printed on a card, etc.
How Do these Tokens Work?
Codes (which can take the form of an ID, an access code, an electronic certificate, etc.) are either statically stored or printed on these tokens, or dynamically generated by a mutually agreed algorithm running on a computer, PDA, smartphone, or the processor inside the token. Some of these codes are made time dependent (i.e., only valid during a certain period or only at the current login time) and/or can only be used once. These codes are either entered manually or read automatically from the tokens by the authentication software and then sent to the authentication server for validation. If the codes sent match those stored on, or those calculated by, the authentication server, then the authentication is successful and access is granted.
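As an added illustration of the dynamically generated, time-dependent, single-use code described above (example code written for this page, not taken from any product or from the original text), the following sketch has the token side and the authentication server run the same HMAC-based algorithm over a shared secret and a clock-derived counter. The secret, the 30-second step, the one-step clock-drift tolerance and the server class are all assumptions chosen for the demonstration; the server rejects a code that does not match any expected value, and also rejects a code whose time step has already been consumed, which is what makes the code usable only once.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret shared by the token and the server (assumption: in a
# real deployment it is provisioned out of band and never shown to the user).
SHARED_SECRET = b"constructed-demo-secret-0123456789"
TIME_STEP = 30        # seconds for which one code stays valid (assumption)
DIGITS = 6            # length of the displayed code (assumption)
ALLOWED_DRIFT = 1     # accept the previous/next step to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Mutually agreed algorithm: HMAC-SHA1 over a counter, dynamically
    truncated to a short decimal code. Token and server both compute this,
    so the server stores only the secret, not a list of codes."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, now: float) -> str:
    """What the token displays: the counter is derived from the clock, so the
    code is only valid during its time step (time-dependent code)."""
    return hotp(secret, int(now) // TIME_STEP)


class AuthServer:
    """Server-side validation of a submitted code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # Time steps already accepted; a code is never honoured twice.
        # (A production server would bound this set, e.g. keep only the last
        # accepted step, since steps only move forward.)
        self.used_steps: set[int] = set()

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // TIME_STEP
        for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
            expected = hotp(self.secret, step)
            # Constant-time comparison so response timing leaks nothing.
            if hmac.compare_digest(expected, submitted):
                if step in self.used_steps:
                    return False      # replay of a code already consumed
                self.used_steps.add(step)
                return True
        return False                   # no match within the accepted window


if __name__ == "__main__":
    now = time.time()
    server = AuthServer(SHARED_SECRET)
    code = token_code(SHARED_SECRET, now)
    print("token shows:", code)
    print("first use accepted:", server.verify(code, now))
    print("second use accepted:", server.verify(code, now))
```

The same counter-keyed "used" set also explains why a code from a long-expired step is refused even without a blacklist: it simply does not match anything the server computes for the current window.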
Summary
Two-factor authentication should be considered for transactions that need high assurance of authentication. However, we should assess the cost, the benefits and the impact on user convenience before implementing it.