More and more companies are turning to strong authentication, because security can no longer be guaranteed by a simple password: an attacker can obtain one easily enough, whether through social engineering, keylogging, brute-force cracking or rainbow tables.

What is called strong authentication is the combination of two authentication factors chosen from these three:

  • What I know: the password belongs to this category;
  • What I have: a smart card, a magnetic stripe card, an RFID badge or a USB token;
  • What I am: biometrics, such as a fingerprint, the iris or the palm of the hand.

So a strong authentication mechanism must combine two of these factors. A combination often encountered is a smart card or USB token (holding the data that identifies the user, usually an X.509 certificate) together with a PIN code that unlocks it ("What I have" + "What I know").

However, biometrics, and fingerprints in particular, is appearing more and more in the chain, replacing the PIN used to unlock the smart card ("What I have" + "What I am"). Compared with a password, biometrics has several advantages:

  • the user does not need to remember a complex password;
  • a user's fingerprint is harder to steal than a password.

The user feels much more secure, and gains some ease of use into the bargain. But is the user really better protected?

First, it has been demonstrated that a fingerprint left on an object such as a glass can easily be reconstructed and used to spoof a simple fingerprint reader.

Second, the use of biometrics in France is regulated by the CNIL. For access control by fingerprint, the CNIL requires that a user's biometric data not be centralised in a database; in our case it must therefore be stored on the smart card. This constraint then creates a problem when implementing the strong authentication software.

When strong authentication is based on a smart card / PIN pair, it may be tempting, for the users' convenience, to add the ability to unlock the smart card with their fingerprint. The biometric comparison is then performed by the application that manages authentication, on the user's host. This implementation raises the following issues:

  • the user's biometric data must be readable by anyone from the smart card (so that the program can fetch it for comparison). It may of course be encrypted, but then the application holds the key to decrypt it;
  • once the user has been identified, the application must send the card the information (e.g. the PIN) that unlocks its contents and thus authenticates the user. The application therefore has to know that information, and it naturally ends up stored on the smart card as well, readable by anyone (encrypted, again, with a key the application holds).

Adding biometrics in this way actually lowers the security of the system: possession of the smart card alone is enough to retrieve the unlocking secret (often the PIN, once the application's cryptographic key has been recovered, and that key has to be present on every host running the application) and then to authenticate, without ever presenting a fingerprint.

A secure way to implement this type of strong authentication (biometrics + smart card) is Match On Card technology, in which the fingerprint is verified directly inside the chip. The reference fingerprint never has to leave the card, no readable unlocking secret has to be stored on it, and it is the card itself that releases the authentication certificate for use, only if the fingerprint presented matches the one enrolled.

Biometrics is an interesting technology for managing authentication, with its own advantages and limits, but as always, everything depends on the implementation.