SlideShare a Scribd company logo

Access Control

Download as DOCX, PDF
Waseem Hamid Hussain
Waseem Hamid Hussain

The paper along with the powerpoint slide will provide you with an indepth analysis of how access control works.

Data & Analytics
1 of 18
1 Contents Abstract ........................................................................................................................................... 2 Access Control................................................................................................................................ 3 Common Practices for Access Control Methods ........................................................................ 3 Common Control Types for Access Control............................................................................... 3 Biometric Authentication................................................................................................................ 5 Biometric Behavior Associations and Behavior Measures ......................................................... 6 Biometric Controls & Psychological Analysis............................................................................ 6 Physiological Biometric Controls ................................................................................................... 7 i. Fingerprint Recognition....................................................................................................... 7 ii. Retinal Scan ......................................................................................................................... 7 iii. Iris Scan............................................................................................................................ 7 Keystroke & Control Dynamics Analysis................................................................................... 7 Risks of Biometric authentication................................................................................................... 8 Use of Tokens ................................................................................................................................. 9 One-Time Password (OTP) ..................................................................................................... 9 Importance................................................................................................................................... 9 Drawbacks of OTPs .................................................................................................................... 9 Time-Based One Time Password (TOTP)............................................................................. 10 OTP/TOTP Token Considerations............................................................................................ 10 Multi-Factor Authentication ......................................................................................................... 11 Importance................................................................................................................................. 11 MFA Authentication Considerations ........................................................................................ 12 Single Sign-On.............................................................................................................................. 13 Considerations for SSO............................................................................................................. 13 Potential Risks........................................................................................................................... 14 Public Key Infrastructure.............................................................................................................. 15 Risks of PKI .............................................................................................................................. 15 Strategic Planning ......................................................................................................................... 16 References..................................................................................................................................... 18
2 Abstract The digital age has seen a growing use of passwords everywhere, from social media websites to accounts on personal computers, passwords are everywhere to protect our documents and financial institutions. All this makes the growth and adaptation of security controls vital in an organization’s ability to grow and adapt and to be effective. Organizations should adopt suitable controls based on their needs and strategies as each control greatly impacts the organization’s strategies, safety and security.
3 Access Control Access control includes identification, authentication, authorization, and accountability (Kung et al., 2017) and is defined as the process that either denies or grants resources and services to a user in a network. Common Practices for Access Control Methods Some of the best practices for access control over the years include the following:  Should be based on determined roles as well as responsibilities  The principle of least privilege should be followed  They should be reviewed at various intervals and audits should occur  Logging of information Common Control Types for Access Control These methods can broadly be divided into the three following categories: Technical Controls: These include the use of biometrics, access control cards, usernames and passwords, protocols for remote access authentication, access control lists(ACL), account restrictions, encryptions, policy enforcements etc. (Dimov & Tistarelli, 2015) Administrative Controls: These include security awareness trainings, procedures, supervisory structures, personnel control and testing. Physical Controls:
4 These include computer security, perimeter security, guards and trained dogs and mantraps.
5 Biometric Authentication This method verifies users by identifying and measuring an individual’s unique behavioral and physiological features (Dimov et al., 2015). Biometric authentication provides stronger access control than pins and passwords as it cannot be forgotten, lost or shared. Biometric measures maximize between-individual random variances while simultaneously minimizing within-individual variability. The different types of biometric authentication include:  Face recognition  Fingerprint scanning  Iris/retinal scanning  Hand geometry  Vein infrared thermogram  Palm print and gait Another authentication method is voice identification which is to be measured in an ambient setting. Obstacles like auditory eavesdropping and/or manipulation has resulted in it not being used for specific multi factor systems (Kung et al., 2017). But it has been of great use in tending to the needs of the disabled. For example, visually impaired people have problems with authentication processes like Captcha (Dimov et al., 2015) thus being unable to visualize and input character sequences. Voice authentication can be used here to interact in an auditory fashion. Good biometric systems have low false rejection and false acceptance. Failure to comply with this results in bad user experience. Achieving 100% accuracy has been the biggest barrier in the commercialization of this technology. (Kung et al., 2017).
6 Biometric Behavior Associations and Behavior Measures Biometric techniques have proved to be more complex and costly as compared to other methods. They require uniqueness of eyes and fingers for validation. The accepted standards for biometric authentication include a speed of not more than five seconds, an enrolment time of not more than 2 minutes, and a throughput of 6 to 10 per min (Dimov et al., 2015). Biometric Controls & Psychological Analysis False Reject Rate (FRR) – Authorized individuals are erroneously denied access meaning there is a possibility of the system denying access to an individual who has been matched to the template. False Accept Rate – Unauthorized individuals, without a match template are erroneously allowed access. Cross Error Rate – It allows users to compare cross systems and remains the most accurate biometric system (Dimov et al., 2015).
7 Physiological Biometric Controls i. Fingerprint Recognition This cheap, non-intrusive method is used to develop images of ridges, whorls and fingerprint minutia. It can be both static and dynamic. (Kung et al., 2017). But it has the disadvantage of the sensor wearing off, it is affected by swellings and injuries and is prone to deception. (Dimov et al., 2015). ii. Retinal Scan This includes recording unique components in the blood vessels of the retina and identifying patterns on the rear eyeball. But is has the disadvantages of damaging the eye ball due to the laser and the retina patterns may change as a result of heart diseases or diabetes. The subject must remain still and the scanning unit must be directly before the eyes. It has the advantage of great accuracy. iii. Iris Scan Considered the most accurate among all biometric authentication as iris patterns remain constant throughout adulthood and vary between two eyes on an individual (Kung et al., 2017). Keystroke & Control Dynamics Analysis This involves analyzing and recognizing an individual’s unique typing rhythm. It uses flight time and dwell time. Signature Dynamic systems: These use user signatures for reference and recognition. They capture the way the pen is held and the amount of pressure exerted and signing speed. They have the advantage of being non-intrusive but speed wear and changing speed can be a barrier.
8 Risks of Biometric authentication Facial recognition accuracy can vary depending on camera sensitivity, lighting and angle. Accessories like glasses or sunglasses can make the person look different. Temperature or any problem with the finger can affect finger print scans. Apple’s impressive touch ID can been bypassed by the use of latex and accurate sensors (Dimov et al., 2015). Other systems use information like location. Problems with keystroke dynamics is that it may take people different time in case of a keyboard with a different interface, also right-handed people type slower with their left hands and vice versa. The index finger types faster due to its consistent use and instinctive ability. (Dimov et al., 2015).
9 Use of Tokens One-Time Password (OTP) This technology provides maximum security. Users are provided with a list of passwords and use every password in a sequence. Hackers could sniff the passwords from the network, but that technique is generally ineffective. Users authenticate themselves with a pin or token (Alfred, 2016). The users do not have to memorize or choose passwords, the token generates a onetime unique password for each process allowing access to protected resources (Roebuck, 2017). Importance They have been designed to replace session IDs, reducing server load, rationalizing permission management, and offering appropriate tools for supporting a cloud-based or distributed infrastructure. Tokens are generated when the user authenticates themselves (Roebuck, 2017). This process has the advantage of statelessness, the token generated by the server need not be stored anywhere. All user meta data is encoded directly in the token thus any user can be authenticated by nay machine and no sessions are required. This also has the advantage of scalability (Alfred, 2016). Using tokens for mobile application authentication allows users to easily control what APIs can access their devices. They are easier than cookies when deployed on Android or iOS and require no extra effort from the development team. Drawbacks of OTPs SMS OTPs involve sending the OTP to a phone number configured to the website. This has the disadvantage of trust, users will have to deal with the malware through the SMS as encryption on cellular networks is weak (Alfred, 2016). OTP can be inconvenient as the user has to copy the OTP from the device that received it to the login form (Roebuck, 2017). The copied
10 OTP has to be short printable hindering flexibility and resulting in diminished security (Alfred, 2016). Time-Based One Time Password (TOTP) This method consistently generates new passwords in a given time interval. The tokens and the server use this time to produce authentication numbers which are used by the user during login. Similar algorithms are used at the user and server side. The server and tokens generate OTP for a fixed time. OTP/TOTP Token Considerations The following should be considered when implementing OTP tokens:  Token are required for every user thus require more investment.  Users need to carry the token with them at all times as they won’t be allowed to access the system otherwise.  Users cannot use the system for a long time without the token.  Connections can be vulnerable to sniffing as once the original connection is authenticated all connectors are assumed to be authenticated (Alfred, 2016).  Users need to ensure the safety of their tokens.  Security tokens may not be compatible with all severs or applications.
11 Multi-Factor Authentication MFA also known as two step authentication is an authentication username, password, and additional authentication such as personal information or a physical token. It guarantees that the users are who they are (Stanislav, 2015). It requires that users identify themselves by presenting a minimum of 2-pieces of evidence through three major categories. If one factor is affected by a hacker it’s impact on other steps is minimal thus providing greater security (Sampson, 2015). Users’ choice of weak passwords make it easier for hackers (Dasgupta, Roy & Nag, 2017). MFA provides layers of protection to the user by preventing a ripple effect (Sampson, 2015). Some recognized MFA methods include pop-up notification or verification via text from mobile phone, inserting a card, and typing in unique codes created by a physical token (Stanislav, 2015). Some companies employ a MFA for every user this along with SSO makes it very secure and completely eliminates the need for passwords (Sampson, 2015). Importance MFA offers good end user experience and robust security. For example, an organization might need higher level of reassurance while accessing a human resource applications, banks permit clients to log into their account with their password and username, but a second authentication is required prior to any transactions, retailers can use MFA in case a vendor logs into its portal from a new system to ensure it is not a hacker attempting to gain access with a password that has been stolen (Stanislav, 2015). This type of MFA is referred to as contextual, risk-based, or adaptive MFA. It has the advantage of increasing the system’s security when needed (Dasgupta et al., 2017). Thus balancing convenience and security. Due to the magnitude of loss in case of violation MFA requires additional proof. If contextual MFA is used security maybe achieved without giving up usability (Sampson, 2015).
12 MFA Authentication Considerations  Users are locked out of their accounts in case of a single mistake.  Though used to keep hackers away, hackers can create their own two step authentication to keep users locked out.
13 Single Sign-On Users can identify themselves to servers only once through this method (Miller, 2015). Users can login multiple times with a single password but compromise in a single authentication can compromise all available resources. Considerations for SSO The following should be considered when implementing SSO.  Since one authentication regulates access to resources this process should be secure.  Smart cards and tokens maybe used to strengthen the authentication process.  Password policies need to be enforced implementing minimum password length, complexity of password, minimum time for renewal, and maximum frequency of attempts.  Encryption to protect against sniffing should be used. Logins should be used to detect suspicious login attempts.  Authentication servers must be used. SSO protocols often share session information, but a central domain exists, by which authentication is executed, and sessions are shared with some domains in certain manners (Dasgupta et al., 2017). For instance, a central domain can generate a signed JSON Web Token that is encrypted with JWE. This token can be passed to the customer and applied by the authentication domain. The token may be redirected and consists of all the data necessary to authenticate the user. Since the tokens are signed, the client cannot modify it (Miller, 2015). Users are redirected to the authentication domain every time authentication is required. Since the
14 users have already logged in, they can instantly redirect to the original domain through the authentication token. Potential Risks  Authentication and privacy keys are a security concern.  If the SSO server is unavailable the users cannot access any site.  SSO is not suitable for multi-user computers if they remain logged at all times.  They lack back up and better authentication.  If the password is weak it is easy to identify and hack accounts, once hacked all accounts will be compromised.
15 Public Key Infrastructure PKI is defined as a technology that uses mathematical processes and algorithms to facilitate secure transactions using data integrity, data confidentiality, and authentication by Kim (2016). PKI uses certificates, developed by a trusted certificate authority to prove an individual’s identity. The user is authenticated by the certificate authority’s private key. This certificate can be used for authentication to access many applications that check the identity through the digital signature from the CA. (Schmeh, 2016). PKI is valuable to applications that require no pre- registration like online transactions. Users only require a certificate from the certificate authority (Kim, 2016). Risks of PKI There is no governing body to enforce the standards of PKI (Schmeh, 2016). CAs are trusted third parties but limitations in security procedures over the years has resulted in less trust in PKI as any compromise in CA can expose the entire PKI security to risks (Kim, 2016).
16 Strategic Planning Strategic operations define an organization’s strategy or direction and the decisions it takes and the resources it allocates to pursue that strategy. Organizations need to keep in mind the following:  What the organization is currently doing  Who they are doing it for  How will they excel going forward Strategic decisions keep in view the next three to five years and consider any potential mishaps. These mishaps may also include untapped opportunities. These decisions are affected by factors that may be out of the organization’s control, e.g. wars, geopolitical shocks etc. Organizations’ strategies should also address how they intend to sustain their operations and provide quality products or services to their customers while including capabilities for future innovations. Strategic planning involves the following steps: Clarifying mission and vision statements This involves identifying and clarifying the company’s mission, vision, corporate values, culture and most importantly why the company exits and what success looks like to the company. Identifying current and future market position
17 This involves gathering data on internal strengths, weaknesses, external threat and external opportunities so the organization can develop an understanding of all the critical issues and deal with them accordingly. Prioritizing Creating priorities that need to be addressed and form strategies in dealing with those issues. It is the culmination of proper security controls, the understanding of the need for an organization’s assets to remain secure, and various strategic decisions that allow for an organization to properly plan for their long-term success. It is part of the constant struggle to create balance between security, accessibility, and strategic vision. Each of these acts as the driving force to enable the next, sparking creativity and hopefully, long-term success.
18 References Alfred, A. (2016). Node.js: Token-Based Authentication Part 3. Defining Routes and Implementing Token-Based Authentication. Dasgupta, D., Roy, A., & Nag, A. (January 01, 2017). Multi-Factor Authentication: More secure approach towards authenticating individuals. Dimov, D., & In Tistarelli, M. (2015). Biometric Authentication. Cham (Alemania: Springer. Kim, D. (2016). Access control, authentication, and public key infrastructure: Laboratory manual to accompany. Kung, S. Y., Mak, M.-W., & Lin, S.-H. (2017). Biometric authentication: A machine learning approach. Upper Saddle River: Prentice Hall. Miller, W. (2015). Foundations of iOS Security: Working with Single Sign-on Authentication. Roebuck, K. (2017). Security Tokens: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors. Dayboro: Emereo Pub. Schmeh, K. (2016). Cryptography and Public Key Infrastructure on the Internet. New York, NY: John Wiley & Sons. Sampson, A. (2015). Architecting Microsoft Azure Solutions: Multi-factor Authentication Overview. Stanislav, M. (2015). Two-factor authentication. Ely, Cambridgeshire, United Kingdom: It Governance Publishing.

Recommended

Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)Bhargav Amin
 
Biometric Security Systems ppt
Biometric Security Systems pptBiometric Security Systems ppt
Biometric Security Systems pptOECLIB Odisha Electronics Control Library
 
Biometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningBiometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningAnkit Gupta
 
Biometric security tech
Biometric security techBiometric security tech
Biometric security techmmubashirkhan
 
Defending Biometric Security
Defending Biometric SecurityDefending Biometric Security
Defending Biometric SecurityNed Hayes
 
Using (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality OnlineUsing (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality Onlines-mueller
 
Biometric security
Biometric securityBiometric security
Biometric securityTanner Stuewe
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical BiometricJorge Sebastiao
 

Recommended

Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)Bhargav Amin
 
Biometric Security Systems ppt
Biometric Security Systems pptBiometric Security Systems ppt
Biometric Security Systems pptOECLIB Odisha Electronics Control Library
 
Biometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningBiometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningAnkit Gupta
 
Biometric security tech
Biometric security techBiometric security tech
Biometric security techmmubashirkhan
 
Defending Biometric Security
Defending Biometric SecurityDefending Biometric Security
Defending Biometric SecurityNed Hayes
 
Using (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality OnlineUsing (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality Onlines-mueller
 
Biometric security
Biometric securityBiometric security
Biometric securityTanner Stuewe
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical BiometricJorge Sebastiao
 
Biometric Systems
Biometric SystemsBiometric Systems
Biometric SystemsSn Moddho
 
IRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC MicrocontrollerIRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC MicrocontrollerIRJET Journal
 
Biometrics Technology In the 21st Century
Biometrics Technology In the 21st CenturyBiometrics Technology In the 21st Century
Biometrics Technology In the 21st CenturyStar Link Communication Pvt Ltd
 
Biometrics
BiometricsBiometrics
BiometricsAlan Leewllyn Bivera
 
Biometric
Biometric Biometric
Biometric Vinay Gupta
 
Biometric
Biometric Biometric
Biometric Pratish Sardar
 
biometrics and cyber security
biometrics and cyber securitybiometrics and cyber security
biometrics and cyber securityKarthiga Manisekaran
 
Biometric security system
Biometric security systemBiometric security system
Biometric security systemMithun Paul
 
Biometrics For Security Systems
Biometrics For Security SystemsBiometrics For Security Systems
Biometrics For Security SystemsSuhas Deshpande
 
Presentation Fingervein Authentication
Presentation Fingervein AuthenticationPresentation Fingervein Authentication
Presentation Fingervein AuthenticationANEESH SASIDHARAN
 
“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”iosrjce
 
Biometrics Starts
Biometrics StartsBiometrics Starts
Biometrics StartsYUSRA FERNANDO
 
Biometrics techniques
Biometrics techniquesBiometrics techniques
Biometrics techniquesjackofhearty1
 
Biometric Systems and Security
Biometric Systems and SecurityBiometric Systems and Security
Biometric Systems and SecurityShreyans Jain
 
IRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATMIRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATMIJTET Journal
 
Biometric slideshare
Biometric slideshareBiometric slideshare
Biometric slideshareprachi
 
Biometric security Presentation
Biometric security PresentationBiometric security Presentation
Biometric security PresentationPrabh Jeet
 
Biometrics research paper
Biometrics research paperBiometrics research paper
Biometrics research paperdesire120
 
4.report (biometric security system)
4.report (biometric security system)4.report (biometric security system)
4.report (biometric security system)JIEMS Akkalkuwa
 
Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)Mumbai Academisc
 
Poster on biometrics
Poster on biometricsPoster on biometrics
Poster on biometricsShiva Krishna Chandra Shekar
 
Ranjith_Bm
Ranjith_BmRanjith_Bm
Ranjith_Bmbranjith
 

More Related Content

What's hot

Biometric Systems
Biometric SystemsBiometric Systems
Biometric SystemsSn Moddho
 
IRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC MicrocontrollerIRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC MicrocontrollerIRJET Journal
 
Biometric security system
Biometric security systemBiometric security system
Biometric security systemMithun Paul
 
Biometrics For Security Systems
Biometrics For Security SystemsBiometrics For Security Systems
Biometrics For Security SystemsSuhas Deshpande
 
Presentation Fingervein Authentication
Presentation Fingervein AuthenticationPresentation Fingervein Authentication
Presentation Fingervein AuthenticationANEESH SASIDHARAN
 
“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”iosrjce
 
Biometrics techniques
Biometrics techniquesBiometrics techniques
Biometrics techniquesjackofhearty1
 
Biometric Systems and Security
Biometric Systems and SecurityBiometric Systems and Security
Biometric Systems and SecurityShreyans Jain
 
IRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATMIRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATMIJTET Journal
 
Biometric slideshare
Biometric slideshareBiometric slideshare
Biometric slideshareprachi
 
Biometric security Presentation
Biometric security PresentationBiometric security Presentation
Biometric security PresentationPrabh Jeet
 
Biometrics research paper
Biometrics research paperBiometrics research paper
Biometrics research paperdesire120
 
4.report (biometric security system)
4.report (biometric security system)4.report (biometric security system)
4.report (biometric security system)JIEMS Akkalkuwa
 
Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)Mumbai Academisc
 

What's hot (20)

Biometric Systems
Biometric SystemsBiometric Systems
Biometric Systems
 
IRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC MicrocontrollerIRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
IRJET- Secure Vault System using Iris Biometrics and PIC Microcontroller
 
Biometrics Technology In the 21st Century
Biometrics Technology In the 21st CenturyBiometrics Technology In the 21st Century
Biometrics Technology In the 21st Century
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometric
Biometric Biometric
Biometric
 
Biometric
Biometric Biometric
Biometric
 
biometrics and cyber security
biometrics and cyber securitybiometrics and cyber security
biometrics and cyber security
 
Biometric security system
Biometric security systemBiometric security system
Biometric security system
 
Biometrics For Security Systems
Biometrics For Security SystemsBiometrics For Security Systems
Biometrics For Security Systems
 
Presentation Fingervein Authentication
Presentation Fingervein AuthenticationPresentation Fingervein Authentication
Presentation Fingervein Authentication
 
“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”“Enhancing Iris Scanning Using Visual Cryptography”
“Enhancing Iris Scanning Using Visual Cryptography”
 
Biometrics Starts
Biometrics StartsBiometrics Starts
Biometrics Starts
 
Biometrics techniques
Biometrics techniquesBiometrics techniques
Biometrics techniques
 
Biometric Systems and Security
Biometric Systems and SecurityBiometric Systems and Security
Biometric Systems and Security
 
IRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATMIRIS Recognition Based Authentication System In ATM
IRIS Recognition Based Authentication System In ATM
 
Biometric slideshare
Biometric slideshareBiometric slideshare
Biometric slideshare
 
Biometric security Presentation
Biometric security PresentationBiometric security Presentation
Biometric security Presentation
 
Biometrics research paper
Biometrics research paperBiometrics research paper
Biometrics research paper
 
4.report (biometric security system)
4.report (biometric security system)4.report (biometric security system)
4.report (biometric security system)
 
Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)Personal authentication using 3 d finger geometry (synopsis)
Personal authentication using 3 d finger geometry (synopsis)
 

Similar to Access Control

Ranjith_Bm
Ranjith_BmRanjith_Bm
Ranjith_Bmbranjith
 
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...IJCSEIT Journal
 
Biometrics Presentation By Sachin Yadav (S/W Engineer)
Biometrics Presentation By Sachin Yadav (S/W Engineer)Biometrics Presentation By Sachin Yadav (S/W Engineer)
Biometrics Presentation By Sachin Yadav (S/W Engineer)sachin yadav
 
Biometric Security advantages and disadvantages
Biometric Security advantages and disadvantagesBiometric Security advantages and disadvantages
Biometric Security advantages and disadvantagesPrabh Jeet
 
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintFingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintSonuSawant
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
A Comparison Based Study on Biometrics for Human Recognition
A Comparison Based Study on Biometrics for Human RecognitionA Comparison Based Study on Biometrics for Human Recognition
A Comparison Based Study on Biometrics for Human RecognitionIOSR Journals
 
Fingerprint detection
Fingerprint detectionFingerprint detection
Fingerprint detectionMudit Mishra
 

Similar to Access Control (20)

Poster on biometrics
Poster on biometricsPoster on biometrics
Poster on biometrics
 
Ranjith_Bm
Ranjith_BmRanjith_Bm
Ranjith_Bm
 
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...
BIOMETRICS AUTHENTICATION TECHNIQUE FOR INTRUSION DETECTION SYSTEMS USING FIN...
 
Biometrics Presentation By Sachin Yadav (S/W Engineer)
Biometrics Presentation By Sachin Yadav (S/W Engineer)Biometrics Presentation By Sachin Yadav (S/W Engineer)
Biometrics Presentation By Sachin Yadav (S/W Engineer)
 
Biometric Security advantages and disadvantages
Biometric Security advantages and disadvantagesBiometric Security advantages and disadvantages
Biometric Security advantages and disadvantages
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometrics
BiometricsBiometrics
Biometrics
 
Iris scanning
Iris scanningIris scanning
Iris scanning
 
Biometrics for e-voting
Biometrics for e-votingBiometrics for e-voting
Biometrics for e-voting
 
Biometric technology
Biometric technologyBiometric technology
Biometric technology
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometrics
BiometricsBiometrics
Biometrics
 
Bio metrics
Bio metricsBio metrics
Bio metrics
 
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card FingerprintFingerprint Authentication Using Biometric And Aadhar Card Fingerprint
Fingerprint Authentication Using Biometric And Aadhar Card Fingerprint
 
International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)International Journal of Engineering Research and Development (IJERD)
International Journal of Engineering Research and Development (IJERD)
 
E0364024030
E0364024030E0364024030
E0364024030
 
A Comparison Based Study on Biometrics for Human Recognition
A Comparison Based Study on Biometrics for Human RecognitionA Comparison Based Study on Biometrics for Human Recognition
A Comparison Based Study on Biometrics for Human Recognition
 
Fingerprint detection
Fingerprint detectionFingerprint detection
Fingerprint detection
 
kiran's slide info
kiran's slide infokiran's slide info
kiran's slide info
 
Fingerprint Based Biometric ATM Authentication System
Fingerprint Based Biometric ATM Authentication SystemFingerprint Based Biometric ATM Authentication System
Fingerprint Based Biometric ATM Authentication System
 

Recently uploaded

Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Valters Lauzums
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfMarinCaroMartnezBerg
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...amitlee9823
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...amitlee9823
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...SUHANI PANDEY
 

Recently uploaded (20)

Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
Call Girls Hsr Layout Just Call 👗 7737669865 👗 Top Class Call Girl Service Ba...
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
 
Predicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science ProjectPredicting Loan Approval: A Data Science Project
Predicting Loan Approval: A Data Science Project
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
Escorts Service Kumaraswamy Layout ☎ 7737669865☎ Book Your One night Stand (B...
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 

Access Control

  • 1. 1 Contents Abstract ........................................................................................................................................... 2 Access Control................................................................................................................................ 3 Common Practices for Access Control Methods ........................................................................ 3 Common Control Types for Access Control............................................................................... 3 Biometric Authentication................................................................................................................ 5 Biometric Behavior Associations and Behavior Measures ......................................................... 6 Biometric Controls & Psychological Analysis............................................................................ 6 Physiological Biometric Controls ................................................................................................... 7 i. Fingerprint Recognition....................................................................................................... 7 ii. Retinal Scan ......................................................................................................................... 7 iii. Iris Scan............................................................................................................................ 7 Keystroke & Control Dynamics Analysis................................................................................... 7 Risks of Biometric authentication................................................................................................... 8 Use of Tokens ................................................................................................................................. 9 One-Time Password (OTP) ..................................................................................................... 9 Importance................................................................................................................................... 9 Drawbacks of OTPs .................................................................................................................... 9 Time-Based One Time Password (TOTP)............................................................................. 10 OTP/TOTP Token Considerations............................................................................................ 10 Multi-Factor Authentication ......................................................................................................... 11 Importance................................................................................................................................. 11 MFA Authentication Considerations ........................................................................................ 12 Single Sign-On.............................................................................................................................. 13 Considerations for SSO............................................................................................................. 13 Potential Risks........................................................................................................................... 14 Public Key Infrastructure.............................................................................................................. 15 Risks of PKI .............................................................................................................................. 15 Strategic Planning ......................................................................................................................... 16 References..................................................................................................................................... 18
  • 2. 2 Abstract The digital age has seen a growing use of passwords everywhere, from social media websites to accounts on personal computers, passwords are everywhere to protect our documents and financial institutions. All this makes the growth and adaptation of security controls vital in an organization’s ability to grow and adapt and to be effective. Organizations should adopt suitable controls based on their needs and strategies as each control greatly impacts the organization’s strategies, safety and security.
  • 3. 3 Access Control Access control includes identification, authentication, authorization, and accountability (Kung et al., 2017) and is defined as the process that either denies or grants resources and services to a user in a network. Common Practices for Access Control Methods Some of the best practices for access control over the years include the following:  Should be based on determined roles as well as responsibilities  The principle of least privilege should be followed  They should be reviewed at various intervals and audits should occur  Logging of information Common Control Types for Access Control These methods can broadly be divided into the three following categories: Technical Controls: These include the use of biometrics, access control cards, usernames and passwords, protocols for remote access authentication, access control lists(ACL), account restrictions, encryptions, policy enforcements etc. (Dimov & Tistarelli, 2015) Administrative Controls: These include security awareness trainings, procedures, supervisory structures, personnel control and testing. Physical Controls:
  • 4. 4 These include computer security, perimeter security, guards and trained dogs and mantraps.
  • 5. 5 Biometric Authentication This method verifies users by identifying and measuring an individual’s unique behavioral and physiological features (Dimov et al., 2015). Biometric authentication provides stronger access control than pins and passwords as it cannot be forgotten, lost or shared. Biometric measures maximize between-individual random variances while simultaneously minimizing within-individual variability. The different types of biometric authentication include:  Face recognition  Fingerprint scanning  Iris/retinal scanning  Hand geometry  Vein infrared thermogram  Palm print and gait Another authentication method is voice identification which is to be measured in an ambient setting. Obstacles like auditory eavesdropping and/or manipulation has resulted in it not being used for specific multi factor systems (Kung et al., 2017). But it has been of great use in tending to the needs of the disabled. For example, visually impaired people have problems with authentication processes like Captcha (Dimov et al., 2015) thus being unable to visualize and input character sequences. Voice authentication can be used here to interact in an auditory fashion. Good biometric systems have low false rejection and false acceptance. Failure to comply with this results in bad user experience. Achieving 100% accuracy has been the biggest barrier in the commercialization of this technology. (Kung et al., 2017).
  • 6. 6 Biometric Behavior Associations and Behavior Measures Biometric techniques have proved to be more complex and costly as compared to other methods. They require uniqueness of eyes and fingers for validation. The accepted standards for biometric authentication include a speed of not more than five seconds, an enrolment time of not more than 2 minutes, and a throughput of 6 to 10 per min (Dimov et al., 2015). Biometric Controls & Psychological Analysis False Reject Rate (FRR) – Authorized individuals are erroneously denied access meaning there is a possibility of the system denying access to an individual who has been matched to the template. False Accept Rate – Unauthorized individuals, without a match template are erroneously allowed access. Cross Error Rate – It allows users to compare cross systems and remains the most accurate biometric system (Dimov et al., 2015).
  • 7. 7 Physiological Biometric Controls i. Fingerprint Recognition This cheap, non-intrusive method is used to develop images of ridges, whorls and fingerprint minutia. It can be both static and dynamic. (Kung et al., 2017). But it has the disadvantage of the sensor wearing off, it is affected by swellings and injuries and is prone to deception. (Dimov et al., 2015). ii. Retinal Scan This includes recording unique components in the blood vessels of the retina and identifying patterns on the rear eyeball. But is has the disadvantages of damaging the eye ball due to the laser and the retina patterns may change as a result of heart diseases or diabetes. The subject must remain still and the scanning unit must be directly before the eyes. It has the advantage of great accuracy. iii. Iris Scan Considered the most accurate among all biometric authentication as iris patterns remain constant throughout adulthood and vary between two eyes on an individual (Kung et al., 2017). Keystroke & Control Dynamics Analysis This involves analyzing and recognizing an individual’s unique typing rhythm. It uses flight time and dwell time. Signature Dynamic systems: These use user signatures for reference and recognition. They capture the way the pen is held and the amount of pressure exerted and signing speed. They have the advantage of being non-intrusive but speed wear and changing speed can be a barrier.
  • 8. 8 Risks of Biometric authentication Facial recognition accuracy can vary depending on camera sensitivity, lighting and angle. Accessories like glasses or sunglasses can make the person look different. Temperature or any problem with the finger can affect finger print scans. Apple’s impressive touch ID can been bypassed by the use of latex and accurate sensors (Dimov et al., 2015). Other systems use information like location. Problems with keystroke dynamics is that it may take people different time in case of a keyboard with a different interface, also right-handed people type slower with their left hands and vice versa. The index finger types faster due to its consistent use and instinctive ability. (Dimov et al., 2015).
  • 9. 9 Use of Tokens One-Time Password (OTP) This technology provides maximum security. Users are provided with a list of passwords and use every password in a sequence. Hackers could sniff the passwords from the network, but that technique is generally ineffective. Users authenticate themselves with a pin or token (Alfred, 2016). The users do not have to memorize or choose passwords, the token generates a onetime unique password for each process allowing access to protected resources (Roebuck, 2017). Importance They have been designed to replace session IDs, reducing server load, rationalizing permission management, and offering appropriate tools for supporting a cloud-based or distributed infrastructure. Tokens are generated when the user authenticates themselves (Roebuck, 2017). This process has the advantage of statelessness, the token generated by the server need not be stored anywhere. All user meta data is encoded directly in the token thus any user can be authenticated by nay machine and no sessions are required. This also has the advantage of scalability (Alfred, 2016). Using tokens for mobile application authentication allows users to easily control what APIs can access their devices. They are easier than cookies when deployed on Android or iOS and require no extra effort from the development team. Drawbacks of OTPs SMS OTPs involve sending the OTP to a phone number configured to the website. This has the disadvantage of trust, users will have to deal with the malware through the SMS as encryption on cellular networks is weak (Alfred, 2016). OTP can be inconvenient as the user has to copy the OTP from the device that received it to the login form (Roebuck, 2017). The copied
  • 10. 10 OTP has to be short printable hindering flexibility and resulting in diminished security (Alfred, 2016). Time-Based One Time Password (TOTP) This method consistently generates new passwords in a given time interval. The tokens and the server use this time to produce authentication numbers which are used by the user during login. Similar algorithms are used at the user and server side. The server and tokens generate OTP for a fixed time. OTP/TOTP Token Considerations The following should be considered when implementing OTP tokens:  Token are required for every user thus require more investment.  Users need to carry the token with them at all times as they won’t be allowed to access the system otherwise.  Users cannot use the system for a long time without the token.  Connections can be vulnerable to sniffing as once the original connection is authenticated all connectors are assumed to be authenticated (Alfred, 2016).  Users need to ensure the safety of their tokens.  Security tokens may not be compatible with all severs or applications.
  • 11. 11 Multi-Factor Authentication MFA also known as two step authentication is an authentication username, password, and additional authentication such as personal information or a physical token. It guarantees that the users are who they are (Stanislav, 2015). It requires that users identify themselves by presenting a minimum of 2-pieces of evidence through three major categories. If one factor is affected by a hacker it’s impact on other steps is minimal thus providing greater security (Sampson, 2015). Users’ choice of weak passwords make it easier for hackers (Dasgupta, Roy & Nag, 2017). MFA provides layers of protection to the user by preventing a ripple effect (Sampson, 2015). Some recognized MFA methods include pop-up notification or verification via text from mobile phone, inserting a card, and typing in unique codes created by a physical token (Stanislav, 2015). Some companies employ a MFA for every user this along with SSO makes it very secure and completely eliminates the need for passwords (Sampson, 2015). Importance MFA offers good end user experience and robust security. For example, an organization might need higher level of reassurance while accessing a human resource applications, banks permit clients to log into their account with their password and username, but a second authentication is required prior to any transactions, retailers can use MFA in case a vendor logs into its portal from a new system to ensure it is not a hacker attempting to gain access with a password that has been stolen (Stanislav, 2015). This type of MFA is referred to as contextual, risk-based, or adaptive MFA. It has the advantage of increasing the system’s security when needed (Dasgupta et al., 2017). Thus balancing convenience and security. Due to the magnitude of loss in case of violation MFA requires additional proof. If contextual MFA is used security maybe achieved without giving up usability (Sampson, 2015).
  • 12. 12 MFA Authentication Considerations  Users are locked out of their accounts in case of a single mistake.  Though used to keep hackers away, hackers can create their own two step authentication to keep users locked out.
  • 13. 13 Single Sign-On Users can identify themselves to servers only once through this method (Miller, 2015). Users can login multiple times with a single password but compromise in a single authentication can compromise all available resources. Considerations for SSO The following should be considered when implementing SSO.  Since one authentication regulates access to resources this process should be secure.  Smart cards and tokens maybe used to strengthen the authentication process.  Password policies need to be enforced implementing minimum password length, complexity of password, minimum time for renewal, and maximum frequency of attempts.  Encryption to protect against sniffing should be used. Logins should be used to detect suspicious login attempts.  Authentication servers must be used. SSO protocols often share session information, but a central domain exists, by which authentication is executed, and sessions are shared with some domains in certain manners (Dasgupta et al., 2017). For instance, a central domain can generate a signed JSON Web Token that is encrypted with JWE. This token can be passed to the customer and applied by the authentication domain. The token may be redirected and consists of all the data necessary to authenticate the user. Since the tokens are signed, the client cannot modify it (Miller, 2015). Users are redirected to the authentication domain every time authentication is required. Since the
  • 14. 14 users have already logged in, they can instantly redirect to the original domain through the authentication token. Potential Risks  Authentication and privacy keys are a security concern.  If the SSO server is unavailable the users cannot access any site.  SSO is not suitable for multi-user computers if they remain logged at all times.  They lack back up and better authentication.  If the password is weak it is easy to identify and hack accounts, once hacked all accounts will be compromised.
  • 15. 15 Public Key Infrastructure PKI is defined as a technology that uses mathematical processes and algorithms to facilitate secure transactions using data integrity, data confidentiality, and authentication by Kim (2016). PKI uses certificates, developed by a trusted certificate authority to prove an individual’s identity. The user is authenticated by the certificate authority’s private key. This certificate can be used for authentication to access many applications that check the identity through the digital signature from the CA. (Schmeh, 2016). PKI is valuable to applications that require no pre- registration like online transactions. Users only require a certificate from the certificate authority (Kim, 2016). Risks of PKI There is no governing body to enforce the standards of PKI (Schmeh, 2016). CAs are trusted third parties but limitations in security procedures over the years has resulted in less trust in PKI as any compromise in CA can expose the entire PKI security to risks (Kim, 2016).
  • 16. 16 Strategic Planning Strategic operations define an organization’s strategy or direction and the decisions it takes and the resources it allocates to pursue that strategy. Organizations need to keep in mind the following:  What the organization is currently doing  Who they are doing it for  How will they excel going forward Strategic decisions keep in view the next three to five years and consider any potential mishaps. These mishaps may also include untapped opportunities. These decisions are affected by factors that may be out of the organization’s control, e.g. wars, geopolitical shocks etc. Organizations’ strategies should also address how they intend to sustain their operations and provide quality products or services to their customers while including capabilities for future innovations. Strategic planning involves the following steps: Clarifying mission and vision statements This involves identifying and clarifying the company’s mission, vision, corporate values, culture and most importantly why the company exits and what success looks like to the company. Identifying current and future market position
  • 17. 17 This involves gathering data on internal strengths, weaknesses, external threat and external opportunities so the organization can develop an understanding of all the critical issues and deal with them accordingly. Prioritizing Creating priorities that need to be addressed and form strategies in dealing with those issues. It is the culmination of proper security controls, the understanding of the need for an organization’s assets to remain secure, and various strategic decisions that allow for an organization to properly plan for their long-term success. It is part of the constant struggle to create balance between security, accessibility, and strategic vision. Each of these acts as the driving force to enable the next, sparking creativity and hopefully, long-term success.
  • 18. 18 References Alfred, A. (2016). Node.js: Token-Based Authentication Part 3. Defining Routes and Implementing Token-Based Authentication. Dasgupta, D., Roy, A., & Nag, A. (January 01, 2017). Multi-Factor Authentication: More secure approach towards authenticating individuals. Dimov, D., & In Tistarelli, M. (2015). Biometric Authentication. Cham (Alemania: Springer. Kim, D. (2016). Access control, authentication, and public key infrastructure: Laboratory manual to accompany. Kung, S. Y., Mak, M.-W., & Lin, S.-H. (2017). Biometric authentication: A machine learning approach. Upper Saddle River: Prentice Hall. Miller, W. (2015). Foundations of iOS Security: Working with Single Sign-on Authentication. Roebuck, K. (2017). Security Tokens: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors. Dayboro: Emereo Pub. Schmeh, K. (2016). Cryptography and Public Key Infrastructure on the Internet. New York, NY: John Wiley & Sons. Sampson, A. (2015). Architecting Microsoft Azure Solutions: Multi-factor Authentication Overview. Stanislav, M. (2015). Two-factor authentication. Ely, Cambridgeshire, United Kingdom: It Governance Publishing.