"Think Authentication Corporation, DBA Think Security®, was founded in 2003.
Think Security® has set out to solve the true problem of fraud: the inability to verify the presence of the authorized person prior to permitting access to
sensitive data or performing transactions in a cost-effective way."
Source: Think Security
Password Fortification for Cost-Effective Person-Present Authentication
Abstract
The Internet is having an identity crisis. Long regarded as a powerful tool for cost
reduction and service enhancement, the internet is falling short of its promise because of
the real and perceived threat of identity theft. Financial losses and insurance costs are
mounting, as organizations struggle to protect their information perimeters and improve
the strength of their authentication systems to ensure that the authorized user is present
during the sign-in process. The widespread use and misuse of passwords as authentication
tokens is generally cited as a cause of the accelerating erosion of user confidence and the
increasing incidence of identity theft. Passwords, it is generally agreed, are not enough.
Much has been lost, however, in the race toward person-present authentication systems.
While the application of passwords is fraught with risk, the introduction of complex
authentication infrastructures and cumbersome end-user technology has eroded usability
and increased the cost of security dramatically.
This paper describes a new authentication approach that retains the simplicity and low
cost of passwords, while gracefully introducing as much person-present assurance as is
required by the application.
Wetmetrics is a powerful application of psychometric models of human memory to
achieve unprecedented levels of identity protection through arbitrarily strong
authentication, without giving up the economy and convenience associated with simple
passwords.
Easily and quickly integrated into any existing password-authenticated application,
Wetmetrics solutions are scalable, cost-effective and minimally intrusive.
Table of Contents
- Introduction: Identification and Authentication
- The Product: Technical Overview
- How Secure is THINK IN! ?
- Scalable Security Levels
- Simple Low Impact Integration
- Enhanced System Reporting
- High Availability Robust Backend
- Simple User Administration
- Privacy of Information
- Background
- The Problems with Passwords
- Problem 1: Short Passwords
- Problem 2: Constancy in Password Selection
- Problem 3: Secrecy of Passwords
- Problem 4: Lack of Entropy in Passwords
- Susceptibility to attacks
- Wetmetrics as Cryptography
- Other Approaches to Authentication
- Wetmetrics
- Summary
Introduction: Identification and Authentication
Authenticating the user of a computer system is the process of determining that the user
is who they claim to be. Secret codes have been used for authentication since the birth of
written language. A password is the traditional secret code used to separate those who
belong "inside" from those who must remain "outside" the castle walls, or the secret
society. While many methods of authentication have been developed over the millennia,
the most pervasive and familiar form of authentication by secret code today is the
username and password combination, wherein the former provides identity credentials,
and the latter provides authentication credentials.
While simple to use and well understood by its users, this method has always been
plagued by problems that are well understood by experts but rarely solved in practice in
the community of users. System administrators can no better convince people today to
choose complex and strong passwords than could the Romans: people use the same,
simple passwords again and again - sometimes on many different systems, entirely
compromising the security they are intended to provide.
Complex and sophisticated techniques are available for authenticating users of
computational systems. Hardware tokens of various sorts, in combination with matching
devices to read them, can provide very strong authentication at significant incremental
cost, complexity and inconvenience. Dynamic signature biometrics, perhaps in combination
with cryptographic infrastructures, are among the most reliable indicators of
person presence, but cost and inconvenience still militate against these implementations.
What is clearly needed in the marketplace is a mechanism as simple and as easy to use as
a password, but closer to the elusive goal of person-presence. We refer to this highly
desirable objective as password fortification.
Passwords remain the most widely used authentication method despite their well-known
security weaknesses. Passwords are the most common method of authenticating users,
and will most likely continue to be widely used for the foreseeable future, due to their
convenience, economy and practicality for service providers and end-users. This paper
describes a technique that addresses the shortcomings of passwords at a cost and
complexity proportionate to the value of the data being protected.
We introduce Wetmetrics as the means to economically fortify existing password
protection to any desired degree of authentication, up to and including person-presence.
This paper continues with an examination of the previously insurmountable problems and
limitations associated with the use of passwords, followed by a short survey of alternative
technologies, before describing in some detail the use of Wetmetrics for Password
Fortification.
The Product: Technical Overview
THINK IN! is an easy-to-use, easy-to-implement and cost-effective extension to traditional
username/password authentication systems. It can be integrated into the authentication
systems of any enterprise, or it can be accessed as a third-party service delivered by
Queue Global Information Systems. The user experience is the same regardless of
whether the password fortification function is implemented within the enterprise or by
Queue Global.
As part of, or following the initial, familiar password-based login process, users are
prompted by THINK IN! for the answers to additional questions before the desired level of
access is granted. These additional questions are drawn from an evolving database on the
THINK IN! server and rely on previous knowledge of the user or on psychometric models
of the user's predicted responses. Typically the questions are multiple choice and must be
answered in a short time frame.
After successfully answering the THINK IN! questions the system occasionally prompts
the user to answer additional training questions in order to keep an accurate and evolving
model of the user. The THINK IN! system, in other words, learns as it goes.
Yet another unique feature of the THINK IN! system is its ability to create new memories
of events known only to the system and the user. The combination of these features
make it uniquely reliable as an authentication protocol.
Still another method of further strengthening the authentication protocol is to develop the
questions and their respective answers off-line, and communicate them out-of-band. For
instance, users opening bank accounts could develop the questions and their answers
while at their branch, after having been personally identified by a customer service
representative who verifies their signature. Such off-line, in-person registration of users
increases costs, but it is the most secure way to bootstrap the system.
How Secure is THINK IN! ?
In the limit, for high-value transaction authentication, the security of the authentication
exchange approaches that of a one-time pad, the most difficult of codes to break.
An installation of THINK IN! that lived up to this standard would require the out-of-band
registration of an adequate number of questions on a per-user basis, with the further
restriction that some or all of these questions would be used only once and then
discarded. Such an authentication system is essentially immune to guessing and replay
attacks for as long as the registered questions remain secret, but it would of course
introduce incremental management costs.
The level of security that THINK IN! provides can be tailored by increasing the
complexity and number of questions the system asks the user or by using more complex
psychometric models.
Scalable Security Levels
For systems that require a higher level of security THINK IN! can be integrated into every
page or object request allowing very fine grained access control. Requests can be
analyzed over a session's lifetime in order to detect hijacking attempts and other misuse
of the system. Periodic, quick revalidation can be introduced to ensure that not only was
the user present during the initial login but that they continue to be present throughout the
session. Additionally, the number of questions that THINK IN! asks is configurable, so the
level of security can be raised to any required degree simply by increasing the number of
questions.
Simple Low Impact Integration
Integrating new authentication methods into existing services is usually a costly and
complex task, often requiring special hardware or radical changes to the way that users
interact with systems. THINK IN! provides an easy to integrate, cross platform solution
that can be used with all the dominant web programming languages. Any server with an
existing username/password login page and a user database is ready to plug in THINK IN!
authentication. Integration with some stand-alone applications is also possible using
THINK IN!'s very simple API (available in Java, C++, JSP, ASP and PHP), allowing a
homogeneous authentication layer to be shared between intranets and extranets.
Enhanced System Reporting
A variety of reports are built into THINK IN! , and of course, any database reporting tool
can be used by the enterprise to create and generate arbitrary reports. Many of the
bundled reports are designed to expose subversion attempts or give insight into behavior
that might foreshadow compromises. Analysis of logins, both failed and successful, can
be correlated with geographic location, network of origin, timing patterns and collected
psychometric data. Even though THINK IN! stops such attempts, these reports provide a
powerful tool to combat security breaches and allow the proactive identification of
accounts that might be subject to Identity theft or compromised before malicious activity
can spread.
High Availability Robust Backend
THINK IN! uses multiple geographically distributed backend systems to assure that
authentication requests are always handled quickly and reliably. Communication
between the customer site and the THINK IN! data centers is handled by the API over an
HTTPS (SSL/TLS) connection; the customer-side API must validate the data center's
certificate so that the exchange cannot be redirected. All backend modules are built in C++.
Fault tolerance is engineered into every component. In the event that the customer site
loses network access, THINK IN! can fail over seamlessly to a less secure single-factor
login, which gives the customer the option of supporting a degraded security mode
within their application. Because this fallback is a fail-open path, it should be an explicit
configuration decision, and every login accepted in degraded mode should be logged so
that those sessions can be reviewed afterwards.
The THINK IN! Data Centres each contain a large scale enterprise database server that
houses all the user profile data in high-security storage. The backend system is modular,
and each individual component is discrete, well defined and auditable. All entry points
into the data centre provide only encrypted access. The secure
logging database can provide auditable, digitally signed logs.
Simple User Administration
THINK IN! provides a comprehensive web based administration interface that allows
complete control over user accounts and provides extensive reporting on system
activities.
Privacy of Information
Privacy and consumer disclosure issues are becoming the subject of increased scrutiny as
privacy advocacy groups and governments begin to build laws around how personal
information can be stored and handled by businesses. Some of the most stringent laws
are those of the European Union, where any data shared between organizations must not
only be disclosed to end-users but also be explicitly permitted by them. THINK IN!
provides a way to meet even these demanding requirements by stripping all data that is
passed to the THINK IN! servers of any personal identification. The data that the backend
collects is linked to user-identifiable information only through randomly generated
identifiers that the client site provides and whose mapping the client site alone holds. An
audit (or even a malicious compromise of the THINK IN! servers) would not, by itself,
allow a connection to be built between user models or psychometric data and the users'
identities. Two caveats apply: pseudonymised data is still personal data under EU rules,
so the identifiers must be unpredictable and never reused, and the mapping table at the
client site becomes the sensitive asset and must be protected accordingly.
Background
This section provides the necessary background to fully appreciate the benefits of
Wetmetrics for Password Fortification. We relate the well-known problems with the use
of traditional username password authentication, all of which are solved with Wetmetrics.
We then pursue some simple cryptographic concepts and describe a biometric attribute
which is particularly useful in the pursuit of person-present authentication. Finally, we
will show that Wetmetrics combines elements of both biometrics and cryptography to
yield a solution with the simplicity and economy of password authentication, yet without
its traditional limits.
The Problems with Passwords
Problem 1: Short Passwords
Though computers are excellent at remembering long strings of random information,
people are notoriously poor at it. When presented with the chance to choose a possible
password 5-10 characters long, composed of letters and numbers, the majority of people
choose short, simple passwords that they can remember easily. And who can blame
them? The problem is that modern computers can "guess," or "crack" such passwords
very easily.
Short, simple, readable passwords are memorable but useless.
Problem 2: Constancy in Password Selection
Using the same password for long periods of time or on multiple systems increases the
risk of that password being compromised. Most modern password authentication systems
lock out or throttle repeated failed guesses, but they remain vulnerable to slow, distributed
guessing and to the same password being reused on a less careful system. Some systems
attempt to force the user to rotate or change their passwords on a regular basis, but this
makes the memory burden of a password system much larger, and people tend to make
less secure password choices if they are forced to make them often.
Password rotation is inconvenient to users and promotes use of short passwords.
Problem 3: Secrecy of Passwords
Social engineering tactics have been wildly successful in recent years as the current
waves of phishing scams (fraudulent emails claiming to be from banks and requesting
login details, etc.) have been shown to have acquired passwords from over 5% of victims.
Preventing people from unknowingly divulging their passwords to malicious (or even
benign) parties has proven very difficult. Aside from malicious password sharing, people
also share passwords for convenience; secretaries often know their boss's passwords,
spouses often share bank PINs. Even benign password sharing compromises the ability of
a system to uniquely identify an individual and increases the chance that a password will
be misused.
Remarkably little social engineering is needed to reveal supposedly secret passwords. In
a much-publicized experiment, almost three quarters of office workers in an impromptu
man-on-the-street survey were willing to give up their passwords in exchange for a
chocolate bar.
Problem 4: Lack of Entropy in Passwords
The strength of a password is critically limited by the amount of entropy it contains.
Entropy is a measure of the randomness of the password. A maximally secure password
would be one with maximum entropy: it would consist of a string as long as the password
system allows, comprised of characters selected from all those allowed by the system,
and selected in a manner that is totally random.
For instance "y*3Pha34!&fQz.:" is a much stronger password than "bubbles" but it is
also undeniably harder to remember. This additional memory burden can sometimes be
reduced by using mnemonics to aid recall of seemingly random data but ultimately the
human mind is not suited to remembering very good passwords.
Passwords built from mnemonic phrases are considerably harder to crack than naive user
selections while remaining nearly as easy to remember, although they fall short of truly
random passwords once attackers build dictionaries of common phrases. Some passwords
are very easy to remember (e.g., single words in the user's native language), but also very
easy to guess with dictionary searches. In contrast, some passwords are very secure against
guessing but difficult to remember. In the latter case the security of a superior password
may be compromised due to human limitations, because the user may keep an insecure
written record of it or resort to insecure backup and restore procedures after forgetting it.
THINK IN! provides a maximally memorable and highly entropic authentication mechanism.
Wetmetrics completely eliminates all of the aforementioned problems with passwords
without compromising economy or simplicity.
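As an added illustration (this code is not from the original paper or its authors), the following Python computes the brute-force entropy bound the passage describes, log2(charset^length), for the two passwords quoted above, and the time an attacker needs to exhaust each search space. The guessing rate (10^9 guesses per second) and the word-list size (100,000 entries) used for the dictionary case are assumed figures chosen for illustration, not values from the paper.

```python
import math
import string

# Character classes a password policy typically distinguishes. An attacker who
# knows which classes appear in a password need only search their union.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy upper bound log2(charset^length): the search space faced by an
    attacker who knows only the length and the character classes used."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(dictionary_size: int) -> float:
    """Effective entropy of a password that is one entry in a word list of the
    given size: the attacker tries the list, not the full character space."""
    return math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second


def compare(passwords, guesses_per_second=1e9, dictionary_size=100_000):
    """Return {password: (bits, seconds_to_exhaust)}. A plain lowercase word is
    scored under the dictionary model, everything else under brute force.
    guesses_per_second and dictionary_size are assumed figures (illustration)."""
    report = {}
    for pw in passwords:
        if pw.isalpha() and pw.islower():
            bits = dictionary_bits(dictionary_size)   # a word list will find it
        else:
            bits = brute_force_bits(pw)
        report[pw] = (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
    return report


if __name__ == "__main__":
    for pw, (bits, secs) in compare(["bubbles", "y*3Pha34!&fQz.:"]).items():
        print(f"{pw!r:20} {bits:6.1f} bits  ~{secs:.3g} s to exhaust")
```

Even under the generous brute-force model, "bubbles" (7 lowercase letters, about 32.9 bits) falls in seconds at the assumed rate, and under the dictionary model it falls in a fraction of a millisecond; the 15-character mixed-class password carries roughly 98 bits and is out of reach. The same arithmetic applies to the 5-10 character passwords discussed under Problem 1.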
Susceptibility to attacks
Phishing is a term applied to attacks which rely on the user submitting their
authentication information over the internet, thereby relinquishing their identity to a
remote attacker. THINK IN! is inherently very resistant to phishing. Even if a phisher knows that THINK IN!
is being used to protect a site, and knows how the system works, and
knows what questions to ask (recall that questions are user-specific, and
sometimes based on events shared only by the user and the system), and
even if the user is fooled into attempting a login at a fraudulent site,
attackers can gain knowledge of only a single set of challenge questions (and their
responses). If the attacker were to attempt illegitimate access to the enterprise using
information gleaned in this fashion, he or she would be foiled when challenged with a
new set of questions drawn from the same user-specific pool. The larger that pool is
relative to any one captured set, the lower the phisher's probability of penetration.
THINK IN! is designed to resist more sophisticated attacks as well, and the same reasoning
applies. In iterated phishing attacks, users repeatedly attempt to log in at one or more
fraudulent web sites, either at one time ("Your login attempt was unsuccessful---please try
again!") or, more subtly, the phisher correlates information collected over multiple
phishing expeditions to multiple fraudulent sites over extended periods of time. Similarly,
in a Trojan Horse attack, malicious code infiltrates the user's desktop and monitors activity
at the keyboard level, collecting and sending this information periodically to the phisher.
Each such capture reveals only the questions that were actually asked, so the attacker's
knowledge of the pool grows slowly, while the evolving user model and the memories the
system creates keep adding questions the attacker has never seen. Two limits should be
stated plainly: an attacker who relays the live challenge to the genuine site in real time,
or who controls the user's session, is not stopped by question rotation alone, and those
attacks must be addressed by the session-level analysis and periodic revalidation
described under Scalable Security Levels.
THINK IN! greatly enhances authentication security while providing the user with an
engaging and interactive twist on a familiar authentication method.
Wetmetrics as Cryptography
From Wikipedia, the free encyclopedia:
A book cipher is a cipher in which the key is the identity of a book.
Traditionally book ciphers work by replacing words in the plaintext of a message with the
location of words from a book. In this mode, book ciphers are more properly called
codes. This can be problematic because if a word appears in the plaintext that doesn't
appear in the book then it can't be encoded. An alternative approach which gets around
this problem is to replace individual letters rather than words, in which case the book
cipher is properly a cipher.
For example, suppose the key text is some book titled A Dark and Stormy Night, and the
first text in the book is as follows:
It was a dark and stormy night. Every now and then, the ungodly quiet was broken by
a crash of lightning that split the darkness outside. Inside the house, midnight
approached.
Given this key text, then a simple plaintext message such as hide all the loot becomes the
cipher text: 29 27 4 8 18 21 21 11 29 8 21 26 26 12.
Slow and cumbersome for humans, the dictionary cipher is easy for computers to use. If
the dictionary is kept securely secret, it is a difficult cipher to break.
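The letter-substitution book cipher quoted above, implemented as an added example (this code is not part of the Wikipedia text or the paper). It numbers the words of the key text from 1, replaces each plaintext letter with the position of a word starting with that letter, and decodes by reading the first letter of the word at each position. Note that the quoted ciphertext does not always use the first matching word (the "i" of "hide" is encoded as 27, "Inside", although word 1, "It", also qualifies), so the encoder here chooses at random among the candidates, which is what makes the cipher homophonic; the seed parameter exists only so that runs are reproducible.

```python
import random
import re

# Key text from the example above (the fictitious "A Dark and Stormy Night").
KEY_TEXT = (
    "It was a dark and stormy night. Every now and then, the ungodly quiet was "
    "broken by a crash of lightning that split the darkness outside. Inside the "
    "house, midnight approached."
)


def key_words(text: str) -> list:
    """Split the key text into words, dropping punctuation. Positions are 1-based."""
    return re.findall(r"[A-Za-z]+", text)


def build_index(text: str) -> dict:
    """Map each first letter to every 1-based word position that starts with it."""
    index = {}
    for pos, word in enumerate(key_words(text), start=1):
        index.setdefault(word[0].lower(), []).append(pos)
    return index


def encrypt(plaintext: str, text: str, seed=None) -> list:
    """Replace each letter with the position of a word beginning with that letter.
    Several words usually qualify, so the choice is random (homophonic): the
    same plaintext has many valid ciphertexts. Non-letters are dropped."""
    rng = random.Random(seed)
    index = build_index(text)
    out = []
    for ch in plaintext.lower():
        if not ch.isalpha():
            continue                      # the cipher carries letters only
        if ch not in index:
            raise ValueError(f"no word in the key text starts with {ch!r}")
        out.append(rng.choice(index[ch]))
    return out


def decrypt(ciphertext: list, text: str) -> str:
    """Invert: position -> first letter of that word in the key text."""
    words = key_words(text)
    return "".join(words[pos - 1][0].lower() for pos in ciphertext)


def is_valid_encryption(plaintext: str, ciphertext: list, text: str) -> bool:
    """Check that a ciphertext is one of the valid encodings of plaintext."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    index = build_index(text)
    return len(letters) == len(ciphertext) and all(
        pos in index.get(c, []) for c, pos in zip(letters, ciphertext))


if __name__ == "__main__":
    quoted = [29, 27, 4, 8, 18, 21, 21, 11, 29, 8, 21, 26, 26, 12]
    print(decrypt(quoted, KEY_TEXT))                       # hidealltheloot
    print(encrypt("hide all the loot", KEY_TEXT, seed=7))  # another valid encoding
```

Only the first letters of the key text matter, so a short key text has very few choices for rare letters ("e" and "l" each map to a single position here), and a reused key leaks letter frequencies exactly as a substitution cipher does; the quoted caveat that the dictionary must be kept secret is doing all the work.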
Interpretation: One interesting and insightful way to understand the use of Wetmetrics
for Password Fortification is by analogy to the Dictionary Cipher described above. The
interaction between the user (U) and the authentication system (S) is essentially an
enciphered conversation, with a twist: instead of trying to communicate a secret message
between two agents as in the earlier cipher example, here one agent is trying to validate
the identity of the other by determining whether they share the same dictionary! S asks n
questions designed to test whether U is using the same dictionary, and U must answer.
Each question is in the form of a multiple choice selection offering, where only one of the
answers is the first letter of the kth entry in the shared dictionary. The trick that makes
this "wet" is that the index, k, is implicit, i.e., the question is not of the form "What is the
first letter of the kth entry?" Instead, the question takes the form: "What is the first letter
of the name of your first hairy animal pet?" We refer to this as wet indexing®. This
method is further strengthened by virtue of leveraging not just a single dictionary for all
S-U interactions, but a different and probably unique dictionary Du for each U. The
strength of the authentication grows with the size of Du (the number of entries in the
dictionary Du, which we call size(Du)) and with the number of questions asked, n: each
m-way multiple-choice question that an attacker cannot answer from knowledge of Du
contributes log2(m) bits of guessing resistance, so wet-indexing of a large Du with n
questions can be made arbitrarily strong by increasing n, assuming secure database and
system operations. The net result of using Wetmetrics 1.0 is equivalent to the use of a
hugely entropic, highly secret and impossible to share, but trivial to remember password.
User convenience is largely a function of the number of questions asked, and is
dynamically tunable to the level of required security; additional questions, for example,
can be asked at any time to increase the system's confidence if the user tries to move from
a less to a more secure information area. This strategy corresponds to dynamically
increasing the length of the password, as needed, when needed.
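The S-U exchange described above, and the phishing argument from the Susceptibility to attacks section, as one added simulation (this code is not the paper's or the product's own; THINK IN!'s real question generation, option selection and psychometric model are not described on the page and are not reproduced here). A constructed per-user dictionary Du plays the role of the user's memory; the server draws n cues from it, builds m-way multiple-choice options with distractors from an assumed answer pool, and accepts only a fully correct response given within an assumed 30-second window. A legitimate user is always accepted, while a phisher who captured exactly one earlier challenge can answer only the cues seen before and must guess the rest, so the acceptance rate over fresh challenges collapses towards m^-n as the pool grows. The two small helpers also give the guessing probability and the number of questions needed for a target number of bits.

```python
import math
import random

# Constructed per-user dictionary D_u for one user U: each "wet index" (a cue
# only U can resolve from memory) maps to U's answer. The entries are made up
# for this example; a real deployment fills them at registration and from the
# evolving user model.
USER_DICTIONARY = {
    "first hairy pet": "rex",        "street you grew up on": "elm",
    "first car": "civic",            "favourite teacher": "brown",
    "childhood nickname": "pip",     "first concert": "rush",
    "mother's middle name": "rose",  "high-school mascot": "tiger",
    "first employer": "acme",        "colour of first bicycle": "red",
    "city of birth": "leeds",        "best friend at school": "sam",
}

# Plausible answers used as distractors in the multiple-choice options (assumed).
ANSWER_POOL = sorted(set(USER_DICTIONARY.values()) | {
    "max", "oak", "golf", "smith", "bud", "queen", "may", "eagle",
    "ibm", "blue", "york", "alex"})


def guess_probability(n: int, m: int) -> float:
    """Chance that someone with no knowledge of D_u answers all n
    m-way questions correctly by guessing."""
    return m ** -n


def questions_needed(target_bits: float, m: int) -> int:
    """Smallest n with n * log2(m) >= target_bits of guessing resistance."""
    return math.ceil(target_bits / math.log2(m))


def make_challenge(dictionary: dict, n: int, m: int, rng: random.Random):
    """S side: pick n cues from D_u and build m options for each. Returns the
    challenge sent to U and the expected answers, which never leave S."""
    challenge, expected = [], {}
    for cue in rng.sample(sorted(dictionary), n):
        correct = dictionary[cue]
        options = rng.sample([a for a in ANSWER_POOL if a != correct], m - 1)
        options.append(correct)
        rng.shuffle(options)
        challenge.append((cue, options))
        expected[cue] = correct
    return challenge, expected


def verify(expected: dict, responses: dict,
           elapsed: float = 0.0, window: float = 30.0) -> bool:
    """S accepts only if every question is answered correctly within the
    response window (the short time frame the paper mentions; 30 s is assumed)."""
    if elapsed > window:
        return False
    return all(responses.get(cue) == ans for cue, ans in expected.items())


def legitimate_user(challenge, memory: dict) -> dict:
    """U resolves each wet index from memory."""
    return {cue: memory[cue] for cue, _ in challenge}


def replaying_attacker(challenge, phished: dict, rng: random.Random) -> dict:
    """Phisher who captured one earlier challenge with U's answers: answers the
    cues seen before, guesses uniformly among the options otherwise."""
    return {cue: phished[cue] if cue in phished else rng.choice(options)
            for cue, options in challenge}


def simulate(trials: int = 500, n: int = 3, m: int = 4, seed: int = 1):
    """Fraction of logins accepted for U and for the phisher over `trials`
    fresh challenges, after the phisher has captured exactly one session."""
    rng = random.Random(seed)
    _, phished_answers = make_challenge(USER_DICTIONARY, n, m, rng)
    user_ok = attacker_ok = 0
    for _ in range(trials):
        challenge, expected = make_challenge(USER_DICTIONARY, n, m, rng)
        user_ok += verify(expected, legitimate_user(challenge, USER_DICTIONARY))
        attacker_ok += verify(expected,
                              replaying_attacker(challenge, phished_answers, rng))
    return user_ok / trials, attacker_ok / trials


if __name__ == "__main__":
    user_rate, attacker_rate = simulate()
    print(f"user accepted {user_rate:.0%}; phisher accepted {attacker_rate:.1%}; "
          f"pure guessing {guess_probability(3, 4):.2%}; "
          f"questions for 40 bits at m=4: {questions_needed(40, 4)}")
```

With 12 cues, three questions and four options the phisher who holds one captured session is accepted in roughly 7% of fresh logins, against 1.6% for pure guessing; raising n, enlarging Du, or discarding cues once used (delete them from the dictionary after `make_challenge`, which models the one-time-pad limit discussed under How Secure is THINK IN!?) all push that figure down. The simulation says nothing about an attacker who relays the live challenge in real time, which the verify step alone cannot detect.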
Other Approaches to Authentication
This section compares Wetmetrics to other forms of authentication.
Multi-factor authentication refers to the joint use of more than one type of authentication
mechanism. For example, requiring the use of a hardware token (something you have) in
conjunction with a PIN (something you know) used to access information on the token.
Strong authentication refers to the use of cryptographic or mathematical algorithms to
provide higher levels of assurance. Person-presence is the holy grail of authentication---
the ability to reliably determine the identity of the person at the other end of the
communications channel.
Hardware-based strong-authentication solutions are expensive, both in the capital cost to
install and build and in the cost to operate and administer, and they still do not provide
true "person presence": they do not guarantee that the identified user is being
authenticated, merely that the identified token is. What they provide is "token
presence."
Biometrics is the measurement of a person's physiological or behavioral features for the
purpose of authenticating their identity. The term is derived from the Greek words "bios"
for life and "metron" for measure.
Typically, biometrics implementations incorporate technologies for measuring static
physiological characteristics like fingerprints, eye retinas and irises, voice patterns, facial
patterns, and hand measurements or dynamic, behavioural characteristics like signature,
gait, voice or typing. Static biometrics are relatively easy to measure, and the technology
comparatively mature, with many competitive suppliers in the market. Implementation
details around authentication systems that rely on static biometrics must be studied
carefully, because poorly implemented systems can be subject to particularly pernicious
forms of identity theft: the theft of a thumbprint, for example, can have long-lasting
implications, since, unlike a password, a thumbprint cannot be changed.
Dynamic biometrics are unique, often unconscious behaviors of an individual. Dynamic
Signature Biometrics are particularly appealing because the act of signing is already
familiar to users through their many everyday transactions. While it is possible with a
great deal of practice for skilled forgers to duplicate the mere visual image of a victim's
signature, it is very difficult, if not entirely impossible, to duplicate the manner in which
an individual creates their signature: it is precisely these dynamics that are captured with
signature biometrics. Dynamic features that are measured include speed, pen pressure,
vector, stroke length, and pen-lifts. Signature identification systems can also adapt to
variances in the user's signature over time, and are highly resistant to false positives and
spurious rejections. Authentication systems that rely on dynamic biometrics do not suffer
from the identity theft issues to which static biometrics are prone.
Strong, dynamic biometric authentication systems, however, remain expensive and are
further diminished by the requirement for a hardware device to take the required
measurements at every access point. For example, if the user has a dynamic signature
tablet for authentication on their office desktop, they will need another similar device at
home to achieve the same level of security when working from home, effectively
doubling the cost of the solution. Furthermore, until such devices are more or less
ubiquitous, traveling workers will be burdened with cumbersome hardware devices to
achieve remote authentication; the typical airport internet kiosk is not today equipped
with any form of biometric reader device.
Biometrics can be used to achieve multi-factor authentication. Retinal scans and
fingerprints are clearly something you "are," and combined with a password or PIN are
constitutive of a multi-factor authentication system. While some biometric authentication
mechanisms can provide "person presence," these systems come at significant additional
expense and severely curtailed convenience when compared to passwords alone.
Wetmetrics draws on the relative merits of dynamic over static biometric techniques,
foreshadowing its future promise for irrefutable person-presence. Future Wetmetrics will
share with dynamic signature biometrics those attributes of robustness, tolerance for
variation, and transparency/credibility which today make it the only true person-presence
authentication technique.
Wetmetrics embody some of the advantages of dynamic biometrics, without any of the
attendant costs, complexities or inconveniences.
Wetmetrics combine elements of multi-factor authentication with the strengths of one-
time pads. Wetmetrics harnesses the user's own wetware to act as a covert authentication
mechanism - the user is unaware how their own wetware works - to build a model of the
user so that unlearned questions can be used to authenticate the user. We expect
implementations of Wetmetrics enabled authentication systems to be found compliant
with the very strongest standards in the industry. While these compliance audits and
analyses continue, we have restricted ourselves here to the more modest claim that the
level of assurance provided by THINK IN! is similar to that afforded by PIN protected,
time-synchronized one-time password devices or dynamic signature biometrics, with
much less implementation complexity and significantly improved ROI. Wetmetrics
towers over passwords and already rivals some of the strongest available authentication
methods.
Wetmetrics
Wetmetrics is the measurement of mental responses. The THINK IN! suite of
applications is built on Queue's Wetmetrics technology foundation.
Wetmetrics combines elements of both cryptography and dynamic biometrics.
Wetmetrics is an innovative technology designed to secure user authentication. It uses
people's memories and memory processes as the access key. Simplicity of user
experience is an integral design objective. We want users to feel comfortable using their
memories, secure in the knowledge that others will not gain access to their personal
information. Keeping the experience quick, using simple language and involving
recognition and knowledge recall (as opposed to only event recall) assures ease of use.
Typical users will require only a few minutes to begin using the system and, after a few
sessions, seconds to be authenticated. Session duration will, of course, be partially
dependent on the level of security desired by the customer.
Summary
Wetmetrics is a powerful application of psychometric models of human memory to
achieve unprecedented levels of identity protection through arbitrarily strong
authentication, without giving up the benefits of economy and convenience associated
with simple passwords.
As simple and as easy to use as a password, Wetmetrics economically fortifies
applications currently authenticated by traditional username password techniques to any
desired degree of authentication, up to and including person-presence.
In effect, Wetmetrics embody some of the advantages of dynamic biometrics, without
any of the attendant costs, complexities or inconveniences.
Wetmetrics completely eliminates the problems with passwords without compromising
economy or simplicity: Wetmetrics products directly address short passwords,
password rotation, password sharing, and lack of entropy.
Queue's THINK IN! service greatly enhances authentication security while providing the
user with an engaging and interactive twist on a familiar authentication method.
Easily and quickly integrated into any existing password-authenticated application, the
THINK SECURITY "THINK IN!" solutions are scalable, cost-effective and minimally
intrusive. ROI is easily achieved with either the in-house software product or
the outsourced service offering.
Disclaimer:
Wetmetrics®, THINK IN!TM and THINK SECURITY® are trademarks of Queue Global
Information Systems Corp.
The material provided in this document is for informational purposes only. You should
first consult a professional before acting upon this information.