Recognition of a person by a computer system is one of the most important stages in the interaction of services with its users. The familiarity of this process should not be misleading: no third party should be allowed into the door that this key opens. Digital services are a big part of the life of any person after all.
Any mechanism that controls access is a compromise between reliability, security, convenience, and complexity (and, therefore, high cost) of implementation. Theoretically, it is possible to make a user's connection to a computer system extremely reliable and safe at a level close to 100%. However, the complexity of this mechanism will be completely unacceptable for mass application.
Over time and with the development of technology, authentication is still becoming more and more complicated. Earlier, when electronic systems just appeared, the most difficult for their users was remembering passwords or access codes. However, now that there are a lot of computer services, a person has to navigate in the world of different authentication mechanisms. It is good that they have similar rules and are built on some basic principles that can be identified and sorted out in their strengths and weaknesses.
Password protection is weak because the character set figured out, stolen, intercepted. Simple passwords that can be found out by displaying personal data include names of family members, pets, dates of birth, favorite dishes, names of sports teams or groups. The worst problem with passwords is that many people use the same combination of characters to access a wide variety of services. An attacker, having received a password from one service, will be able to connect to others.
A more complex and reliable authentication method is when a user shows a system an object that is only he physically possesses. Naturally, electronic services cannot use any rare thing for this purpose — it must have an electronic “stuffing”.
Typically, these are storage media: flash drives, cards with a chip, special devices with secure memory. Such devices contain electronic cryptographic keys, certificates, programs that start the exchange of information with the access mechanism to the service.
This method is good for everyone, but it is quite expensive and cannot be applied in mass systems. In addition, an outsider may take possession of such an electronic key. This will be a classic theft or robbery, but the possibilities that will eventually be open to the offender often far exceed the profit from theft, for example, some jewelry or wallet.
The more technological and modern method of user authentication is the verification of biometric data. Here, electronic systems are already very close to identifying a specific person: according to characteristics, physical parameters that are available only to this individual or rarely similar in different people: the technology of a fingerprint or an iris of the eye is quite widespread already. The same list contains authentication methods for ear shape, DNA, face, gait, voice.
The point is that the computer system is trying to recognize a specific person without the use of additional codes or devices, according to deeply individual characteristics. And this seemingly almost flawless authentication technique actually finds a lot of weaknesses and shortcomings, starting with the most common ones — fakes. There are experiments of hacker groups and security experts in which they easily fool modern biometric systems by showing them photos from a printer or fingerprints taken using ordinary adhesive tape.
Another problem is theft and loss of control over biometric data. When such data of a person becomes accessible to an outsider (as a result of scanning, falsification or other means) or a group of persons (for example, on the black market together with the numbers of stolen bank cards), the victim of such a leak will no longer be able to easily change neither data nor password — the consequences are disastrous.
A logical solution to the authentication security problem is to use several methods of user verification. This is done by a combination of different technologies (for example, password protection and biometrics) or by requesting additional codes through other verification channels. Two-factor authentication technology is widespread since about the beginning of the tenths of the XXI century. The user enters the familiar combination of login and password, and the system sends him or her an additional code in response via another communication channel.
The popularity of this technology has made the inquisitive minds of attackers find its weaknesses. Cellular communication is not the most reliable channel for transmitting secret data, which in the case of two-factor authentication is a confirmation code sent by the system. For a criminal who wants to gain access, for example, to a victim’s bank account, creating conditions for intercepting SMS from a bank is just a matter of price. Equipment for this purpose is quite expensive, but if the profit exceeds costs, then why not?
There are still many technologies, or, as they are called, authentication factors: by geographical location, by one-time codes and others — we listed only the most common.
The solutions that exist now demonstrate the same compromise between the cost, convenience and security of authentication systems. Users are not scared off by complicated process, it doesn’t cost much, and the level of protection allow to eliminate the most obvious threats.
Each of the members of society will be constantly identified, its profile will become universal for many systems, and authentication factors will be complex and will include all the information that a person generates throughout life. And then we will have completely different problems. Which ones? We'll probably find out soon.
Image courtesy of The Next Web