Selected Current Readings for Computing Professionals, No. 31

Ruankao (software qualification exam)  Editor: yaruolin  2005-05-14


Biometric authentication

In this computer-driven era, identity theft and the loss or disclosure of data and related intellectual property are growing problems. We each have multiple accounts and use multiple passwords on an ever-increasing number of computers and Web sites. Maintaining and managing access while protecting both the user's identity and the computer's data and systems has become increasingly difficult. Central to all security is the concept of authentication: verifying that the user is who he claims to be.

We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token or smart card) or something the user is (a physical characteristic, such as a fingerprint, called a biometric).

All three authentication mechanisms have drawbacks, so security experts routinely recommend using two separate mechanisms, a process called two-factor authentication. But implementing two-factor authentication requires expensive hardware and infrastructure changes. Therefore, security has most often been left to just a single authentication method.

Passwords are cheap, but most implementations offer little real security. Managing multiple passwords for different systems is a nightmare, requiring users to maintain lists of passwords and systems that are inevitably written down because they can't remember them. The short answer, talked about for decades but rarely achieved in practice, is the idea of single sign-on.

Using security tokens or smart cards requires more expense, more infrastructure support and specialized hardware. Still, these used to be a lot cheaper than biometric devices and, when used with a PIN or password, offer acceptable levels of security, if not always convenience.

Biometric authentication has been widely regarded as the most foolproof, or at least the hardest to forge or spoof. Since the early 1980s, systems of identification and authentication based on physical characteristics have been available to enterprise IT. These biometric systems were slow, intrusive and expensive, but because they were mainly used for guarding mainframe access or restricting physical entry to relatively few users, they proved workable in some high-security situations. Twenty years later, computers are much faster and cheaper than ever. This, plus new, inexpensive hardware, has renewed interest in biometrics.

Types of Biometrics

A number of biometric methods have been introduced over the years, but few have gained wide acceptance.

Signature dynamics. Based on an individual's signature, but considered unforgeable because what is recorded isn't the final image but how it is produced, i.e., differences in pressure and writing speed at various points in the signature.

Typing patterns. Similar to signature dynamics but extended to the keyboard, recognizing not just a password that is typed in but the intervals between characters and the overall speeds and pattern. This is akin to the way World War II intelligence analysts could recognize a specific covert agent's radio transmissions by his “hand”, the way he used the telegraph key.

Eye scans. This favorite of spy movies and novels presents its own problems. The hardware is expensive and specialized, and using it is slow and inconvenient and may make users uneasy. In fact, two parts of the eye can be scanned, using different technologies: the retina and the iris.

Fingerprint recognition. Everyone knows fingerprints are unique. They are also readily accessible and require little physical space either for the reading hardware or the stored data.

Hand or palm geometry. We're used to fingerprints but seldom think of an entire hand as an individual identifier. This method relies on devices that measure the length and angles of individual fingers. Although more user-friendly than retinal scans, it's still cumbersome.

Voice recognition. This is different from speech recognition. The idea is to verify the individual speaker against a stored voice pattern, not to understand what is being said.

Facial recognition. Uses distinctive facial features, including upper outlines of eye sockets, areas around cheekbones, the sides of the mouth and the location of the nose and eyes. Most technologies avoid areas of the face near the hairline so that hairstyle changes won't affect recognition.
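The typing-patterns method described above, sketched as an added example (not code from the original article): a template of inter-key intervals is enrolled from several samples, and a login attempt is scored against it with a scaled Manhattan distance. The sample timestamps, the 3.0 threshold and all function names are constructed for illustration.

```python
from statistics import mean

def intervals(press_times_ms):
    """Turn key-press timestamps into inter-key intervals plus total typing time."""
    gaps = [b - a for a, b in zip(press_times_ms, press_times_ms[1:])]
    return gaps + [press_times_ms[-1] - press_times_ms[0]]

def enroll(samples):
    """Build a template: per-feature mean and mean absolute deviation."""
    feats = [intervals(s) for s in samples]
    if len({len(f) for f in feats}) != 1:
        raise ValueError("enrollment samples must have the same number of keystrokes")
    cols = list(zip(*feats))
    means = [mean(col) for col in cols]
    # Floor the deviation so a very consistent typist cannot cause division by zero.
    devs = [max(mean(abs(x - m) for x in col), 1.0) for col, m in zip(cols, means)]
    return means, devs

def score(template, press_times_ms):
    """Scaled Manhattan distance averaged per feature; lower means a closer match."""
    means, devs = template
    feats = intervals(press_times_ms)
    if len(feats) != len(means):
        return float("inf")  # wrong number of keystrokes can never match
    return sum(abs(x - m) / d for x, m, d in zip(feats, means, devs)) / len(feats)

def verify(template, press_times_ms, password_ok, threshold=3.0):
    """Accept only if the password is correct AND the typing rhythm matches.
    The threshold is an assumed value; in practice it is tuned on real data."""
    return password_ok and score(template, press_times_ms) <= threshold

# Constructed sample data: key-press times (ms) for one six-character password.
ENROLLMENT = [
    [0, 120, 310, 400, 650, 760],
    [0, 130, 300, 410, 640, 770],
    [0, 115, 320, 395, 660, 750],
    [0, 125, 305, 405, 645, 765],
]
GENUINE = [0, 122, 308, 402, 652, 758]     # same user, slightly different timing
IMPOSTOR = [0, 200, 400, 600, 800, 1000]   # right password, even hunt-and-peck rhythm

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(template, attempt), 2), verify(template, attempt, True))
```

Raising the threshold lowers false rejections of the legitimate user at the cost of more false acceptances, so the rhythm check works as a second signal alongside the password rather than a replacement for it.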

Because of its convenience and ease of use, fingerprint authentication is becoming the most widely chosen biometric technology. A growing number of notebook PCs and computer peripherals are coming to market with built-in fingerprint readers. Scores of products are available, including keyboards, mice, external hard drives, USB flash drives and readers built into PC card and USB plug-in devices. Most of these units are relatively inexpensive.

These devices allow the user to maintain encrypted passwords that don't need to be remembered but instead are invoked after the user puts his finger on the reader. This can also be used with a separate PIN or password to offer true two-factor authentication.

