Abstract
Security in any organization is essential, but it is also an inherently risky affair that must be handled with great care. There are three main types of security measure: data, system and network security. Data security protects user and administrative data against unauthorized modification or monitoring. System security is concerned with keeping systems consistent and intact, while network security protects the network and users' devices against attack. Computer technology has eased the task of protecting data within organizations, but security must be applied so that system and data protection are strong enough to make any attack more expensive than it is worth, and therefore futile. This paper analytically examines traditional security systems such as PINs, passwords and smartcards, and examines how such systems can be strengthened by combining them with biometric security.
Introduction
Through the introduction of the modern computer, the world has experienced a digital revolution in which volumes of information are processed, stored, expressed and communicated in digital form. This revolution was greatly propelled by the growing popularity of the internet and further enhanced by instant messaging carried over mobile networks. The trend continues with the introduction of cable TV services that enable viewers to interact through their televisions. Mobile telephone services are also becoming more advanced, and devices have been customized and made flexible enough to accommodate more complicated services such as downloading software packages onto the phone. But each new trend in communication brings new and more complicated potential threats, so that communications security cannot remain stagnant and has to keep improving over time (Mezgar, 2006, p.351).
Biometric security used with smartcard and PIN
Personal Identification Numbers (PINs) and passwords are the most common methods of authentication used to enhance network security, and in theory they remain known only to the user. Though very common, PINs and passwords are the least secure and probably also the weakest form of authentication. When accessing a network or a computer, the first level of security a user encounters is usually the password. A password is normally combined with a user ID or a PIN to grant the user access to a network or, in some cases, to sensitive information such as the user's bank account. It is at this point that many organizations fail to secure their own systems: once a user has authenticated to the network, the session is rarely monitored and there is often little or no further authentication, so the user is left free to do as they wish (Wells, 2007, p.72-73).
Most security systems have relied on PINs, passwords or cards, or a combination of these. Each has disadvantages. Both PIN and card can be lost or stolen, separately or together, especially where users keep the card together with a written note of its PIN. Passwords are also easily compromised because most users choose weak ones such as anniversary dates, the names of spouses or children, or easily guessed sequences of digits. Some security models require strong passwords with a pre-set expiry date, which are difficult for an intruder to guess. But even strong passwords become a security issue where users create a good password and then, out of ignorance, stick it to the underside of the keyboard or monitor. A user assigned a long and complicated password may likewise write it down to avoid forgetting it. People also tend to reveal their passwords voluntarily to others, who may take advantage and access very personal information or data (Reuvid and Ollington, 2004, p.119; Wells, 2007, p.73).
Security within an organization can, however, be enhanced through physical devices known as tokens, which authenticate authorized users of the organization's computer systems to particular applications or to the network. Tokens are small devices designed to fit conveniently in a purse, a pocket or on the user's key chain. Some are designed to store biometric data and, besides being tamper resistant, most carry a small keypad on which the user enters a PIN before the information held on the token can be accessed. To spare the user from remembering complex passwords, tokens can store such passwords, particularly for simpler sign-on solutions. Tokens therefore help to secure the use of passwords in organizations and reduce the chances of compromise. Even where an organization or application requires very strong passwords, the passwords users actually choose are rarely as complex as intended; a token can hold passwords far more complex than a user could memorize (Wells, 2007, p.73-74).
A smartcard is an example of a user token and closely resembles a credit card. Smartcards have long been in use in most European countries but have only recently gained popularity in America. The card is a hardware-based security tool: a small plastic plate carrying a chip with a microprocessor, memory, an operating system, interfaces and a file system, capable of handling every authorized external request directed to it. There are different types of smartcard with different interfaces. A crypto-card is designed for encryption and decryption and has a chip built for that purpose, while other cards carry fingerprint sensors or keypads. Smartcards are very reliable for producing secure digital signatures on electronic documents. Their uses include electronic cash, access to wireless communication, credit cards, banking, access to computer systems and government identification, among others, and they can also be used to improve internet security. Smartcard readers can be connected to personal computers or to any equipment within an organization that performs a security function. Any enterprise that relies upon logical or physical access systems will value smartcards. In today's information society, smartcards can drive a technological shift that effectively integrates security functions with their actual field of application (Mezgar, 2006, p.226).
In recent years smartcards have replaced magnetic-stripe cards because the built-in microprocessor allows them to process data and execute programs. Smartcards are also tamper resistant, which makes it difficult for an active attacker to clone one and use it for impersonation. Tamper-detection circuitry in the card detects physical tampering and immediately erases the card's memory, so that the attacker cannot complete the attack. But no security system is perfectly effective and smartcards are no exception: they can still be cloned or hacked, but unlike magnetic-stripe cards, compromising them requires considerable effort (Mezgar, 2006, p.350-351).
Used in combination, these mechanisms can provide a reasonable level of the required security, although some risk remains in any scheme based only on something the user has or something the user knows. This is where biometric security comes in: it adds a unique factor to the authentication process, a characteristic inherent to the person. Biometric security identifies a user by human characteristics such as fingerprints, facial features, palm prints, iris patterns, retina maps, or even voice and signature. Keystroke dynamics, body odour and ear shape have also been used. A user's voice, fingerprint or face cannot be left behind anywhere because they are part of the person, and they are therefore far harder to compromise. Compromised or forgotten passwords can be very costly to a business. Biometric security can be a favorable alternative that alleviates such costs and the burdens they bring, giving IT personnel time for other duties and reducing the overall cost of managing the organization's IT systems. By combining smartcard, PIN and biometrics, an individual enjoys a stronger and less risky authentication process. If the card is lost, nobody other than the owner can use it without the biometric, and the PIN guards against a forged fingerprint being sufficient on its own (Wells, 2007, p.76; Reuvid and Ollington, 2004, p.120, 123).
Biometric security alone eliminates the need to carry a smartcard around, but combining biometrics with smartcards adds security, because one factor may be compromised while it remains unlikely that the whole system will fail. Since biometrics use a person's own characteristics to authenticate, the chance of mistaken identity is low, and biometrics can therefore serve as the key or ultimate proof of identity. But biometric security is demanding to implement in large organizations for three major reasons: the system must be designed so that everyone within the organization is able to enroll; it must be quick and reliable; and it must accept every valid user while rejecting all impostors. Finding a characteristic that every user possesses and that can be measured consistently is a tricky undertaking, and whatever characteristic is chosen must also be user-friendly and win full user acceptance. Authentication and encryption are essential elements in securing trust between transacting partners, whether in small or large businesses. The benefits of such a security system are great, and they should outweigh the management challenges and costs incurred in implementing it (Reuvid and Ollington, 2004, p.112, 123; Hendry, 2007, p.32-33).
World communication is advancing at great speed, and both IT security and personal security have created a growing demand for identity verification and user identification through biometrics. This demand has led to a general perception that biometrics are a more secure or better method of identification than other systems. Biometrics can be used to design identification and authentication systems that are in reality very secure, but which nevertheless provide security only within the given environment or application. The appropriateness of any security method depends on the circumstances in which it is used. Passwords and PINs are the easiest to check, because each can only be either right or wrong. Although passwords carry a high risk because of users' tendency to write them down, they have the advantage that they allow delegation and can be transmitted over communication networks. A card or token can only be read through a suitable device and so cannot be used everywhere; cards can also be stolen, lost or borrowed, and therefore do not by themselves provide adequate proof of the user's identity. Biometrics, on the other hand, require special software and hardware; yield a confidence level rather than a straightforward yes or no; do not allow delegation; and are often inflexible. But they offer strong protection against theft and counterfeiting, and system designers must therefore take care when choosing the form of identification for each situation. Smartcards allow these methods to be combined, and using several of them together, for example smartcard, PIN and biometrics, provides a stronger security system than any one factor alone (Hendry, 2007, p.31-32).
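The points made in the preceding two paragraphs (a PIN is either right or wrong, a card proves possession only through a reader, a biometric yields a score that has to be thresholded, and the three factors only help when every one of them must pass) can be made concrete in code. The following is an added example written for this edit; it is not code from the paper or from any of the cited authors. The card key, PIN, retry limit, enrolled template, probe templates and decision threshold are all constructed values, and the normalised Hamming distance used here stands in for whatever matcher a real biometric system would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example; none of it comes from the paper.
PIN_RETRY_LIMIT = 3          # wrong PINs tolerated before the card blocks itself
BIOMETRIC_THRESHOLD = 0.30   # largest normalised Hamming distance still accepted
PIN = "4821"
CARD_KEY = b"\x11" * 32      # key personalised into the genuine card at issuance
ENROLLED = bytes([0b10110010] * 32)                                   # 256-bit template
GENUINE_PROBE = bytes(b ^ 0x01 for b in ENROLLED[:8]) + ENROLLED[8:]  # 8 bits differ
IMPOSTOR_PROBE = bytes(b ^ 0xA5 for b in ENROLLED)                    # 128 bits differ


def hash_pin(pin, salt):
    """Salted, iterated PIN hash so a dumped card record cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SmartCard:
    """The key never leaves the card, and the card signs a challenge only after the
    PIN has unlocked it: the PIN protects the card, the key proves possession."""
    def __init__(self, card_id, pin, key):
        self.card_id = card_id
        self._salt = secrets.token_bytes(16)
        self._pin_hash = hash_pin(pin, self._salt)
        self._key = key
        self.retries_left = PIN_RETRY_LIMIT
        self._unlocked = False

    def verify_pin(self, pin):
        """Strict yes/no answer; the retry counter blocks the card once exhausted."""
        if self.retries_left == 0:
            return False
        if hmac.compare_digest(hash_pin(pin, self._salt), self._pin_hash):
            self.retries_left = PIN_RETRY_LIMIT
            self._unlocked = True
            return True
        self.retries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge):
        """Challenge-response: a locked card, or a clone without the key, cannot answer."""
        if not self._unlocked:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def hamming_distance(a, b):
    """Normalised Hamming distance of two binary templates: 0.0 identical, ~0.5 unrelated."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


class Verifier:
    """Back end holding, per card, the shared key and the enrolled feature bits only."""
    def __init__(self, records):
        self._records = records  # card_id -> (card key, enrolled template)

    def authenticate(self, card, pin, probe, threshold=BIOMETRIC_THRESHOLD):
        """All three factors must pass. PIN and card are binary; the biometric
        factor is a distance that only becomes a decision once thresholded."""
        result = {"pin": card.verify_pin(pin), "card": False,
                  "biometric_score": None, "accepted": False}
        record = self._records.get(card.card_id)
        if record is None:
            return result
        key, template = record
        challenge = secrets.token_bytes(32)
        response = card.respond(challenge)
        if response is not None:
            expected = hmac.new(key, challenge, hashlib.sha256).digest()
            result["card"] = hmac.compare_digest(response, expected)
        result["biometric_score"] = hamming_distance(template, probe)
        biometric_ok = result["biometric_score"] <= threshold
        result["accepted"] = bool(result["pin"] and result["card"] and biometric_ok)
        return result


def run_scenarios():
    """A fresh card object per scenario so retry-counter state does not leak."""
    verifier = Verifier({"card-0001": (CARD_KEY, ENROLLED)})
    genuine = lambda: SmartCard("card-0001", PIN, CARD_KEY)
    out = {}
    out["genuine"] = verifier.authenticate(genuine(), PIN, GENUINE_PROBE)
    out["wrong_pin"] = verifier.authenticate(genuine(), "0000", GENUINE_PROBE)
    # The PIN was written on the card, but the card's key could not be extracted.
    clone = SmartCard("card-0001", PIN, b"\x22" * 32)
    out["cloned_card"] = verifier.authenticate(clone, PIN, GENUINE_PROBE)
    # Stolen card plus its PIN, but the thief's own finger.
    out["impostor_finger"] = verifier.authenticate(genuine(), PIN, IMPOSTOR_PROBE)
    # Same genuine user, stricter threshold: a false reject rather than an impostor.
    out["strict_threshold"] = verifier.authenticate(genuine(), PIN, GENUINE_PROBE, 0.02)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Running the scenarios shows the argument directly: the genuine user passes all three factors, a wrong PIN leaves the card locked so it cannot even answer the challenge, a clone that lacks the card key fails the possession check even though the PIN is known, a stolen card with its PIN fails on the impostor's biometric, and tightening the threshold from 0.30 to 0.02 turns the same genuine user into a false reject. That last case is the trade-off the text refers to when it says biometrics yield a confidence level rather than a yes or no.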
Biometric identification based on a user's physiological or behavioral characteristics has proved more reliable than identification by PINs or passwords. Biometric security identifies the person using a device rather than merely the possession of a secret or a token, as PINs and passwords do, and identification through biometrics surpasses that of passwords or even smartcards alone. Because biometric characteristics are unique to each person, applying biometrics to the security of an organization is a good measure for preventing fraud and theft. Unlike these other security devices, biometric traits cannot be lost, forgotten or stolen (Mezgar, 2006, p.226). Biometric technology has also produced portable readers that users can carry with them and plug into the appropriate devices. The purpose of such readers is to read and verify the biometric data held on the device and to confirm that it satisfies the installed security measures; after verification the user is either granted or denied access (Wells, 2007, p.76).
Biometric systems can, however, be very expensive to implement; they can pose a threat to users' civil liberties; and the use of fingerprints has been criticized because fingerprints can be duplicated with or without the user's consent. Biometric systems are therefore most effective in combination with another authentication method, such as a certificate held on a smartcard, where the biometric strengthens the other security solution. Card holders have a lot to gain from biometric security, especially in the banking sector where Automated Teller Machines (ATMs) have become ubiquitous. If a user loses a card protected by biometrics, the chance of fraud is very small because of the fingerprint scanner (Reuvid and Ollington, 2004, p.110). Unlike the traditional authentication methods such as smartcards, tokens, PINs and passwords, which can be stolen, misplaced, guessed or forgotten, biometric authentication uses more permanent behavioral or physiological features of the user. Biometrics therefore have high potential for strengthening other authentication systems. Apart from writing down passwords that are hard to remember, users may also share passwords or tokens when working on group tasks, practices which make password authentication a very weak security system. Biometric information is not transferable and cannot be shared, so biometric authentication is also a strong defence against repudiation (Davida, Frankel and Rees, 2002, p.19).
Implementing biometric security has its own hindrances. Many people are reluctant to provide their biometric information for fear that it may be used for purposes other than those originally intended, without the consent of the person from whom it was taken. To secure biometric information, the user must give explicit approval for its collection. An organization that intends to collect biometric data must also have established audit practices to track the use and retention period of that information, and criminal penalties should apply to unauthorized use or disclosure of it. To protect privacy, raw biometric data should be erased as soon as the required feature vectors have been extracted, because storing raw data in a central system invites linkage with personal information obtained from other sources. Biometric security, like any other security system, does not guarantee absolute security. In less controlled situations, physiological characteristics such as iris patterns and fingerprints can be captured elsewhere, for instance by photography, and used to fool the system. Some people regard biometrics as unhygienic, offensive or harmful, which makes them hesitant to provide the details needed to implement it. Fingerprinting, for example, has long been associated with criminals, and building confidence among would-be biometric users is a tedious task (Davida, Frankel and Rees, 2002, p.12-13).
Conclusion
Reliable as biometric security may be, it is a technological solution that has so far had very little impact on large corporations and the general public alike; many people still view it as science fiction. They could hardly be more wrong, because biometric systems provide an essential solution to the security of transactions as well as a range of other solutions to common challenges in business processes. Wireless technology has introduced a new challenge in achieving secure identity authentication, particularly as a result of roaming laptops, internet-based e-commerce and the environment created by the mobile phone. Mobile e-commerce will gradually increase the volume and value of wireless transactions, and secure identification or authentication of the user then becomes a very important security issue. Biometric technology is increasingly becoming a suitable means of providing the necessary security or of enhancing the effectiveness of established security systems (Reuvid and Ollington, 2004, p.350-351).
References
- Davida, G., Frankel, Y., and Rees, O. (Eds.) (2002). Infrastructure security: International conference, InfraSec 2002, Bristol, UK, 2002: Proceedings. Berlin: Springer.
- Hendry, M. (2007). Multi-application smart cards: Technology and applications. Cambridge, UK: Cambridge University Press.
- Mezgar, I. (Ed.) (2006). Integration of ICT in smart organizations. Hershey, PA: Idea Group Inc. (IGI).
- Reuvid, R., Ollington, C., and Institute of Directors (2004). The secure online business handbook: E-commerce, IT functionality & business continuity. London, UK: Kogan Page.
- Wells, A. (2007). Grid application systems design. Boca Raton, FL: CRC Press.