
Who are you? Do you belong here? What rights do you have? And how do I know
you’re who you say you are? Those are the essential questions that any
effective security system must answer before a user can access a computer
system, network or other protected resource. The user thinks this is what a
password system does, but passwords are only one part of an effective security
system. That security system requires three separate elements – identification,
authentication and authorization – that together make up what’s called access
control. When a user logs into a computer or network, the first thing the user
is asked for is a user name or account name. But a user name offers little
protection to the system. Therefore, the system also usually prompts the user
for a password, a form of authentication.
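
The three access-control elements described above, separated into three functions (an added example, not part of the original text). The account names, passwords, permission strings and PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_account(password: str, rights: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "rights": rights}

# Constructed sample accounts (names, passwords and rights are assumptions).
ACCOUNTS = {
    "alice": _make_account("correct horse", {"payroll:read", "payroll:write"}),
    "bob": _make_account("battery staple", {"payroll:read"}),
}
# Placeholder record so unknown names cost the same hashing work as known ones.
_DUMMY = _make_account("unused", set())

def identify(user_name: str):
    """Identification: who does the user claim to be? Account or None."""
    return ACCOUNTS.get(user_name)

def authenticate(account: dict, password: str) -> bool:
    """Authentication: prove the claim with something the user knows."""
    candidate = _hash_password(password, account["salt"])
    return hmac.compare_digest(candidate, account["hash"])

def authorize(account: dict, permission: str) -> bool:
    """Authorization: what rights does the proven identity have?"""
    return permission in account["rights"]

def access_control(user_name: str, password: str, permission: str) -> str:
    """Run identification, authentication and authorization in order."""
    account = identify(user_name)
    proven = authenticate(account or _DUMMY, password) and account is not None
    if not proven:
        # Same answer for an unknown name and a wrong password, so the
        # response does not reveal which account names exist.
        return "denied: authentication failed"
    if not authorize(account, permission):
        return "denied: not authorized"
    return "granted"
```

A user name alone never reaches the authorization step: only a name whose password check succeeds is asked what rights it holds.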

Passwords are cheap, but most implementations offer little real security.
Managing multiple passwords for different systems is a nightmare, requiring
users to maintain lists of passwords and systems that are inevitably written
down because users can’t remember them. The short answer, talked about for
decades but rarely achieved in practice, is the idea of single sign-on. Using
security tokens or smart cards requires more expense, more infrastructure
support and specialized hardware. Still, these used to be a lot cheaper than
biometric devices and, when used with a PIN or password, offer acceptable
levels of security, if not always convenience.

Biometric authentication has been widely regarded as the most foolproof – or
at least the hardest to forge or spoof. Since the early 1980s, systems of
identification and authentication based on physical characteristics have been
available to enterprise IT. These biometric systems were slow, intrusive and
expensive, but because they were mainly used for guarding mainframe access or
restricting physical entry to relatively few users, they proved workable in
some high-security situations. Twenty years later, computers are much faster
and cheaper than ever. This, plus new, inexpensive hardware, has renewed
interest in biometrics.

A user can authenticate an identity in three ways: by something the user knows
(such as a password or personal identification number), something the user has
(a security token or smart card) or something the user is (a physical
characteristic, such as a fingerprint, called a biometric).

In this computer-driven era, identity theft and the loss or disclosure of data
and related intellectual property are growing problems. Maintaining and
managing access while protecting both the user’s identity and the computer’s
data and systems has become increasingly difficult. Central to all security is
the concept of authentication – verifying that the user is who he claims to be.

To achieve more reliable verification or identification, we should use
something that really characterizes the given person. Biometrics offer
automated methods of identity verification or identification on the principle
of measurable physiological or behavioral characteristics such as a
fingerprint or a voice sample. The characteristics are measurable and unique.
These characteristics should not be duplicable, but it is unfortunately often
possible to create a copy that is accepted by the biometric system as a true
sample. This is a typical situation where the level of security provided is
given as the amount of money the impostor needs to gain unauthorized access.

Humans have recognized each other by their various characteristics for ages.
People recognize others by their face when they meet them and by their voice
as they speak to them. Identity verification (authentication) in computer
systems has been traditionally based on something that one has (key, magnetic
or chip card) or one knows (PIN, password). Things like keys or cards,
however, tend to get stolen or lost and passwords are often forgotten or
disclosed.

INTRODUCTION

Chapter 1