Perhaps the best known application of user authentication and access control is that of the Internet, wherein, in order to gain access to an Internet resource, the user seeking the access must provide proof of their identity sufficient to satisfy the requirements of a user authentication authority. However, there are many other network access control applications that are not within the domain of the “Internet” but which share much in common with it: the need to establish and validate the identity of a user requesting access to a thing, device, facility, service or resource. All of these seemingly different and unrelated access control applications have in common the need to ascertain and validate the identity of the user requesting access to that which is being protected. The very existence of an access control system confirms the substantial possibility that there are those who would not otherwise be granted access but who nonetheless wish to obtain it, in some cases by any means necessary, including the impersonation of one who has authorized access.
Of course, anything worth protecting by use of an access control system probably has several layers of protection: to keep the unwanted out, to know when the unwanted has managed to gain access, and to prevent the unwanted from causing damage once they have breached the other layers and gained access. Such an onionskin security model is not unusual and relies primarily on a first line of defense of keeping the unwanted out in the first place, which is the very purpose and intent of the present invention.
As the first line of defense, the access control system used must be appropriate for its application, providing the level of security that application requires.
In networking applications such as those using Local Area Networks (LAN), Wide Area Networks (WAN) or the Internet, at present the most well known user authentication system is perhaps the “user name and password” method employed in Internet applications, in which, in order to access a network resource, it is necessary to provide both a user name and a password that is known to the resource or its representative. In banking, a very well known authentication system is associated with the Automatic Teller Machine (ATM) card, wherein an ATM can be accessed by the combined use of an ATM bank card and a Personal Identification Number (PIN). The user name and password model has fallen into disfavor in many instances because of the ease with which this authentication method can be compromised and exploited by unauthorized users. The ATM card and PIN approach has fared much better but is still far from secure, as has been demonstrated multiple times by recent corporate and government break-ins in the 2014-2015 time frame, where the perpetrator(s) managed to obtain both the ATM numbers and associated PINs belonging to millions of unsuspecting individuals worldwide.
In the field of networking, such as LAN, WAN and Internet, advances in user authentication have improved the situation and diminished the frequency of fraud and break-ins by impersonation. One approach employs “one time passwords,” where a password is assigned at the time a user attempts access to a network resource and is never used thereafter. Typically, these solutions are implemented using some type of device the user must have in their possession at the time network access is being attempted, such as a cellphone or a specialized key token like the SecurID. A more interesting twist to user authentication is the use of biometrics such as retina scans, finger/palm prints, facial recognition and voice. Similar to the one-time-use password method, the biometric method requires that the user requesting access have a device the authenticating system can communicate with that is capable of capturing the biometric token and forwarding same over the networks to the authenticating system for verification. Though certainly more secure than the other authentication methods mentioned above, the biometric approach suffers from being time consuming, resulting in rather large tokens that need to be transported to the authenticating system and which themselves can be impersonated.
Returning to the banking and credit card application of user authentication, the most recent advancements have moved away from the card and PIN approach, which can be easily compromised, to a solution based on the “chip-and-PIN” methodology. In this approach the common credit/debit card is replaced by a card of the same size and heft but one which includes a baked-on computer circuit. This chip circuit contains all of the user information that was historically stored on the magnetic stripe of the card, plus a certificate and a radio frequency transmitter. In application, the user seeking access to a resource (ATM machine or credit card terminal) for the purpose of a financial transaction inserts the card into the updated reader device and then provides a PIN associated with the account. The chip device communicates with the terminal via a radio frequency network and provides user identification and a one-time-password-like identification number as encrypted data. While this chip-and-PIN solution is much more secure than prior technologies used in these applications, it is still not a total solution. Research points to, for example, weaknesses in the radio frequency protocols that may open avenues of access to man-in-the-middle attacks. Additionally, it has been demonstrated by research that the radio frequency transmissions can be captured in a second or less using a device such as a cell phone augmented by readily available electronic devices, thus potentially enabling a perpetrator to steal and compromise a user's identity without ever having access to the card itself, just by being in the near vicinity of the card. Finally, there is good old-fashioned theft of the card and PIN, thereby allowing the impersonation of the user's identity.
Of course, there are many other applications that rely on user authentication, although some may not be as obvious as those above. One such less-than-obvious user authentication application is the “electronic keyless fob” used in many applications to gain access to a resource. A user needing access to a resource such as, for example, an automobile clicks a button on a keyless fob when approaching the auto in order to unlock the doors and allow access. In this application the computer within the auto senses the radio frequency signal of the keyless fob, assumes the person operating the device is the authorized user and then does as requested by unlocking the doors. Another similar example is when the homeowner approaches the home and presses the button on a keyless fob to disable the security system and unlock the front door. In this case, the hub computer of the security and automation system senses the radio frequency signal from the keyless fob device, assumes the person pressing the device button is authorized and in response does as commanded by disabling the security system and unlocking the front door. Then there are the access control systems at institutions, government buildings, businesses and elsewhere, wherein authorized users are granted access upon presentation of some form of identification such as a radio frequency identification card. Most of these are easily defeated by nothing more complex than theft: when the device of choice is presented, the access control system assumes the person is who the access device claims they are. In all these examples, and many, many more, the operative word is “assumes.” The “user authentication” experience is very limited in scope to simply “assuming” that the person operating the keyless fob device or presenting the stolen credentials is the person they claim to be.
There are more sophisticated keyless fob implementations that adopt use of the “Personal Identifier Number,” similar to that used in networking applications, by requiring the user to enter a PIN on a keypad device at the door or entryway in addition to pressing a button on a keyless fob or presenting a chipped identification card. This methodology is somewhat similar to the multifactor user authentication employed in networking applications and is likewise easily defeated by nothing more complex than theft.
Several examples of user authentication have been provided, and most share a common aspect that is becoming more and more negative from the user's perspective. In the industry this is referred to as “friction,” a word used to identify the amount of involvement on the user's part that is required to gain access to a protected resource. This friction leads to push back, and the upshot of that is a general weakening of the authentication processes. Some examples include: users adopting very short and easy to remember user names and passwords, or using the same user name and password for most of their authenticated accounts, or using PINs derived from the last four digits of their social security number or telephone number or license plate number, and finally, users being reluctant to ever change a user name, password or PIN assignment because of the memorization issues involved.
More sophisticated user authentication implementations attempt to improve upon security by adopting biometrics, which subject the user to substantial friction, much more than that associated with password-like systems. Each time the user requires access it is necessary to scan the eye, or fingerprint, or palm print, or face, or to speak a prearranged stanza into a microphone as an audio-phonic PIN. While in some regard these methods improve overall security, they do so at the expense of forcing users through lengthy and sometimes inconvenient bio-capture sequences, and all suffer from the risk of “man in the middle” attacks wherein the bio image is stolen and reused to impersonate the actual owner.
In summary, current prior art user authentication methodologies fall into a small number of well-defined categories, including: (1) implied authentication as a result of possession, (2) self-authentication by use of user name and password with optional PIN or device-generated token or captured biometric, (3) authentication by use of an out-of-band feedback loop with a transcribed token, (4) centralized out-of-band authentication by use of self-provided biometrics and/or tokens/passwords and (5) multi-factor authentication by use of an identification device/card and PIN/password.
Of course, the entire rationale for user authentication systems is to ensure that only authorized persons gain access to secured resources. As is well known from many real life examples, these various user authentication systems are tested regularly by cyber attackers, and on a regular basis the hackers can break the user authentication systems and gain access to secured resources they are otherwise not allowed to access.