Many things have changed in Internet security in the last 10 years. Others have remained unchanged, such as user identification by means of alphanumeric passwords. Today these passwords are still the most popular form of user authentication; indeed, different studies show that 97% of organizations use them. Despite their widespread usage, identification by alphanumeric passwords has well-known disadvantages: passwords are frequently forgotten and can easily be stolen.
Failures in user authentication cause technical problems as well as economic losses. In 2007 the losses due to phishing (impersonation or theft of a user's identity) amounted to $3.2 billion. For these reasons, research into alternative methods of user identification has emerged. The newly designed methods try to avoid the current problems of alphanumeric passwords in order to make systems more secure in terms of identification.
An alternative method of identification, also based on passwords, is the use of graphical or audio passwords. In these, the user must recognize a set of images or sounds among those presented (recognition-based methods). Click-based methods are another option for graphical (or audio) passwords: the user must click on specific, previously selected points of an image or audio track to gain access to the system. Different alternatives based on tokens have also been presented recently. These are systems in which the user possesses a personal device, such as a smart card with a PIN or a USB memory stick holding passwords.
Although some of the above methods are already used in some programs and applications, the alternative methods that are becoming most popular are those that use some biometric of the user to perform the identification. Biometrics is the science of recognizing a person by their personal features. There are two main types: physical biometrics, which refer to a physiological feature of the person, and behavioral biometrics, which are features related to the behavior of the user.
Several physical features can be used to characterize a user. Among the most common are the fingerprint, the palmprint or palm geometry, face recognition and iris recognition. On the other hand, the behavioral biometrics most frequently used for identification are speech analysis, keystroke patterns (keystroke dynamics), signature recognition and haptic patterns (movement or interaction with an object).
User authentication by means of biometrics has reached a good level of performance in the last few years, allowing its application in several systems. This improvement is due to the development of new biometric data acquisition devices together with the design of new algorithms for feature extraction and recognition.
The main reason for the popularity of identification by biometrics is that copying a biometric is very difficult, almost impossible. This, however, is also a drawback: if a biometric were copied, the impostor would hold a great deal of privileged information about the real user, and, unlike a password, a compromised biometric cannot be revoked or replaced. This makes some users reluctant to use biometrics for Internet identification, as the same biometrics are also used by many official bodies.
In spite of the large number of alternative identification methods designed in the last few years, none of them has proven superior, in general terms, to the widespread alphanumeric password, either in accuracy or in usability and cost.
This has prompted the design of two-factor authentication methods, which try to overcome the drawbacks of the individual methods by combining two of them. The most popular two-factor method uses a biometric of the user in addition to an alphanumeric password. In this way, merely copying the password or emulating the user's biometric will not grant the impostor access to the system; both factors must be defeated.
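The decision logic that paragraph describes, as an added example that is not part of the original text: a stored record holds a salted, iterated password hash and a biometric template, and access is granted only when both factors verify independently. The password, the feature vectors and the distance-based matcher are constructed for illustration; the matcher stands in for a real biometric algorithm, which would compare its own kind of template against a tunable threshold in the same way.

```python
import hashlib
import hmac
import math
import os


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str, template) -> dict:
    """Create the stored record for a user at enrolment time.

    The template is a constructed feature vector standing in for a real
    biometric template (minutiae, iris code, ...). A production system would
    store a protected template rather than raw features, because a leaked
    biometric cannot be revoked the way a password can.
    """
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "template": list(template)}


def password_matches(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash with the stored hash."""
    return hmac.compare_digest(record["pw_hash"], hash_password(candidate, record["salt"]))


def biometric_matches(record: dict, sample, threshold: float = 0.15) -> bool:
    """Toy matcher: accept if the Euclidean distance between the presented
    feature vector and the enrolled template is within the threshold.
    Biometric samples never repeat exactly, so a threshold (and with it a
    false-accept/false-reject trade-off) is inherent to any matcher.
    """
    template = record["template"]
    if len(sample) != len(template):
        return False
    distance = math.sqrt(sum((a - b) ** 2 for a, b in zip(sample, template)))
    return distance <= threshold


def authenticate(record: dict, password: str, sample) -> bool:
    """Two-factor decision.

    Both factors are always evaluated (no early return after a failed
    password check) and the caller only learns the combined verdict, so a
    failure does not reveal which of the two factors was wrong.
    """
    pw_ok = password_matches(record, password)
    bio_ok = biometric_matches(record, sample)
    return pw_ok and bio_ok


if __name__ == "__main__":
    # Constructed enrolment and login attempts (hypothetical user).
    record = enroll("correct horse battery staple", [0.10, 0.50, 0.90, 0.30])
    genuine_sample = [0.12, 0.48, 0.91, 0.30]   # same user, small sensor noise
    impostor_sample = [0.60, 0.20, 0.40, 0.70]  # different person

    print(authenticate(record, "correct horse battery staple", genuine_sample))   # both factors: True
    print(authenticate(record, "correct horse battery staple", impostor_sample))  # stolen password only: False
    print(authenticate(record, "wrong password", genuine_sample))                 # forged biometric only: False
```

The point the text makes is the last two calls: an attacker who has phished the password but presents a non-matching biometric, or who has spoofed the biometric but does not know the password, is rejected in both cases.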
Nonetheless, we cannot fully rely on these advanced methods. More secure ways of recognizing users have prompted new, more advanced impersonation methods. Examples are man-in-the-middle (MitM) attacks and Trojan attacks that, instead of acting during the identification phase, act during the phase in which the data are sent. In this way, attackers obtain access to the system without ever impersonating the real user at the authentication step: they ride on or relay the session that the legitimate user has already authenticated.
Thus, a more complex and secure authentication method may only secure the system for a period of time. As in almost all security-related areas, the development of identification methods is an arms race between defenders and attackers.