Case 6:21-cv-01101-ADA Document 31-11 Filed 05/19/22 Page 1 of 4

EXHIBIT 11
`
Securing Business's Front Door -
`Password, Token, and Biometric Authentication
`
`Lawrence O'Gorman
`logorman@avaya.com
`Avaya Labs Research, Basking Ridge, NJ
`
`Abstract
Human authentication is the security task whose job is to limit access to computer
networks and physical locations only to those with authorization. This is done by
`equipping authorized users with passwords or tokens, or using their biometrics. However,
`due to human limitations, these are often used poorly, thus weakening security, or they
`are secure but so inconvenient as to be circumvented. This chapter describes common
`means for authentication as well as their strengths and weaknesses. Some of the major
`issues are detailed to emphasize the tradeoffs required when considering different
`authentication schemes. Examples of common systems applications are given with
`appropriate authentication choices. Finally, future trends are described to help to
`understand how soon and to what degree the security-convenience tradeoff will be
`improved.
Keywords: password, security token, biometrics, human authentication, access control,
`security.
`
`1. Introduction
`
`1.1 Human Authentication
`An attempt to identify the most common computer-age frustration needs look no further
`than the initial authentication stage. Most of us have forgotten the password to our
computer at least once if not several times. Many of us have remembered passport,
`toothbrush, and other items for a trip, only to forget the security token that enables access
`to the corporate network. And some of us have remembered that security token only to
`find it useless at the remote machine since it does not have the reader (such as smart card
`reader) or interface (such as USB) in which to plug the token. Sometimes there are more
`serious ramifications of not being able to log in. Consider a situation where a
government, military, or medical official must make a decision from a remote location.
`Since there can be no face-to-face confirmation of identity, how is the person
authenticated? A password could be used, but this may be forgotten in an infrequent and
`stressful situation. A token could be used, but a token such as a smart card requires a
`reader. The only biometric whose reader is ubiquitous is speaker verification over a
`telephone line, but this is unreliable if there is a noisy background or when stress alters
`the voice characteristics. Passwords, tokens, and biometrics are the tools by which secure
`access can be gained. However, these tools are not equivalent and, unfortunately, none
`has yet proven to offer perfect security and universal convenience.
`
`DEF-AIRE-EXTRINSICOOO00055
`
`
`
Figure 6. Distinctive features for verification can be measured from spectral frequency
characteristics of a voiced pass phrase.
`
`3. Considerations When Choosing Authenticators
`There is no perfect authenticator. Below, some considerations are described of particular
`authenticators. In Section 4, appropriate choices are given for some systems taking into
`account these considerations.
`
`3.1 What's Wrong With the Status Quo?
The password would actually be a pretty good authentication factor - if only human
`capabilities could meet technological demand. We defined keyspace in Section 2.3.
`Below is the keyspace comparison of passwords versus tokens and biometrics. (The
effective keyspace for biometrics can be estimated as the inverse of the false accept rate
(see [17]) using 3rd party recognition rate data shown in Table A-1 in the appendix.)
Token (10^12) >= Password (10^[illegible] - 10^[illegible]) > Iris (10^6) > Fingerprint, PIN (10^4)
>= Voice (10^3) > Face (10 - 10^[illegible]).
`One can see that a well-chosen password can be even stronger than a token (with 12-
`digits) and much better than a fingerprint. The problem with passwords is largely human.
`Strong ones are difficult to remember. Multiple passwords exacerbate this difficulty.
`And, when these must be changed regularly, this goes beyond the patience if not mental
`capabilities of most humans.
Obscure knowledge used for authentication (such as mother's maiden name) should, by
`definition, be only narrowly known and difficult to find. Multiple pieces of information
`are often required to further narrow down the potential knowledge group. This approach
`
`
`
`
`is more convenient, but there are several security flaws. One is that it is difficult to
`measure the obscurity of one or more pieces of information. Are questions A, B, and C
`good enough? One person's obscure knowledge may be another person's public
`information, in which case more or different questions are needed. Another problem is
`that these depend in part on the scheme's own obscurity; if mother's maiden name were
`the information needed to gain access to everyone's bank account, it is likely this
`information will not be obscure for long. Yet another problem is when an obscure
`knowledge system asks the user to choose an obscure question. For instance, if the user
`chooses a question asking about his favorite breakfast cereal, the user might think this
pretty clever - how would an attacker know this? However, the smart attacker would just
`guess cereals by popularity and likely come upon the user's cereal in a few guesses.
`Putting the onus of strong security upon the common user is likely to fail. A final
`problem is related to compromise recovery. You recover from a compromised password
`by changing it. What do you do with your mother's maiden name?
`Having stated many problems with passwords and obscure knowledge authentication
`approaches, there are also researchers working on methods to improve these. See Section
`5 to see how the status quo might be improved.
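The keyspace comparison in Section 3.1 and the difficulty of "measuring the obscurity" of a security question both reduce to the same quantity: the number of guesses an attacker must expect to spend, which the chapter estimates for biometrics as the inverse of the false accept rate. The script below is an added example, not code from the chapter or its author; it applies that rule uniformly to passwords (charset^length), numeric tokens (10^digits), biometrics (1/FAR) and security questions (1/probability of the most popular answer, i.e. 2^min-entropy), then ranks them. The false accept rates and the "favorite cereal" popularity weights are constructed sample values for illustration, not the Table A-1 data the chapter relies on.

```python
"""Effective keyspace of authenticators, following the chapter's estimate
that keyspace = 1 / (probability a single guess is accepted).

Added example; the FAR and answer-popularity values below are constructed
sample inputs, not measurements from the chapter's Table A-1.
"""
import math


def password_keyspace(charset_size: int, length: int) -> float:
    """Keyspace of a uniformly random password: charset_size ** length.
    Integer exponentiation keeps the result exact before conversion."""
    return float(charset_size ** length)


def token_keyspace(digits: int) -> float:
    """Keyspace of an n-digit numeric token or PIN: 10 ** digits."""
    return 10.0 ** digits


def biometric_keyspace(false_accept_rate: float) -> float:
    """Effective keyspace of a biometric = 1 / FAR (the chapter's estimate)."""
    if not 0.0 < false_accept_rate <= 1.0:
        raise ValueError("false accept rate must be in (0, 1]")
    return 1.0 / false_accept_rate


def obscure_knowledge_keyspace(answer_popularity: dict) -> float:
    """Effective keyspace of a security question whose answers follow a known
    popularity distribution. The best single guess is the most popular answer,
    accepted with probability max(p), so keyspace = 1 / max(p) = 2 ** H_min."""
    total = float(sum(answer_popularity.values()))
    if total <= 0:
        raise ValueError("popularity weights must sum to a positive value")
    p_max = max(answer_popularity.values()) / total
    return 1.0 / p_max


def bits(keyspace: float) -> float:
    """Keyspace expressed as bits of guessing work."""
    return math.log2(keyspace)


def rank_authenticators(keyspaces: dict) -> list:
    """Authenticator names ordered from largest to smallest keyspace."""
    return sorted(keyspaces, key=lambda name: keyspaces[name], reverse=True)


# Constructed sample false accept rates (hypothetical, not Table A-1 data).
SAMPLE_FAR = {"iris": 1e-6, "fingerprint": 1e-4, "voice": 1e-3, "face": 1e-2}

# Constructed popularity weights for a "favorite cereal" security question.
SAMPLE_CEREAL_POPULARITY = {
    "corn flakes": 30, "cheerios": 25, "frosted flakes": 20,
    "raisin bran": 15, "granola": 10,
}


def sample_comparison() -> tuple:
    """Build the chapter-style comparison from the constructed samples.
    Returns (keyspaces, ranking)."""
    keyspaces = {
        "token": token_keyspace(12),              # 12-digit token
        "password": password_keyspace(95, 8),     # random 8-char printable ASCII
        "pin": token_keyspace(4),                 # 4-digit PIN
        "security question": obscure_knowledge_keyspace(SAMPLE_CEREAL_POPULARITY),
    }
    for name, far in SAMPLE_FAR.items():
        keyspaces[name] = biometric_keyspace(far)
    return keyspaces, rank_authenticators(keyspaces)


if __name__ == "__main__":
    spaces, ranking = sample_comparison()
    for name in ranking:
        print(f"{name:18s} keyspace ~ 10^{math.log10(spaces[name]):5.2f} "
              f"({bits(spaces[name]):5.1f} bits)")
```

Running the script prints the ranking: the random 8-character password comes out ahead of the 12-digit token, the iris sample ahead of the fingerprint and PIN, and the security question last, because a popularity-skewed answer set offers only a handful of effective guesses regardless of how "obscure" the question sounds. A user-chosen password would not score as a uniformly random one; the chapter's point that the weakness is human, not mathematical, is exactly the gap between `password_keyspace(95, 8)` and what people actually choose.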
`
3.2 Rejecting Customers is Not Good for Business
`In the introduction to Section 3, we stated that there is no perfect authenticator. Let's
`examine this from the perspective of rejecting customers. If the customer has a password,
`there is the onus on her to remember it. When she forgets it, she may feel one of a
`number of emotions, none of them that a particular business would want associated with
`it. She may feel that her mental capacity is not up to snuff. She may feel aggravated with
`the security requirement. She may feel that this is wasting her time to go to the secondary
`authentication mechanism that may either be a person or an obscure knowledge system.
`She may think about aborting the transaction, or worse yet, taking her business
`elsewhere.
`A token may or may not be easier for the customer. A common token is a magnetic stripe
`card, such as a credit card, frequent flier card, etc. Another common token is a key fob
`card inscribed with bar code such as is used at many grocery stores. There are RFID
(radio frequency identification) contactless cards and wands as well that can just be
passed in front of a reader to transfer the customer information³. There are also smart
`cards (where it is necessary that the customer has a smart card reader wherever the smart
card must be used⁴). One can understand from the variety of form factors offered that the
`issuer must decide on the easiest device such that the customer will allocate wallet, purse,
`pocket, or computer space to have the token when needed. There should also be a
`procedure in place such that customers can make transactions even when missing the
`token.
`
`3 The Exxon Mobil SpeedPass device is the first RFID device to have gained widespread popularity for
`retail purchases.
`4 American Express introduced the "Blue" card in the late 1990s, in part to perform secure on-line
`transactions with a smart card. With this card was the necessity that customers also have a smart card
`reader. This was provided free of charge to good customers as a loyalty incentive.
`
`13
`
`DEF-AIRE-EXTRINSICOOO00067
`
`