EXECUTIVE SUMMARY
The following report explains how two-factor authentication systems work. I was commissioned by the management of Dynamic Plumbing Supply Limited (DPSL) to present my findings to assist the company in deciding whether or not to replace the method it currently uses to authenticate its customers during telephone sales with a two-factor authentication system. In recent months DPSL has seen a spike in customer complaints that they are being charged for products they have not ordered.
The company suspects that this may be down to human error, or to calculated fraud committed by staff or by external persons. At present, customers are asked security questions at the beginning of any phone conversation. The new system will require customers to type a ten-digit numerical password on their phone's keypad and, in addition, to speak their password into the receiver.
Consequently, I have outlined the benefits of a two-factor authentication system, which usually includes some form of biometric authentication, such as voice, face or fingerprint verification. I present an overview of biometric recognition systems in general, and an overview of how such a system would be implemented at DPSL in practice. A key section of the report is a comparative analysis of the current authentication method and the proposed two-factor authentication system against the parameters of convenience, reliability and acceptability, from the point of view of both the customer and the company.
In conclusion, it is my view that the two-factor authentication system proposed by management is, in its current form, not robust enough to prevent fraudulent activity. I cite the increased risk of customers writing down their ten-digit numerical password in order to remember it, and of someone obtaining a recording of the spoken password and using it to fool the system.
CONTENTS
1. INTRODUCTION
2. BENEFITS OF TWO-FACTOR AUTHENTICATION
3. AN OVERVIEW OF BIOMETRIC RECOGNITION SYSTEMS
4. HOW THE NEW SYSTEM WILL AUTHENTICATE CUSTOMERS
5. A COMPARISON: THE CURRENT METHOD AND THE PROPOSED SYSTEM
6. RECOMMENDATION
7. GLOSSARY
8. APPENDIX: Speaker recognition systems
9. REFERENCES
10. BIBLIOGRAPHY
1. INTRODUCTION
This report was commissioned by the management of Dynamic Plumbing Supply Limited (DPSL) with a view to exploring the possibility of introducing a new authentication system to vet customers of the firm when they place orders over the telephone. More specifically, management at DPSL are proposing the installation of a ‘two-factor authentication system’ whose main features are a ‘ten-digit, numerical password’ together with the deployment of biometric speaker-recognition software. The decision to consider this new authentication system is the result of numerous complaints from customers that they are being billed for goods that they have not ordered. To date, when a customer places an order over the telephone, the salesperson on duty authenticates that customer's identity by matching the caller's answers to several security questions against the details held on that customer in the company's database. These questions include the caller's name, date of birth, address and telephone number.
This is clearly a matter of great concern for the management of DPSL, its sales personnel and, most of all, its customers. In a bid to mitigate fraudulent activity in the company, including identity theft by persons who may have illegally obtained customer details, and to strengthen the authentication process, DPSL is considering replacing the current authentication method with this new two-factor authentication and speaker-recognition system.
Consequently, in the report that follows, I discuss what a two-factor authentication system entails and the known benefits of using such a system against fraud (section 2). In section 3 I provide an overview of biometric recognition systems, particularly speaker-recognition software, and in section 4 I explain how the proposed new authentication system would work in practice at DPSL. For readers who would like a more detailed explanation of speaker recognition, I have included a supplement in an appendix at the end of the report.
Additionally, in section 5, I draw a comparison between the authentication method currently in use at DPSL and the two-factor authentication system proposed by management, according to their convenience, reliability and acceptability.
Finally, in section 6, I offer my recommendation to DPSL, based on my findings, on the merits of adopting the new two-factor authentication system or retaining the method currently in use.
A reference list, bibliography and glossary are included at the end of the report, should readers wish to explore in depth any of the methodologies and technologies discussed here.
2. BENEFITS OF TWO-FACTOR AUTHENTICATION
To prove that a person is who they say they are, most companies that provide services online deploy a process of authentication. Williams and Phillips (2009) state that, “Most authorisation decisions depend crucially on authentication—the proof of identity – so identity becomes a key attribute to gaining access to places, systems and services.” The authors add that, “if a person is able to assume the identity of another, they gain unauthorised access to these same places, systems and services, often with dire consequences in terms of individual, corporate or national security.”
The benefits of a two-factor authentication system, according to technology company Conjungo (2013), are improved security, lower risk, money saved, reduced data theft, increased flexibility, disaster recovery, improved productivity, convenience for users and ease of use.
Overall, a two-factor authentication system such as the one proposed at DPSL provides another layer of protection for customers and the business. A biometric check is harder to fool than a set of security questions, because the answers to the questions can be learnt by anyone who has obtained the customer's details, so the potential for fraud is reduced. The company's proposed combination of a ten-digit numerical password with speaker-recognition software also means that a fraudster who somehow obtained a customer's ten-digit password would still have to pass the speaker-recognition test, which they could only hope to do with a recording of the customer speaking that password; the risk of such a recording is taken up in the recommendation in section 6.
In section 3 I provide an overview of biometric systems and describe some of the options open to the company.
3.AN OVERVIEW OF BIOMETRIC RECOGNITION SYSTEMS
Biometrics is the branch of science that uses technology to measure certain behavioural and physiological characteristics of a person so that those measurements can be used to identify the individual during an authentication and/or authorisation process. A biometric recognition system, therefore, is an authentication process built on biometrics that measures any one of the following characteristics of an individual: deoxyribonucleic acid (DNA); gait (the manner of walking); fingerprint; iris pattern; signature; keystrokes; personal odour; face; and voice (Wong and Walker, 2009; TechTarget, 2013). All biometric recognition systems harvest, process, store and evaluate these measurements using an architecture comprising a sensor, a feature extractor, storage, a matcher and a decision maker, similar to Damato's biometric system model in figure 3.1 below:
Figure 3.1: A biometric model, by Alessio Damato (own work), licensed under the GFDL (http://www.gnu.org/copyleft/fdl.html) and CC-BY-SA-3.0
If the sample and the stored template agree closely enough, the decision component reports a positive match. Depending on the sensitivity setting of the system, however, the decision maker will sometimes produce a false match, in which an individual who should have been refused entry to a restricted area or service is let through; the proportion of impostor attempts accepted in this way is the false match rate (FMR). The opposite error is a false non-match, in which a person who should have been accepted is refused; its proportion is the false non-match rate (FNMR). Raising the decision threshold lowers the FMR but raises the FNMR, and lowering it does the reverse, so biometric system designers set the threshold by testing the equipment in the field. The operating point at which the FMR and the FNMR are equal is called the equal error rate (EER) and is the usual single figure for comparing systems; a deployment that is more concerned about fraud than about inconveniencing genuine callers will set its threshold higher than the EER point, accepting more false non-matches in return for fewer false matches. (Wong and Walker, 2009)
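To make the threshold trade-off concrete, the following is an added example (my own, not from Wong and Walker, and not from any product DPSL is evaluating). It sweeps a decision threshold over a constructed set of match scores, computes the FMR and FNMR at each step, and locates the EER. The two score lists, the 0.0 to 1.0 score range and the step size are all assumptions made for illustration.

```python
"""Threshold sweep over constructed match scores to locate the EER.

Added example: the score lists below are constructed for illustration and are
not measurements from any real speaker-recognition system."""

# Constructed scores: 1.0 = identical to the enrolled template, 0.0 = no
# resemblance. Genuine scores come from customers tested against their own
# template, impostor scores from other people tested against that template.
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.80, 0.79, 0.76, 0.72, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.68, 0.62, 0.60, 0.55, 0.52, 0.49, 0.45, 0.40, 0.35, 0.30]


def false_match_rate(impostor_scores, threshold):
    """FMR: share of impostor attempts at or above the threshold (wrongly accepted)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_non_match_rate(genuine_scores, threshold):
    """FNMR: share of genuine attempts below the threshold (wrongly rejected)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, steps=100):
    """(threshold, FMR, FNMR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [
        (i / steps,
         false_match_rate(impostor_scores, i / steps),
         false_non_match_rate(genuine_scores, i / steps))
        for i in range(steps + 1)
    ]


def equal_error_rate(genuine_scores, impostor_scores, steps=100):
    """Threshold at which FMR and FNMR are closest, and the EER there.

    With a finite test set the two rates rarely coincide exactly, so the EER
    is reported as their mean at the crossing; ties go to the lowest threshold."""
    t, fmr, fnmr = min(sweep(genuine_scores, impostor_scores, steps),
                       key=lambda row: abs(row[1] - row[2]))
    return t, (fmr + fnmr) / 2


def threshold_for_max_fmr(genuine_scores, impostor_scores, max_fmr, steps=100):
    """Lowest threshold whose FMR does not exceed max_fmr, together with the
    FNMR that genuine callers pay for it. A fraud-sensitive deployment would
    operate here rather than at the EER point. Returns None if unreachable."""
    for t, fmr, fnmr in sweep(genuine_scores, impostor_scores, steps):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    return None


if __name__ == "__main__":
    print("EER threshold and EER:", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("Zero-FMR operating point:",
          threshold_for_max_fmr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these constructed scores the rates cross at a threshold of 0.63 with an EER of 10%; demanding zero false matches pushes the threshold to 0.69 and rejects 20% of genuine attempts, which is the kind of figure DPSL would need from field testing before it could judge how many legitimate callers the voice step would turn away.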
4. HOW THE NEW SYSTEM WILL AUTHENTICATE CUSTOMERS
How this new system proposed by DPSL will authenticate users is demonstrated briefly in the following scenario.
Albert Williams of A Williams and Sons, a home radiator installation company, calls the sales department of Dynamic Plumbing Supply Limited (DPSL) requesting five 300 millimetre double radiators. The salesperson, Miss Druample, asks Mr Williams whether he has an account with DPSL, to which he answers yes. Miss Druample informs Mr Williams that before she can proceed with the order she needs to go through the security checks. She asks Mr Williams to type his ten-digit numerical password on his phone's keypad. He does so, and after a short pause the system informs the salesperson that the password has not been accepted.
She adds that he has two more attempts before he is locked out and will have to contact the customer help line. On the second attempt Mr Williams remembers the correct sequence of numbers and is successful. Miss Druample then asks Mr Williams to speak his password into the phone, and the system returns a voice match. The salesperson can now proceed with the customer's order with no further security checks, as the delivery address and the terms of payment are filed electronically in the customer's account details.
A more detailed treatment of how speaker recognition systems capture and process users' data can be found in the appendix.
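The scenario above, written out as a small program, is given here as an added example (mine, not DPSL's system or any vendor's software). It runs the keypad step with the three-attempt lock-out and then the voice step, and shows two checks a practitioner would expect: the ten-digit password is stored only as a salted, slow hash, and the comparison is constant-time. The hashing parameters, the attempt limit, the voice threshold of 0.69 and the constructed account are all assumptions; the speaker-recognition engine itself is outside the example and is represented only by the match score it would return.

```python
"""The two-step telephone check from the section 4 scenario: keypad password
with three attempts and a lock-out, then a speaker-verification score checked
against a threshold.

Added example, not DPSL's system. The salted PBKDF2 storage of the password,
the attempt limit, the fixed threshold and the constructed account are all
assumptions; the speaker-recognition engine is represented only by its score."""
import hashlib
import hmac
import os

MAX_PIN_ATTEMPTS = 3       # the scenario allows three tries before lock-out
VOICE_THRESHOLD = 0.69     # assumed operating point chosen from field testing


def hash_pin(pin, salt):
    """Salted, slow hash so a stolen customer table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class CustomerAccount:
    def __init__(self, name, pin):
        if len(pin) != 10 or not pin.isdigit():
            raise ValueError("password must be exactly ten digits")
        self.name = name
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)   # the plain password is never kept
        self.failed_attempts = 0
        self.locked = False

    def check_pin(self, entered):
        """One keypad attempt: returns 'ok', 'retry' or 'locked'."""
        if self.locked:
            return "locked"
        # compare_digest keeps the comparison time independent of where the
        # two hashes first differ
        if hmac.compare_digest(hash_pin(entered, self.salt), self.pin_hash):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_PIN_ATTEMPTS:
            self.locked = True
            return "locked"
        return "retry"


def verify_voice(score, threshold=VOICE_THRESHOLD):
    """Accept the spoken password only if the engine's match score clears the threshold."""
    return score >= threshold


def authenticate(account, keypad_entries, voice_score):
    """Run the scenario: keypad entries in order, voice step only after a
    correct password. Returns the outcome the salesperson would see."""
    for entered in keypad_entries:
        result = account.check_pin(entered)
        if result == "ok":
            break
        if result == "locked":
            return "locked: refer caller to the help line"
    else:
        return "password not accepted"
    return "authenticated" if verify_voice(voice_score) else "voice mismatch"


if __name__ == "__main__":
    williams = CustomerAccount("A Williams and Sons", "4827193056")  # constructed
    # wrong first try, right second try, then a good voice match, as in the scenario
    print(authenticate(williams, ["4827193065", "4827193056"], 0.84))
```

Note that a lock-out is only useful if the lock is on the account rather than on the call: a fraudster who is refused three times must not be able to hang up and start again with a fresh counter, which is why the counter lives in the account record here.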
5. A COMPARISON BETWEEN THE CURRENT METHOD AND THE PROPOSED SYSTEM
In table 5.1, I have compared the two methods of authentication side by side, with my comments under ‘convenience’, ‘reliability’ and ‘acceptability’ on how I think each method meets these parameters from the company's and the customer's point of view.

CURRENT SYSTEM: the salesperson authenticates the customer over the phone based on answers to security questions.

CONVENIENCE
  Company: The onus is on the salesperson to record accurately the information given by the customer. Although this takes about a minute, it is still laborious, and the process is open to fraud and error.
  Customer: The customer expects his or her records to be up to date, and may be annoyed at having to go through a long list of security checks for every transaction.
RELIABILITY
  Company: The company has to take the caller's honesty on trust. The method is exposed to identity theft by anyone who has obtained the customer's details, and to dishonest staff who could sell customer information to fraudsters.
  Customer: A bad phone line can cause the checks to fail.
ACCEPTABILITY
  Company: The company wants to protect its customers, as the level of complaints is unacceptable.
  Customer: Customers have no choice but to use the system.

PROPOSED SYSTEM: the salesperson authenticates the customer by having them key a ten-digit numerical password on their phone's keypad and then speak the same password into the phone.

CONVENIENCE
  Company: The new system speeds up authentication and is a significant improvement in verifying the caller's identity.
  Customer: Although authentication takes less time, customers may feel forced to write down their ten-digit number in order to remember it, and the written copy could then be found by a third party. Customers may also worry whether the information stored on the company's server is safe from theft by employees.
RELIABILITY
  Company: Though not 100% reliable, the system strengthens authentication at the company.
  Customer: The customer has to remember the ten-digit number, or else write it down or store it in their phone, which is itself a risk.
ACCEPTABILITY
  Company: The company must be willing to bear the cost of implementing the new system and of training staff.
  Customer: The customer becomes responsible for keeping their password safe.

Table 5.1: A comparison of the two authentication methods
6. RECOMMENDATION
Having compared the present authentication method with the two-factor system proposed by management, it is my recommendation that Dynamic Plumbing Supply Limited delay adopting the proposed system. Although the system is an improvement on the manual method described in this report, in my opinion it needs tweaking if it is to provide the high level of security that the company hopes to obtain.
For instance, the fact that the customer has to key in their ten-digit number and then repeat the whole number into the system creates the risk that the customer could be overheard or, worse still, recorded by a person using basic surveillance equipment; a recording of the full spoken password, together with the keyed digits, would then give someone who is not the customer everything the system asks for.
I therefore offer the following improvements to the proposed system:
That the customer should be asked to key three randomly chosen digits of their password on the phone keypad;
and
That a further three randomly chosen digits should be spoken into the speaker-authentication system.
This way, no single call reveals more than six of the ten digits, and the chance of the salesperson, or anyone else listening in, retrieving or noting down the customer's complete ten-digit password is greatly diminished.
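The partial-password challenge recommended above has a consequence for how the password is stored, so the following added example (mine, not DPSL's system or any product) works it through. Because only three digits at a time are ever verified, a single hash of the whole ten-digit password cannot be used; the example instead stores a keyed tag for every three-position subset (120 of them) under a server-side key kept apart from the customer database, then generates a random challenge and verifies both halves. The key, the constructed password, the voice threshold of 0.69 and the way positions are chosen are all assumptions; as before, the speaker-recognition engine is represented only by the digits it transcribes and the match score it returns.

```python
"""Partial-password challenge from the recommendation in section 6: the caller
keys three randomly chosen digits of the ten-digit password and speaks three
others, so no single call exposes the whole password.

Added example, not DPSL's system. A subset cannot be checked against one hash
of the whole password, so a keyed HMAC-SHA256 tag is stored for each of the
120 three-position subsets. The key, password and threshold are assumptions."""
import hashlib
import hmac
import itertools
import os
import secrets

PASSWORD_LEN = 10
CHALLENGE_LEN = 3
VOICE_THRESHOLD = 0.69                              # assumed operating point
SERVER_KEY = b"example-key-keep-out-of-the-database"  # assumed; hold in an HSM/KMS in practice


def subset_tag(positions, digits, salt, key=SERVER_KEY):
    """Tag binding each digit to its 0-based position, so '4 at position 2'
    is distinct from '4 at position 7'. Digits are given in position order."""
    material = salt + ",".join(f"{p}:{d}" for p, d in zip(positions, digits)).encode()
    return hmac.new(key, material, hashlib.sha256).digest()


def enrol(password):
    """Store a salt plus one tag per sorted three-position subset; never the password."""
    if len(password) != PASSWORD_LEN or not password.isdigit():
        raise ValueError("password must be exactly ten digits")
    salt = os.urandom(16)
    tags = {}
    for positions in itertools.combinations(range(PASSWORD_LEN), CHALLENGE_LEN):
        digits = "".join(password[p] for p in positions)
        tags[positions] = subset_tag(positions, digits, salt)
    return {"salt": salt, "tags": tags}


def new_challenge(rng=None):
    """Choose three positions to key and three different positions to speak.
    Positions are 0-based here; read them to the caller as 1-based."""
    rng = rng or secrets.SystemRandom()
    picked = rng.sample(range(PASSWORD_LEN), 2 * CHALLENGE_LEN)
    return tuple(sorted(picked[:CHALLENGE_LEN])), tuple(sorted(picked[CHALLENGE_LEN:]))


def verify_subset(record, positions, digits):
    """Check the digits offered for the challenged positions against the stored tag."""
    positions = tuple(positions)
    if len(digits) != CHALLENGE_LEN or not digits.isdigit():
        return False
    expected = record["tags"].get(positions)
    if expected is None:          # not a valid sorted three-position subset
        return False
    return hmac.compare_digest(subset_tag(positions, digits, record["salt"]), expected)


def verify_challenge(record, keyed, keyed_digits, spoken, spoken_digits, voice_score):
    """All three must pass: the keyed digits, the spoken digits as transcribed
    by the engine, and the speaker match score."""
    return (verify_subset(record, keyed, keyed_digits)
            and verify_subset(record, spoken, spoken_digits)
            and voice_score >= VOICE_THRESHOLD)


if __name__ == "__main__":
    record = enrol("4827193056")              # constructed password
    keyed, spoken = new_challenge()
    print("key positions", [p + 1 for p in keyed], "speak positions", [p + 1 for p in spoken])
```

Two caveats follow from the design. Three keyed digits give an impostor a 1-in-1000 chance per guess, so the three-strikes lock-out from section 4 must stay in place for the keypad step. And because each call still reveals six positions, a fraudster who records several calls can piece the whole password together over time: the scheme reduces the exposure per call rather than removing it, which is another reason the speaker check, not the digits, has to carry most of the weight.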
7. GLOSSARY
Authentication – The process of determining whether an individual is who they declare themselves to be.
Biometric – Identification of a person by measurement of their physiological or behavioural characteristics.
Enrolment – Registering an individual's biometric characteristics with an authentication system so that a template can be stored for later comparison.
Equal error rate (EER) – The operating point at which the threshold is set such that the false match rate equals the false non-match rate.
False match (false positive) – The acceptance of a person who should have been refused access to a service.
False match rate (FMR) – The proportion of impostor attempts that a biometric system wrongly accepts.
False non-match rate (FNMR) – The proportion of genuine attempts that a biometric system wrongly rejects.
Two-factor authentication – An authentication method that requires two different kinds of evidence, for example something the user knows (a password or PIN) together with something the user has (a smart card) or something the user is (a biometric).
Password – A word or string of characters known only to the user, presented during authentication to gain access to a service or place.
Positive match – A result indicating that the biometric sample matched a stored template.
Speaker-recognition software – Software that recognises an individual from biometric measurements of their voice.
Speech recognition – Software that interprets spoken words and translates them into text.
Text-dependent – A speaker-recognition method in which the speaker must say a fixed, known phrase or PIN that is compared with the enrolled sample of that phrase.
Text-independent – A speaker-recognition method that verifies the speaker from whatever they say, without requiring a fixed phrase.
Threshold – The score a comparison must reach before a biometric system declares a match and allows access to a website, service or place.
Voice recognition software – Software that encodes the human voice for use in a verification process.
APPENDIX
Speaker recognition systems
Earlier in this report I mentioned that I would provide a more detailed treatment of how speaker recognition systems capture and process users' data. Since the second step of the new two-factor authentication system proposed by management will include a speaker recognition component, let me say at the outset of this appendix that there is a major difference between speaker recognition and speech recognition, although to the layman the two may be mistaken for one and the same process. The Subcommittee on Biometrics of the United States National Science and Technology Council (2006) defines speaker (voice) recognition as “a biometric modality that uses an individual's voice for recognition purposes”, while speech recognition, on the other hand, “recognizes words as they are articulated”; the former is biometric and the latter is not.
How speaker recognition works
Speaker recognition systems work by extracting various characteristics of a speaker's voice and comparing them with a stored template collected by the system during the enrolment or registration phase for that individual. Reynolds (2002) refers to this extracted information as the ‘speech signal conveying speaker identity’. The voice sample obtained during the enrolment phase is usually collected over the telephone when a customer first registers or signs up for a telephone service, such as the order line at Dynamic Plumbing Supply Limited (DPSL). The comparison can be based on what Reynolds (2002) calls ‘text-dependent’ or ‘text-independent’ methods. The speaker recognition system proposed by DPSL falls under the text-dependent method: the customer is expected to learn a ten-digit numerical password and speak the whole password into the telephone; the extractor software processes the sample, the system stores it, and it is used to compare the customer's voice the next time he or she calls to place an order. A text-independent system, on the other hand, also keeps an enrolled model of the caller's voice but verifies the speaker from whatever is said, so it does not need a fixed password; if such a system were to check the password as well, it would need the separate speech-recognition process mentioned at the start of this appendix to recognise the digits from the words actually spoken.
Each person's voice is distinctive. The shape of the vocal tract (the larynx, pharynx, mouth and nasal passages) and how it interacts with the jaw and tongue during speech are what make the voice both a physiological and a behavioural biometric. To capture this, a number of speaker recognition modelling techniques are in use today. Which technique, or combination of techniques, the company deploys will depend on factors such as where the system will be used, how expensive it is to train and install, and other technical considerations regarding on-site or off-site storage of the data and the organisation's network infrastructure in general.
(2,903 words)
REFERENCES
Williams, J. and Phillips, D. (2009) T215 Communication and information technologies, Block 4 Part 4: Identity, authentication and authorisation [Online]. Available at https://learn2.open.ac.uk/mod/oucontent/view.php?id=312559 (Accessed June 1, 2013).
Conjungo Limited (2013) Understand two-factor authentication [Online]. Available at http://www.conjungo.com/technology/two-factor-authentication/benefits-of-two-factor-authentication (Accessed June 13, 2013).
Wong, P. and Walker, M. (2009) T215 Communication and information technologies, Biometrics, Open University, pp. 160-163 and 188.
TechTarget (2013) SearchSecurity: Biometrics [Online]. Available at http://searchsecurity.techtarget.com/definition/biometrics (Accessed June 9, 2013).
Damato, A. (2007) Biometric system diagram [Online]. Available at http://commons.wikimedia.org/wiki/File%3ABiometric_system_diagram.png (Accessed June 1, 2013). Licensed under the GFDL (http://www.gnu.org/copyleft/fdl.html) and CC-BY-SA-3.0.
Reynolds, D. (2002) ‘An Overview of Automatic Speaker Recognition Technology’, IEEE International Conference on Acoustics, Speech, and Signal Processing, vol. 4, pp. 4072-4075, 17-19 May [Online]. Available from http://ieeexplore.ieee.org.libezproxy.open.ac.uk/stamp/stamp.jsp?tp=&arnumber=5745552 (Accessed June 16, 2013).
National Science and Technology Council (2006) Speaker Recognition [Online]. Available from http://www.biometrics.gov/Documents/speakerrec.pdf (Accessed June 16, 2013).
BIBLIOGRAPHY
All sources consulted for this report are those listed in the References section above.