In the last article, I gave my classification of authentication mechanisms. Now I will share my methods for evaluating and comparing them.
In total, there are 4 main indicators of the authentication system:
1. Installation and maintenance costs.
2. Efficiency.
3. Reliability.
4. Security.
But first, let us recall what is meant by the authentication process.

It can be represented as a function that calculates the degree of similarity between the images of the authenticator (a) held by the system (S) and by the user (P), and checks whether that degree falls within a confidence interval. If it does, authentication is considered successful.
Why the images (a'), and not the authenticators themselves?
The authenticator can be a password, an e-token, an iris, etc. In most cases it is held either by the user or by the system, and the opposite side stores only its image, for example a password hash, a fingerprint or an iris pattern. For the comparison, the first party likewise does not transmit the authenticator itself, but only its image. These images can coincide completely, as with passwords, or be merely very similar, as with biometrics. The method of checking the similarity differs between authentication methods, as do the limits of the confidence interval, k min and k max, which range from zero to one. With password or hardware authentication both limits of the confidence interval are usually equal to one, while with biometrics or secret questions the interval usually spans a small range near one. Moreover, k max is not always equal to one: for authenticators of a dynamic nature, such as voice or handwriting, a complete coincidence of the authenticator images more likely indicates a forgery.
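The check described above, as an added example that is not part of the original article: each mechanism gets its own similarity function and its own confidence interval [k_min, k_max], and authentication succeeds only when the similarity of the two images falls inside the interval. The password mechanism compares hash images and uses the interval [1, 1]; the secret-questions mechanism uses a template similarity with k_min = 0.7 (7 of 10 answers); the voice mechanism has k_max below one, so an exact duplicate of the stored template is rejected as a probable replay. All sample images, thresholds and the toy template similarity are constructed for illustration and are not taken from the article.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Sequence

# All images, salts and thresholds below are constructed for the example.


def password_similarity(system_image: bytes, presented_image: bytes) -> float:
    """Password images (hashes) either coincide completely or not at all.
    compare_digest avoids leaking the mismatch position through timing."""
    return 1.0 if hmac.compare_digest(system_image, presented_image) else 0.0


def template_similarity(system_image: Sequence[int], presented_image: Sequence[int]) -> float:
    """Toy similarity for biometric-like images or answer sheets:
    the fraction of positions in which the two templates agree."""
    if not system_image or len(system_image) != len(presented_image):
        return 0.0
    matches = sum(1 for s, p in zip(system_image, presented_image) if s == p)
    return matches / len(system_image)


@dataclass(frozen=True)
class Mechanism:
    """An authentication mechanism: a similarity function plus the
    confidence interval [k_min, k_max] the similarity must fall into."""
    name: str
    k_min: float
    k_max: float
    similarity: Callable[..., float]

    def authenticate(self, system_image, presented_image) -> bool:
        k = self.similarity(system_image, presented_image)
        return self.k_min <= k <= self.k_max


def password_image(password: str, salt: bytes) -> bytes:
    """The system stores only this image, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Interval choices mirror the article: exact match for passwords, a small
# range near one for secret questions, and k_max < 1 for a dynamic authenticator.
PASSWORD = Mechanism("password", 1.0, 1.0, password_similarity)
SECRET_QUESTIONS = Mechanism("secret questions (7 of 10)", 0.7, 1.0, template_similarity)
VOICE = Mechanism("voice (dynamic)", 0.8, 0.98, template_similarity)


def demo() -> dict:
    """Run each mechanism on constructed images and return the outcomes."""
    salt = b"constructed-salt"
    stored_pw = password_image("correct horse", salt)

    stored_answers = [1, 0, 1, 1, 0, 1, 0, 1, 1, 0]          # 10 answer slots
    seven_right = [1, 0, 1, 1, 0, 1, 0, 0, 0, 1]              # 7 positions agree
    six_right = [1, 0, 1, 1, 0, 1, 1, 0, 0, 1]                # 6 positions agree

    stored_voice = [i % 3 for i in range(50)]                 # 50-element template
    fresh_sample = stored_voice[:]                            # a live sample differs a little
    for i in (4, 17, 33):
        fresh_sample[i] = (fresh_sample[i] + 1) % 3           # 47/50 = 0.94 agree

    return {
        "password_ok": PASSWORD.authenticate(stored_pw, password_image("correct horse", salt)),
        "password_wrong": PASSWORD.authenticate(stored_pw, password_image("wrong", salt)),
        "questions_7_of_10": SECRET_QUESTIONS.authenticate(stored_answers, seven_right),
        "questions_6_of_10": SECRET_QUESTIONS.authenticate(stored_answers, six_right),
        "voice_live_sample": VOICE.authenticate(stored_voice, fresh_sample),
        # An exact copy of the stored template exceeds k_max and is rejected.
        "voice_exact_replay": VOICE.authenticate(stored_voice, stored_voice),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

The interesting case is the last one: for a dynamic authenticator the upper bound does real work, turning an implausibly perfect match into a rejection that is worth logging as a suspected replay rather than treating as a success.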
We now turn to the main indicators.
Installation and maintenance costs

A cost measure covering the time, effort or means spent by the system administrator to install and maintain the system, and by the user to create or change their account, divided by a normalizing coefficient whose default is the average cost for this class of systems.
This is perhaps the most difficult of the indicators, because it is not entirely clear how to properly account for the administrator's costs of installing and maintaining the system: take them as a whole or per user?
One option is to calculate it as:

(system installation costs + administrator maintenance costs per year) / number of users + user costs per year

In addition, you can add multipliers for the different types of costs.
Efficiency

An indicator describing the time, effort or other costs required from the account holder every time they authenticate in the system, where the costs are those of entering and analyzing the authenticator, and the normalizing coefficient defaults to the average cost of entering and analyzing the authenticator for this class of systems.
This is a much more tangible indicator. The time to enter the authenticator (for example, to type a password, connect a flash drive or record a voice sample) and to analyze it is easy to measure and does not fluctuate much.
Reliability

An indicator of reliability equal to the probability that the account holder will be able to authenticate successfully. The higher the reliability, the lower the overall security.
k min is taken from the description of the authentication process. If authentication requires answering a few simple test questions, for example 7 out of 10, then the reliability will be equal to 30%. Accordingly, the higher the reliability of the access function, the easier it is for the user to authenticate. Therefore, as the priority of using the authentication mechanism falls (from the main mechanism through the backup to the last-resort mechanism), the reliability of the mechanism should increase.
Security

A security indicator describing the total cost an attacker must bear to pass authentication successfully (false authentication) using a certain type of attack. It depends on the cost of creating and checking one authenticator, the skill level of the attacker, and the complexity of the authenticator. By default, the attack is a complete enumeration of all possible variants of the authenticator; for other types of attack the formula may differ.
Here, too, everything is generally understandable. If the mechanism has no obvious vulnerabilities, the only remaining way in is a brute-force attack, and then everything depends on how quickly an attacker can, for example, generate passwords and check them.
The coefficients are added so that the indicators can be made dimensionless. Moreover, when comparing several authentication mechanisms, choosing suitable values for the coefficients yields numbers of an order of magnitude that is easier to read.
The difficulty in calculating these indicators lies in the fact that costs can include time, money and specific resources.
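An added example, not code from the original article, that puts the cost indicator and the default (brute-force) security indicator side by side for a few constructed mechanisms. The cost formula is the one given above: (installation + administrator maintenance per year) / users + user costs per year, with optional multipliers per cost type, divided by a normalizing coefficient that defaults to the class average as the article prescribes. The brute-force cost is my own simple reading of the default attack, not the article's formula: number of variants times the cost of creating and checking one variant, with the attacker's skill level assumed to scale the per-variant cost down. All figures are constructed and carry whatever unit (hours, currency) the evaluator chooses, which is exactly why the normalization matters.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Optional


@dataclass(frozen=True)
class MechanismCosts:
    """Constructed cost profile of one authentication mechanism (example values)."""
    name: str
    install_cost: float          # one-off installation cost
    admin_cost_per_year: float   # administrator maintenance per year
    users: int                   # accounts the installation serves
    user_cost_per_year: float    # per-user cost of creating/changing the account
    attempt_cost: float          # attacker's cost to create and check one authenticator
    variants: float              # complexity: number of possible authenticators


def raw_maintenance_cost(m: MechanismCosts, multipliers: Optional[Dict[str, float]] = None) -> float:
    """Article's formula: (install + admin per year) / users + user cost per year,
    with optional multipliers for the different cost types."""
    w = {"install": 1.0, "admin": 1.0, "user": 1.0, **(multipliers or {})}
    per_user_share = (w["install"] * m.install_cost + w["admin"] * m.admin_cost_per_year) / m.users
    return per_user_share + w["user"] * m.user_cost_per_year


def brute_force_cost(m: MechanismCosts, skill: float = 1.0) -> float:
    """Assumed model of the default attack (full enumeration): every variant must be
    created and checked; a more skilled attacker (skill > 1) pays less per variant.
    This is the example's simplification, not the article's formula."""
    if skill <= 0:
        raise ValueError("skill level must be positive")
    return m.variants * m.attempt_cost / skill


def normalize(values: Dict[str, float], coefficient: Optional[float] = None) -> Dict[str, float]:
    """Make an indicator dimensionless by dividing by a coefficient; the default
    coefficient is the average over the class of mechanisms being compared."""
    coeff = coefficient if coefficient is not None else mean(values.values())
    return {name: v / coeff for name, v in values.items()}


# A class of knowledge-based mechanisms with constructed figures.
CLASS = [
    MechanismCosts("4-digit PIN", 1000, 200, 1000, 0.5, attempt_cost=0.01, variants=10 ** 4),
    MechanismCosts("8-char password", 1000, 500, 1000, 1.0, attempt_cost=0.01, variants=36 ** 8),
    MechanismCosts("10 secret questions", 2000, 300, 1000, 2.0, attempt_cost=0.05, variants=2 ** 10),
]


def cost_indicators(cls=CLASS) -> Dict[str, float]:
    """Dimensionless cost indicator per mechanism, normalized by the class average."""
    return normalize({m.name: raw_maintenance_cost(m) for m in cls})


def security_indicators(cls=CLASS, skill: float = 1.0) -> Dict[str, float]:
    """Dimensionless brute-force security indicator per mechanism."""
    return normalize({m.name: brute_force_cost(m, skill) for m in cls})


if __name__ == "__main__":
    for name, value in cost_indicators().items():
        print(f"cost     {name:22s} {value:8.3f}")
    for name, value in security_indicators().items():
        print(f"security {name:22s} {value:12.6f}")
```

Because the cost indicators are normalized by the class average, a value of 1.0 means "typical for this class"; the security indicators show why the article insists on comparing only mechanisms of one class, since the password's enumeration cost dwarfs the other two so completely that it compresses them to near zero.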
From these basic indicators you can create two derivatives:
5. General security.
6. Overall effectiveness.
General security

The general security of the authentication mechanism against a certain type of attack, in this case against a full brute-force attack.
Overall effectiveness

The overall effectiveness of the authentication mechanism.
Recommendations for choosing and configuring authentication systems
1. The more authentication mechanisms your system uses, the better for the user and worse for you. The golden mean is the presence of three mechanisms: the main, backup and last resort.
2. The primary criterion for selecting and configuring the authentication mechanisms used in the system is general security. It should be approximately the same for all mechanisms, while their reliability and security should increase as the priority of using the mechanism falls.
3. When choosing between mechanisms that belong to the same class and have the same security, choose the one with the higher overall effectiveness.
4. It makes sense to compare only the mechanisms belonging to the same class, or having one common characteristic.
Constructive criticism, clarifications and examples from practice are welcome in the comments.