Entry Point Access control
Currently almost all computer systems work in this manner. The user is not permitted to perform any actions until
they have presented a valid username and password to the system, performed an IKE authentication, or a Kerberos ticket
exchange has successfully completed. After that point no further authentication activities are performed until the user
logs out and attempts to re-enter. Some systems have a suspend function that is either operated by the user or on an
inactivity timeout that then requires re-authentication before proceeding.
Continuous verification control
A continuos verification system will allow an anonymous user to execute a limited set of commands that are
considered low risk. Commands that list the system identification, or list some help pages and the like. For each
connection the system will maintain an Authentication Vector (AV) this vector will contain values as to how confident
the system is to the identity of the user, what privilege level the user is allowed to access, and the time and level
to which the user was last authenticated.
Each time a command or service is activated, the system will check the AV and compare this to a Required
Authentication Level Vector (RALV) this function would look at the two vectors and determine if the current AV was
sufficient to allow the execution of the command. If it was sufficient then the command is executed as normal.
Where the current AV is insufficient a mechanism is then invoked to increase the authentication of the user. I would
envisage that the requested command fails and the error path then invokes a routine that is passed the RALV and the AV.
This routine would examine the set of authentication mechanisms that are implemented on the terminal device that the
user is using, the set of identification information registered, and the expected increase in the AV resulting from a
successful authentication. It would then select an authentication method to check the user and execute it.
In the simplest case this may be the challenge for a valid user name and password pair, but it could incorporate
many other systems. For example the system may have a set of challenge response questions for which the user has easily
remembered answers, such as "what is your mothers maiden name?" or "What is your sisters date of
This system also allows for biometric identification systems, these generally return a confidence value as to how
certain the system is that the real person is there, rather than a binary pass / fail value. The result of the
biometric test is then weighted and added to the AV, if this then gives the user sufficient rights to execute the
command the command could proceed as normal.
There are also continuos biometric systems that, for example, monitor the characteristics of keyboard use, looking
at the time each key is pressed and the time interval between different key pairs. Or systems that look at the mouse
movements and clicking. In tests these system have been found to give a high degree of accuracy especially if they
accumulate their data over a reasonable period.
How would all this work?
Letís say you are a systems admin and you arrive at your desk in the morning. The first thing you will probably do
is a bit of checking on how things are going, list a few log files and the like. For this level of access we have set
just a fairly low level of RALV so you only need to give your username and answer two challenge questions chosen
randomly form the ones stored in the system.
While you are doing this the keyboard use authentication system is monitoring you and the video camera mounted on
your system is building up a picture of your characteristic head movements as you use the system. So after this when
you come to kill of some processes that need to be restarted the system is sufficiently confident in your identity to
let you do this.
Now you need some coffee and off you go to the coffee machine, and chat to some people in kitchen. An opportunist
jumps on to your terminal and starts looking around. Immediately the continuous verification agents are reporting much
lower confidence in your identity, as soon as the opportunist tries to do something critical the system challenges him
with a question, even if they get the question right the keyboard use will reduce their overall AV score. The camera
may have noticed your brief absence and reduced your AV score, if it genuinely you returning and you continue working
with high level commands the system would require re-authentication.
All of these authentication systems running on the client system will need to be engineered in a tamper resistant
manner, so that a hacker could not run a tampered demon that reported a false identity pattern to the system.
I have also talked about the "system" and a single amorphous blob. The actual implementation of the system
I have described would probably be split into an Authentication Server from which the various systems that I was
requesting access referred to verify my identity.
Easier to use
The more I use the system, the more confident the system is with my identity and hence lessens the reliance on
authentication based on things that I know (passwords), and more on things that I am (biometrics).
There is no root level password in this scheme which removes a major line of attack for system hackers. There may be
the need to have root level passwords on systems before they are incorporated into the authentication scheme but this
would only be for new system being installed, as soon as they were networked and linked to the authentication server
the root access could be disabled. Enabling it would require a very high level of identity authentication, if a hacker
can achieve this he would have no need of root.
The Biometric Consortium
The BioPassword System