Enhancing and Reinforcing Security and Usability of User Account Authentication Using Fingerprints As Username Credential

by Mohammad Hassan Algarni

A dissertation submitted to Florida Institute of Technology in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science

Melbourne, Florida
July 2018

We the undersigned committee hereby recommend that the attached dissertation be accepted as fulfilling in part the requirements for the degree of Doctor of Philosophy in Computer Science: "Enhancing and Reinforcing Security and Usability of User Account Authentication using Fingerprint as Username Credential" by Mohammad Hassan Algarni.

Lucas Stephane, Ph.D., Assistant Professor, School of Computing, Human-Centered Design Innovation Program, Advisor and Committee Chair
Walter Bond, Ph.D., Associate Professor, School of Computing
Marius Silaghi, Ph.D., Associate Professor, School of Computing
Munevver Subasi, Ph.D., Associate Professor, Mathematical Sciences
Philip J. Bernhard, Ph.D., Associate Professor, Director School of Computing Computer Sciences and Cybersecurity

Abstract

Title: Enhancing and Reinforcing Security and Usability of User Account Authentication using Fingerprints as Username Credential
Author: Mohammad Hassan Algarni
Committee Chair: Lucas Stephane, Ph.D.

By logging in, users gain access to a computer system after identifying and authenticating themselves. User credentials are required to log in, and they are typically some form of a username and a matching password. The username for logging in to an account is textual. This text can be either an email address or some alphanumeric or numeric characters chosen by the user. However, if the email account of a user is compromised, the attacker can click on the Forgot Password link available on the user interface of the target account. If the compromised email account has the same email address as the one used when registering for the target account, then a password reset link will be sent to the email address and the attacker will be able to compromise the target account as well. In addition, if the username of the target account is known, the attacker will just have to crack the password of that account.

The primary goal of this research is to address the vulnerabilities of authentication systems and thereby strengthen the security of user accounts by enhancing and reinforcing the security and usability of user account authentication using fingerprints as the username.

Contents

1 Background
  1.1 Introduction
  1.2 Overview
  1.3 Biometrics Purposes
    1.3.1 Security
    1.3.2 Avoiding Time Loss
  1.4 Biometrics System Components
    1.4.1 Fingerprint Recognition
    1.4.2 Face Recognition
    1.4.3 Iris Recognition
  1.5 Multimodal Biometrics Systems
    1.5.1 Background
    1.5.2 Assessment
    1.5.3 Fusion
    1.5.4 Multimodal Scenarios
    1.5.5 Adaptive and Non-Adaptive Fusion
    1.5.6 Unattended and Attended Biometrics Systems
    1.5.7 Summary
2 Biometrics Utilization
  2.1 Overview
  2.2 Usage in Commerce
    2.2.1 Most Used Biometrics
    2.2.2 Usage in Online Banking
    2.2.3 Usage in Automated Teller Machine (ATM)
    2.2.4 Summary
  2.3 Usage in Government
  2.4 E-Government Models with Commercial Applications
  2.5 Social Impact
  2.6 User Experience
  2.7 Summary
3 Biometrics Vulnerabilities and Countermeasures
  3.1 Spoofing Attacks
    3.1.1 Overview
    3.1.2 Spoofing Attacks
    3.1.3 Summary
  3.2 Attacks on Biometric Systems
    3.2.1 Fingerprint Sensors and Attack Types
  3.3 Defense Techniques
  3.4 Revocable Biometrics
4 Literature Review
  4.1 Overview
  4.2 Detailed Review
    4.2.1 Use of fingerprints in authentication
    4.2.2 Use of order of multiple fingerprints in authentication
    4.2.3 Use of Multimodal Biometrics in Authentication
    4.2.4 Use of fingerprints as usernames and/or password
  4.3 Conclusion
5 Research Problem Statement
  5.1 Motivation
  5.2 Problem Statement
  5.3 Problem Goals
  5.4 Problem Questions
  5.5 Research Hypothesis
  5.6 Research Methodology
    5.6.1 Introduction
    5.6.2 Approach
    5.6.3 Research Method
6 Survey Findings and Conclusion
    6.0.4 Demographic Information
  6.1 Model Related Information
  6.2 Conclusion
7 Evaluation of the Authentication Systems
  7.1 Evaluation framework
  7.2 Relevance of the framework to the proposal
  7.3 Application of the framework to the proposal
    7.3.1 Usability
    7.3.2 Security
  7.4 Security Metrics
  7.5 Summarized metric results
  7.6 Implications and Conclusion
8 Evaluating of the User Adoption
  8.1 Background on the proposed idea
  8.2 Proof of Concept
  8.3 Selection of Adoption model
    8.3.1 Formulating Hypothesis
    8.3.2 Methodology
9 Analysis of the Survey
  9.1 Results
    9.1.1 Demographic information
    9.1.2 Information related to FUAF
  9.2 Reliability
  9.3 Implications
  9.4 Analysis of Usability Metrics
10 Conclusions and Future Work
  10.1 Conclusion
  10.2 Directions for further research
  10.3 Timeline
A List of Publications
B Surveys Questions

List of Figures

1.1 Three categories of user authentication [1]
1.2 Structure of Unimodal Biometric System
1.3 Biometrics enrollment and recognition process
1.4 Minutia in a fingerprint [2]
1.5 Optical scanner [3]
1.6 Capacitive scanner [4]
1.7 Screen-shot captured from facial recognition program Aurora [5]
1.8 Example of an iris pattern [6]
1.9 Multimodal Biometric Scenarios [7]
1.10 Adaptive Fusion VS Non-Adaptive Fusion [8]
2.1 Proportion of used biometric technologies in the world's banks [9]
2.2 A lady is getting her iris scanned by the ATM to withdraw her monthly cash allowance [10]
3.1 Possible attack points in a generic biometrics-based system [11]
3.2 Example of live and non-live fingerprints captured by capacitive DC scanner. (a) Live finger; (b) spoof finger made from Play-Doh; (c) spoof finger made from gelatin; (d) cadaver finger [12]
3.3 Block diagram of the proposed cascade structure for face spoofing detection [13]
3.4 Segmentation results and four paths in the common iris region of two images (a) and (b) captured in illumination condition I and II. Image (b) is resized to have the same iris diameter as that of image (a). The blue circle in image (b) defines the pupil size in image (a) [14]
3.5 A normal eye and one with a patterned contact lens generate different deformations of a projected stripe pattern [15]
3.6 Possible attacks on the biometric system at various points [16]
5.1 Technology Acceptance Model (TAM) [18]
6.1 The responses percentage for the Demographic Information of participants: Gender, Age and Education Level
6.2 Chart showing the responses percentage for participants' familiarity with fingerprint technologies
6.3 Chart showing the responses percentage for how participants perceived information present on their phones
6.4 Chart showing the responses percentage for the level of privacy protection that participants required for their information on their phones
6.5 Chart showing the responses percentage if the participants would store more private information on their phones if it has fingerprint scanner
6.6 Chart showing the responses percentage of participants if they think the fingerprint authentication technique was better than traditional security methods
6.7 Chart showing the responses percentage of participants to use fingerprints as usernames or alphanumeric usernames
8.2 Sign Up Screen
8.3 Sign Up Screen with details entered
8.4 Authenticate Fingerprint Screen
8.5 Sign In screen
8.6 Sign In screen with details entered
8.7 Profile page after successful sign in
8.8 Reset Password screen
8.9 Password reset email
8.1 Home screen of the prototype app
8.10 Technology Acceptance Model (TAM)
9.1 The responses percentage for the Demographic Information of participants: Gender, Age and Education Level
9.2 Chart showing the responses percentage for participants if they think FUAF is easy to use
9.3 Chart showing the responses percentage for participants if they think learning FUAF is clear
9.4 Chart showing the responses percentage for participants if they think using FUAF will be easy
9.6 Chart showing the responses percentage for participants if they think it would be faster to sign in with FUAF
9.7 Chart showing the responses percentage for participants if they think it would be useful not to remember textual usernames
9.8 Chart showing the responses percentage for participants if they think using fingerprints as usernames is a viable idea
9.9 Chart showing the responses percentage for participants if they think using FUAF will be advantageous
9.10 Chart showing the responses percentage for participants if they think using FUAF is a good idea
9.11 Chart showing the responses percentage for participants if they think using FUAF is within their control
9.12 Chart showing the responses percentage for participants if they have the resource, knowledge and the ability to use FUAF

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    218 Page