8. The Means of Cybersecurity: Access Control 195

low-cost attacks against passwords. For example, shoulder surfing attacks are devastating against passwords, but they are ineffective against biometrics—observing a person scanning a fingerprint does nothing to help a hacker.

[Table 8.1 Comparisons of biometrics rated on a scale of 1 (low) to 5 (high)—these ratings are for illustration purposes only and are not necessarily accurate.]

One advantage of passwords, however, is that they cannot be “extracted” without the user’s cooperation. This is not true of biometrics. People can potentially be forced to provide a recognition sample, for example, by holding their phone up to their faces. Attackers could also trick a person into providing a biometric sample without their knowledge—this would be much more difficult to do with passwords.

Another potential downside of biometrics compared to passwords is that they cannot be reset. If a password is compromised, the user can always just create a new password. However, biometrics cannot be modified, so a compromised biometric sample might disqualify that particular biometric for future use.

8.1.3 Something You Have

The last category of authentication token is something you have. Here, the authentication mechanism verifies that the user is in possession of a unique device. The device is registered during the enrollment phase. The device could be a smartphone, a smart card, a USB stick, or another physical token.

8.1.3.1 Smartphone

“Something you have” authentication tokens work by verifying that the user has a device. For smartphones, one method is to send the user a text message with a one-time passcode. The user checks his phone, sees the passcode, and types it in. Passcodes seem similar to passwords, but they serve a different purpose. The passcode is randomly generated, only used once, and has a short expiration. The assumption is that if the user can type in the passcode, then he must have the device it was sent to. Since the passcode is only valid for a short period of time, this ensures that the user is in possession of the device at the time he logs in. The longer that passcodes are valid, the more they resemble passwords
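The three properties the chapter attributes to a one-time passcode (randomly generated, single use, short expiration) are what a server-side verifier has to enforce; the text message itself is only the delivery channel. The following Python is an added example written for this section, not code from the book: it models the server's side of the exchange with a hypothetical PasscodeStore class, a placeholder server key, and an injectable clock so the expiry and reuse cases can be exercised without waiting. Delivery to the enrolled phone is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6          # assumed: six-digit numeric passcode
TTL_SECONDS = 300        # assumed validity window (five minutes)
MAX_ATTEMPTS = 3         # assumed: wrong guesses allowed before the code is voided
SERVER_KEY = b"placeholder-server-key"  # placeholder; a real deployment loads a secret


@dataclass
class _Pending:
    code_mac: bytes      # keyed hash of the code; the plaintext is never stored
    expires_at: float    # absolute time after which the code is rejected
    attempts_left: int


class PasscodeStore:
    """Hypothetical server-side record of passcodes awaiting verification."""

    def __init__(self, ttl=TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # user -> _Pending (one live code per user)

    @staticmethod
    def _mac(user, code):
        # Bind the code to the user so a code issued for one account cannot be
        # replayed against another; keyed so the table alone reveals nothing.
        msg = f"{user}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Generate a fresh random code for `user` and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[user] = _Pending(
            code_mac=self._mac(user, code),
            expires_at=self._now() + self._ttl,
            attempts_left=MAX_ATTEMPTS,
        )
        return code  # caller sends this to the phone registered at enrollment

    def verify(self, user, submitted):
        """Check a typed-in code. Returns one of: ok, expired, mismatch, no_pending."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending"         # nothing issued, or already consumed
        if self._now() > entry.expires_at:
            del self._pending[user]     # short expiration: possession is checked now
            return "expired"
        if not hmac.compare_digest(entry.code_mac, self._mac(user, submitted)):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self._pending[user] # void the code after too many guesses
            return "mismatch"
        del self._pending[user]         # single use: a correct code is consumed
        return "ok"


def demo():
    """Walk through the wrong, right, reused and expired cases on a fake clock."""
    clock = [1_000_000.0]
    store = PasscodeStore(ttl=300, now=lambda: clock[0])

    code = store.issue("alice")
    wrong_guess = "000000" if code != "000000" else "111111"
    results = {
        "wrong": store.verify("alice", wrong_guess),   # counted, code still live
        "right": store.verify("alice", code),          # accepted and consumed
        "reuse": store.verify("alice", code),          # same code a second time
    }

    code2 = store.issue("alice")
    clock[0] += 301                                    # step past the TTL
    results["expired"] = store.verify("alice", code2)
    return results


if __name__ == "__main__":
    print(demo())
```

The keyed hash and constant-time comparison are conventional hardening rather than anything the chapter requires; the behaviour that matters for the argument in the text is that a correct code is accepted exactly once and only while the short window is open.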