Authentication
Definition
Use strong authentication mechanisms (e.g., biometrics, smart cards, multifactor authentication) to authenticate users
and software components, such as ROS 2 nodes, and prevent unauthorized access to robotic systems.
How it works
Multifactor: when logging into an account, the user presents two or more credentials that fall into different
categories (two credentials from the same category, such as two passwords, do not count as two factors):
a. Something You Know: usually a password or PIN. When the user enters it, the system compares it against the
stored credential (for passwords, a salted hash rather than the plaintext).
b. Something You Have: a physical item the user possesses, such as a smart card, hardware token, or mobile device.
The system verifies possession, for example by checking a one-time code or a signature that only that device can
produce.
c. Something You Are: biometric authentication, such as fingerprint, retina scan, facial recognition, or voice
recognition, which verifies a person's unique physical characteristics.
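A worked example of the two-factor check described above, using a password as "something you know" and an RFC 6238 time-based one-time password (TOTP) from an authenticator app or hardware token as "something you have"; it also implements the account lockout and attempt logging recommended under Considerations below. This is an added example, not code from the original page. The in-memory account store, the enrolled user, the TOTP secret (the RFC 6238 reference secret) and the lockout thresholds are constructed for the example.

```python
"""Two-factor login check: a salted password hash ("something you know") plus an
RFC 6238 TOTP code ("something you have"), with lockout, replay rejection and an
audit log of attempts.

Added example, not code from the original page. Standard library only. The
account store, TOTP secret and log are constructed in memory; MAX_FAILURES and
LOCKOUT_SECONDS are an assumed policy, not values from the page.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30          # RFC 6238 time step, seconds
TOTP_DIGITS = 6
MAX_FAILURES = 5        # assumed lockout policy
LOCKOUT_SECONDS = 300   # assumed lockout policy


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 of the password. Store salt and hash, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def totp(secret: bytes, at: float, digits: int = TOTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, then the
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """In-memory accounts with per-user failure count, lockout and TOTP replay guard."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}
        self.last_counter: dict[str, int] = {}              # last accepted TOTP step per user
        self.log: list[tuple[float, str, str, str]] = []    # (time, user, result, reason)

    def enroll(self, user: str, password: str, totp_secret: bytes) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "hash": digest, "totp": totp_secret}

    def _fail(self, user: str, reason: str, now: float) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:             # lockout against brute force
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        self.log.append((now, user, "FAIL", reason))
        return False

    def login(self, user: str, password: str, code: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        if now < self.locked_until.get(user, 0.0):
            self.log.append((now, user, "FAIL", "locked"))
            return False
        acct = self.accounts.get(user)
        # Factor 1: run the KDF even for unknown users so timing does not reveal
        # which usernames exist; compare the hashes in constant time.
        salt = acct["salt"] if acct else bytes(16)
        _, digest = hash_password(password, salt)
        if acct is None or not hmac.compare_digest(digest, acct["hash"]):
            return self._fail(user, "bad password", now)
        # Factor 2: accept the current step or one step either side (clock drift),
        # but never a step at or before the last accepted one (replay of a captured code).
        counter = int(now // TOTP_STEP)
        for cand in (counter, counter - 1, counter + 1):
            if cand < 0:
                continue
            if hmac.compare_digest(totp(acct["totp"], cand * TOTP_STEP), code):
                if cand <= self.last_counter.get(user, -1):
                    return self._fail(user, "totp replay", now)
                self.last_counter[user] = cand
                self.failures.pop(user, None)
                self.log.append((now, user, "OK", "password+totp"))
                return True
        return self._fail(user, "bad totp", now)


if __name__ == "__main__":
    auth = Authenticator()
    secret = b"12345678901234567890"      # RFC 6238 reference secret (constructed enrollment)
    auth.enroll("operator", "correct horse battery", secret)
    print(auth.login("operator", "correct horse battery", totp(secret, 59), now=59))   # True
    print(auth.login("operator", "correct horse battery", totp(secret, 59), now=59))   # False: replay
    for entry in auth.log:
        print(entry)
```

The totp function reproduces the RFC 6238 reference vectors (secret 12345678901234567890, SHA-1, six digits), for instance 287082 at T = 59, so it can be checked against any standard authenticator app. The window of one step either side is the usual compromise between clock skew and replay exposure; remembering the last accepted step closes the replay hole that the window would otherwise open. The log is the input a monitoring rule for repeated FAIL entries per user or source would consume.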
Biometrics: biometric authentication verifies identity by comparing unique physical or behavioral traits, such as
fingerprints or facial features, against a stored template. During enrollment the user's biometric sample is
captured, and its key features are extracted and stored securely as the template. At authentication time a fresh
sample is compared with the template by a matching algorithm; if the match score exceeds a predefined threshold,
access is granted, otherwise it is denied. Biometric authentication combines security with user convenience, but it
requires specialized capture hardware, protection against spoofing with fake or replayed samples (presentation
attacks), and careful handling of the stored templates, which, unlike a password, cannot be reissued if they leak.
Authentication within ROS2
Within SROS2 the unit of authentication is the enclave, which is attached to a node or process rather than to a
topic. Each enclave in the keystore holds the participant's identity certificate and private key
(enclaves/<enclave>/cert.pem and key.pem) together with the certificate of the keystore's Identity Certificate
Authority (public/identity_ca.cert.pem) and the participant's signed permissions. When a node joins the DDS domain it
presents its certificate in the DDS-Security authentication handshake; the remote participant checks that the
certificate is signed by the same Identity CA, and only a participant that passes this check goes on to exchange
session keys and to have its permissions evaluated for the topics it wants to publish or subscribe to. With
ROS_SECURITY_ENABLE=true and ROS_SECURITY_STRATEGY=Enforce, a node that cannot load a valid enclave fails to start
rather than silently running unsecured; whether unauthenticated participants are admitted to the domain at all is set
in the governance file (allow_unauthenticated_participants). The certificate and private key implement the
"something you have" factor and prove the participant's identity; what that participant may then do on each topic is
governed separately by the Permissions CA and the permissions file.
This is described in the ROS2 Security documentation.
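The signing check that the handshake performs, as an added example that is not code from the sros2 package or the ROS 2 documentation. It uses the `cryptography` library to build an Identity CA and an enclave certificate, writes them in the SROS2 keystore layout, and shows that a certificate for the same enclave name issued by a different CA is rejected even when that CA carries the same name. The CA common name, the enclave path /talker_listener/talker, the temporary keystore directory and the rogue CA are constructed for the example; ECDSA P-256 is used because that is the curve the SROS2 keystore tooling generates.

```python
"""Identity-CA check as SROS2 / DDS-Security performs it: a participant's
certificate is accepted only if the keystore's Identity CA signed it.

Added example, not code from the sros2 package. Builds an Identity CA and an
enclave certificate with `cryptography`, writes them in the SROS2 keystore
layout (public/identity_ca.cert.pem, enclaves/<enclave>/cert.pem, key.pem) and
checks the chain. CA name, enclave path and the rogue CA are constructed.
"""
from __future__ import annotations

import datetime as dt
import tempfile
from pathlib import Path

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _build_cert(subject, issuer, pubkey, signer_key, is_ca: bool, days: int) -> x509.Certificate:
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=1))
            .not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def make_ca(cn: str):
    """Self-signed ECDSA P-256 CA, the curve the SROS2 keystore tooling uses."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _build_cert(_name(cn), _name(cn), key.public_key(), key, True, 3650)


def issue_enclave_cert(ca_key, ca_cert: x509.Certificate, enclave: str):
    """Leaf certificate whose CN is the enclave path, signed by the Identity CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _build_cert(_name(enclave), ca_cert.subject, key.public_key(), ca_key, False, 365)


def write_keystore(root: Path, ca_cert, enclave: str, enc_key, enc_cert) -> None:
    """The subset of the SROS2 keystore layout that the identity check needs."""
    (root / "public").mkdir(parents=True, exist_ok=True)
    (root / "public" / "identity_ca.cert.pem").write_bytes(ca_cert.public_bytes(serialization.Encoding.PEM))
    enc_dir = root / "enclaves" / enclave.lstrip("/")
    enc_dir.mkdir(parents=True, exist_ok=True)
    (enc_dir / "cert.pem").write_bytes(enc_cert.public_bytes(serialization.Encoding.PEM))
    (enc_dir / "key.pem").write_bytes(enc_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))


def _validity(cert: x509.Certificate):
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:   # cryptography < 42 exposes naive UTC datetimes only
        return (cert.not_valid_before.replace(tzinfo=dt.timezone.utc),
                cert.not_valid_after.replace(tzinfo=dt.timezone.utc))
    return nb, cert.not_valid_after_utc


def signed_by_identity_ca(cert, identity_ca, expected_enclave: str | None = None) -> bool:
    """Peer-side check in the authentication handshake: issuer is the Identity CA,
    the certificate is inside its validity period, the CA's public key verifies the
    signature, and (if given) the CN names the enclave we expect."""
    if cert.issuer != identity_ca.subject:
        return False
    nb, na = _validity(cert)
    if not nb <= dt.datetime.now(dt.timezone.utc) <= na:
        return False
    try:
        identity_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if expected_enclave is not None:
        return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value == expected_enclave
    return True


def check_enclave(keystore: Path, enclave: str) -> bool:
    """Load the PEM files from disk and check them, the equivalent of
    `openssl verify -CAfile public/identity_ca.cert.pem enclaves/<enclave>/cert.pem`."""
    ca = x509.load_pem_x509_certificate((keystore / "public" / "identity_ca.cert.pem").read_bytes())
    leaf = x509.load_pem_x509_certificate((keystore / "enclaves" / enclave.lstrip("/") / "cert.pem").read_bytes())
    return signed_by_identity_ca(leaf, ca, enclave)


def demo() -> dict:
    """Genuine enclave passes; same CN issued by a rogue CA with the same name fails."""
    enclave = "/talker_listener/talker"
    ca_key, ca_cert = make_ca("sros2CA")                 # constructed CA name
    enc_key, enc_cert = issue_enclave_cert(ca_key, ca_cert, enclave)
    rogue_key, rogue_ca = make_ca("sros2CA")             # same name, different key
    _, rogue_cert = issue_enclave_cert(rogue_key, rogue_ca, enclave)
    with tempfile.TemporaryDirectory() as tmp:
        write_keystore(Path(tmp), ca_cert, enclave, enc_key, enc_cert)
        from_disk = check_enclave(Path(tmp), enclave)
    return {"legitimate": signed_by_identity_ca(enc_cert, ca_cert, enclave),
            "from_disk": from_disk,
            "rogue_ca": signed_by_identity_ca(rogue_cert, ca_cert, enclave),
            "wrong_enclave": signed_by_identity_ca(enc_cert, ca_cert, "/talker_listener/listener")}
```

On a real keystore the same check is `openssl verify -CAfile keystore/public/identity_ca.cert.pem keystore/enclaves/talker_listener/talker/cert.pem`. The rogue certificate in demo() carries the same issuer name as the genuine Identity CA, so the name comparison passes; only the signature verification under the CA's public key rejects it, which is why the check must never stop at matching names.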
Considerations
Multifactor authentication configuration steps vary across accounts and systems, and in some cases enabling it is
left to the individual user, so verify that it is actually enforced rather than merely available.
- Use strong, unique passwords and add multi-factor authentication.
- Regularly review and update access credentials.
- Implement account lockout policies to prevent brute-force attacks.
- Monitor and log authentication attempts for suspicious activity.
- Ensure biometric data storage is secure and compliant with privacy laws.
- Use anti-spoofing measures to prevent fraudulent biometric data.
- Educate users on proper biometric usage and hygiene.
Related ATT&CK Techniques
Default Credentials
References
MITRE D3FEND Multi-factor Authentication
MITRE D3FEND Biometric Authentication
NIST CSRC - Authentication