Authentication Methods

One of the the primary roles of the Identity Provider is to authenticate the user that has been sent there.  There are a number of long standing ways of doing this, like User ID and Password which although having some pretty basic flaws it is still in widespread use and doesn't seem to be going anywhere in a hurry.

There are a few of things to bear in mind when talking about authentication methods and Government services.  Firstly is frequency of use; many Government services are annual, so you could be having people logging in once a year.  This brings its own issues, it rules out password expiry for a start, and secondly it means that people are going to write things down.

The second issue is around what do people do when they need their authentication reset?  Who do they phone?  Is there going to be a central helpdesk, or if I am trying to access the Contoso City Council site should I not phone them?  The answer often comes down to cost and political desire.

Finally we have to remember that Authentication is not a guarantee of who someone is, but rather it is the same person returning.  As we provide stronger authentication methods, we also need to increase the assurance that we are dealing with the correct person.

User ID and Password
This is the most common authentication method in the world, I won’t go through all of its flaws as they are pretty well known; however I would prefer to concentrate on its strengths.  Its huge strength is simplicity and cost effectiveness.  If you are looking at providing authentication to a large population size, you need a method that can scale easily at low cost.  I am not talking about scale in a performance sense, but more management, education and distribution.  The User ID and Password is the most understood of all the computing paradigms and requires no training or special equipment.

This is something that the banks have rolled out very successfully.  It involves someone picking 3 characters from a know passphrase.  Again, like passwords it has its problems.  It is prone to attack from Trojan’s; they can take screen captures on mouse clicks as well as record key strokes.  However, like the User ID and Password, it scales well.

Shared Secrets
This is more commonly used as a password reset mechanism, asking a set number of questions along the lines of ‘What is your mother’s maiden name’, ‘Where were you born’ etc.  Although easy for people to use and understand, it is open to social engineering attacks.  There have been a number of quite high profile hacks, the last big one was on the US Vice-President nominee Sarah Palin who had her Yahoo email account hacked by someone who just looked up the answers to the questions on Wikipedia. With people posting more and more info to FaceBook, Friends Reunited, etc etc answering question like mother’s maiden name and where you were born get easier to answer, and for those people like Sarah Palin who have their entire lives examined by the press, these questions get very trivial to answer.

Certificates / Smartcards
This is the most common secure method of authenticating used in both business and more commonly now by Governments; however the cost and complexity is a significant step up from User ID and Password, but then again it is infinitely more secure.

The distribution of ‘soft certificates’ has never really been practical.  You can download the certificate easily enough onto the machine, but it is difficult to then move that certificate from machine to machine.

So that is where SmartCards come in as the certificate is not on the machine, but rather held on the card.  However, you now need a piece of hardware to read that certificate which most home PC’s and many business PC’s do not have.  So there is a cost in distributing and supporting card readers.

The other cost is the production of certificates themselves.  All certificates have to have a ‘trusted root’ and this is provided by people like VeriSign who are Certificate Providers.  However the Certificate Providers charge for this, so there will be a cost in every certificate produced.  Alternatively a Government can become an Certificate Provider themselves, but this in itself is not a cheap option.

Finally, you now need to get sites to support certificate authentication.  They are going to have to add the code to accept and validate the certificates which is not easy (of course with federation you only need to do that on the Identity Providers rather than all the sites…)

This is something that we are starting to see being looked at. EMV (Europay, Mastercard and VISA) is the standard used to authenticate your purchase with a PIN number in the retailer.  It is used extensively across Europe, and if the banks have their way it will be going worldwide.  It is seen to have a number of advantages over certificates around cost and complexity.

Firstly the cards themselves are far cheaper as they do not have to hold a proper certificate just a set of crypto keys, and you do not have to have a Certificate Provider to provide the certificates.  So if you are looking at distributing large number of cards, the cost is far lower (which is why the banks never adopted certificates).EMV Card Reader

The card readers are also separate from the computer, so no driver issues.  To authenticate you put your card in, type in the number given to you by the web site, type in your PIN, and then the card reader gives you a number to back type into the web site – challenge and response.  The other nice addition is that as it is all numeric, you can do it over a phone line.

The downside is the cost of the readers; they are coming down in price as the banks are starting to distribute them to customers.  I will probably do a separate post on this technology as it looks rather promising.

CardSpace and Information Cards
Information Cards are a virtual representations of your identity that are stored on your computer.  You can have multiple cards, supplied by different Identity Providers and they support things like User ID and Password, Certificates and also can be the an identity themselves.

CardSpace is a cross industry attempt and providing a common and secure way of authenticating people over the internet.  I will do another post explaining it in more details, but there is more info here and more technical info here.

There are other technologies out there, but the ones above are the most common ones that are seen in the Government and Citizen identity space.