Do you need strong authentication?
So before I move off the authentication topic, I just wanted to put forward a question. Do we need strong authentication for Government Online Services?
The answer has to come down to ‘what am I doing online?’. I personally perform a vast number of functions online, and many of them are more sensitive for me than the information I exchange with my Government online – for example my banking (for which I need nothing more than a password and 3 letters from a passphrase to access). I am not saying that we should ignore security requirements at all; however, we have to balance the cost to the service provider (the Government) and the cost to me (more secure authentication tends to be more complex for me) against the confidentiality of what I am accessing. If you do not get the balance right, people will not adopt the online service and sites will not implement it. It is the age-old debate of balancing security and usability.
Take paying tax in the real world. I can write a cheque with my name on it and my signature, and send it with a letter saying I want to pay someone else's tax, and it will be accepted by the Government. So for the process of paying tax online, how much security do we need when there is effectively none in the offline world?
Excluding health, will online Government services ever be more sensitive than my bank account? If you tie an unrealistic level of security to a process (either too high or too low), people will not use it.
Taking certificates as an example: these often carry a cost to the citizen to obtain the certificate, and a cost to renew it. As a person I have to weigh up the financial cost, the cost of my time and the security that I require. Given a choice of paying for a certificate to submit a few online forms a year, or using the paper-based versions… I will probably use the paper-based versions.
Even in this web 2.0-enabled world we live in, unless there is a greater benefit to getting me online, I am happy to stay in a paper-based world.
I am not saying that Governments should not adopt technologies like smartcards; I just think we need to be careful not to default to the most secure answer when the process does not warrant it.