A while back, I wrote about the three keys to a quality process for using shared secrets in establishing an individual’s identity: quantity, quality and the degree to which a secret is shared.
The quality (i.e. relative strength) of a shared secret is critically important if it is to be used to establish a credential for access to government information. Quick, rank the following in order of declining strength:
a provincial student number
your last federal tax return refund or payment amount
a randomly generated PIN that is mailed to you
your birth date
your mother’s maiden name
The student number is a common identifier for the education system. It uniquely identifies students ‘in the system’ and, in most cases, is assigned at entry into kindergarten and used right through post-secondary. Its strength comes from its uniqueness, its ability to be independently verified, the authority that issues it (the government), and the strong processes they follow to issue and maintain the number. However, student numbers are often displayed on report cards, certificates and countless other paper and electronic documents. It is not difficult to find out a person’s student number.
Dollar amounts from federal tax returns are similarly unique to an individual (or, at least, the combination of the user’s name, perhaps their SIN and the dollar amount is considered unique). The information is securely delivered to the individual’s household via Canada Post. It is reasonable to assume that if you answer this shared secret correctly, you are the individual you claim to be — with one exception: others in your household have access to your mail and tax papers.
One-time PINs are useful in e-government applications when issued to individuals for identity assurance purposes. Often the government will have good information on the identity of the user, have a reliable address and perhaps a request from the user to establish an electronic identity. A PIN is created, mailed to the user and then provided by the user in a prescribed online credential creation process. By having appropriate one-time-use and PIN expiry processes, the government can be reasonably assured that the individual is who they claim to be, with one exception: others in the household may gain access to the correspondence containing the PIN.
Your birth date and your mother’s maiden name are both fairly common shared secrets that have the benefit of easy recall for the user, but suffer from overuse and low secret strength. Genealogy sites, social networking sites and public records can easily be used to retrieve these ‘secrets’. A large disadvantage to this type of secret is that it does not change — once compromised it cannot be reset to another value (unlike a password) and becomes useless.
It can be seen that none of these mechanisms allows for absolute assurance. Without strong in-person verification there will always be gaps. However, several online implementations have been successful by combining shared secrets of different strengths when establishing the identity and by notifying the user when the process was executed. For example, if you want to mail the user a PIN but there is concern that it could be used by someone else in the household, two mitigating processes could be used:
1. Send the user a follow-up notice (letter or email or both) when the PIN is consumed thereby alerting them if they had not performed the process themselves; and/or
2. Combine the PIN with additional shared secrets. A student number and a PIN and one’s birth date and a previous course mark is a difficult combination to crack, even by someone in the same household.
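The mailed-PIN process with both mitigations can be sketched in code. This is an added example, not taken from any government system; the names `issue` and `PinEnrollment`, the 14-day expiry, the five-attempt lockout and the in-memory `notices` list are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 14 * 24 * 3600  # assumed expiry window for a mailed PIN
MAX_ATTEMPTS = 5                  # assumed lockout threshold


def _digest(salt: bytes, value: str) -> bytes:
    # Salted, slow hash so the stored record does not hold the secret itself.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)


class PinEnrollment:
    def __init__(self, pin: str, extra_secrets: dict, now: float):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _digest(self.salt, pin)
        self.extra = {k: _digest(self.salt, v) for k, v in extra_secrets.items()}
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts = 0
        self.consumed = False
        self.notices = []  # stand-in for the follow-up letter/email queue

    def verify(self, pin: str, answers: dict, now: float) -> str:
        if self.consumed:
            return "already_used"
        if now > self.expires_at:
            return "expired"
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        # Check every secret, no short-circuit: the reply must not reveal
        # which one was wrong (e.g. to a household member holding the letter).
        ok = hmac.compare_digest(self.pin_hash, _digest(self.salt, pin))
        for name, stored in self.extra.items():
            given = _digest(self.salt, answers.get(name, ""))
            ok &= hmac.compare_digest(stored, given)
        if not ok:
            self.attempts += 1
            return "rejected"
        self.consumed = True  # one-time use
        self.notices.append("Your PIN was used to create an online credential.")
        return "accepted"


def issue(extra_secrets: dict, now: float):
    # The plaintext PIN is returned once, for the mailed letter only.
    pin = f"{secrets.randbelow(10**8):08d}"
    return PinEnrollment(pin, extra_secrets, now), pin
```

The PIN alone is never sufficient here: a caller holding the letter but missing one of the additional shared secrets gets the same `rejected` result as a caller with a wrong PIN.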
Striking a balance between the quality and quantity of shared secrets, and introducing a confirmation notice, are the keys to establishing workable online identity assurance solutions.