Read an interesting article yesterday on the Supreme Court’s ruling in favour of the province’s right to enforce photos on driver’s licenses — see my post at the Canadiam blog.
I haven’t applied for a credit card in a while and so I wasn’t expecting this new identity proofing process from BMO MasterCard…
I called the customer service number to activate the card. In the past, you simply had to enter the 16-digit number and, assuming you were calling from your home phone number, the combination of card number and phone number was sufficient to validate your identity.
Today, however, the system collected my card number and explained that I would need to participate in an identity proofing process based on my credit history.
After a few minutes on hold, the agent came online. Here is the transcript, somewhat paraphrased:
Agent: Hello, Mike, we need to confirm your identity using information from your credit history. We will ask you some questions and you can pick from three multiple-choice answers. Do you agree to this process?
Me: Uh, Sure.
Agent: Okay, from the following list of credit unions, who have you banked with in the past five years? <she then listed three credit unions.>
Me: <name of credit union.>
Agent: That is correct. Next, from the following apartment numbers, pick the one that corresponds to a previous residence.
Me: Uh, well I can’t recall the last time I’ve lived in an apartment…
Agent: Well… Let me list the numbers and see if you recognize any: 1101, 6A or 904.
Me: I’m not sure — is this my only option? The last time I lived in an apartment was 1987!
Agent: Well, we need an answer to this question.
Me: I can’t remember an apartment from 20 years ago… can you?
Agent: Uh, no, I see your point… but the credit bureau has this information…
Me: (sigh) I’m sure they do… and I’m sure it is accurate, but this isn’t much use to us if I can’t remember.
Agent: Well, if we can’t finish this process you can go to your bank in person with two pieces of identification to activate your card.
Me: I see. Well, can I guess? How about ‘1101’ ?
Agent: Yes! That worked; your card is now activated…
I’ve written about shared secrets and identity proofing before, and I knew that credit bureau information was a rich source of shared secrets. In fact, these types of questions are likely what is driving the Equifax Over 18 I-Card implementation (used to prove age of user among other things).
So what is new and worth commenting about all this?
- The questions are locked – the agent only had two questions and I had to get them correct on the first try to proceed. She was surprised when I asked for an alternate question.
- There were only three options to each question. I actually guessed at the apartment number and was successful. With only two questions and three options each, a fraudster guessing blindly has a one-in-nine chance (about 11%) of getting both right.
- Because my call had to be from my home phone, the threat they are attempting to thwart is (presumably) ‘an intercepted card by someone in the same household (or someone with caller ID spoofing capability)’. This seems a low-probability occurrence, but it is evidently worth the bank’s effort to implement this additional process.
My best guess is that they are having trouble with intercepted mail and caller ID spoofing. I wonder if the additional shared secrets presented in a multiple choice format are sufficient to overcome a determined (or lucky guesser!) fraud artist given that they’ve already stolen my mail and know my phone number…
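As an added example (not part of the original post, and not BMO’s or any credit bureau’s code), here is the arithmetic behind the guessing odds written out as a small Python function, generalised to any number of questions, options per question, permitted guesses per question and questions the fraudster already knows from stolen mail. The two-question, three-option, no-retry setup is an assumption matching the call described above; a Monte Carlo check confirms the closed form.

```python
"""
Added example: how well a multiple-choice knowledge-based authentication
(KBA) step resists a caller with no information.  Parameters below are
assumptions chosen to match the BMO call described in the post.
"""
from fractions import Fraction
import random


def kba_guess_probability(questions: int, options: int,
                          attempts_per_question: int = 1,
                          already_known: int = 0) -> Fraction:
    """Probability that a blind guesser passes the whole KBA step.

    questions             number of questions that must all be answered
    options               choices offered per question
    attempts_per_question distinct guesses allowed before the question is
                          failed (1 = the 'locked' behaviour in the post)
    already_known         questions whose answer the fraudster has already
                          learned elsewhere (counted as passed)
    """
    if not 1 <= attempts_per_question <= options:
        raise ValueError("attempts must be between 1 and the number of options")
    if not 0 <= already_known <= questions:
        raise ValueError("already_known must be between 0 and questions")
    # An unknown question is passed when one of the distinct guesses hits the
    # single correct option, so each one succeeds with attempts/options.
    per_question = Fraction(attempts_per_question, options)
    return per_question ** (questions - already_known)


def questions_needed(options: int, target, attempts_per_question: int = 1) -> int:
    """Smallest number of questions that pushes the blind-guess rate below target."""
    n = 0
    while kba_guess_probability(n, options, attempts_per_question) > target:
        n += 1
    return n


def simulate(questions: int, options: int, attempts_per_question: int = 1,
             trials: int = 100_000, seed: int = 1) -> float:
    """Monte Carlo check of kba_guess_probability; returns the observed pass rate."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        ok = True
        for _ in range(questions):
            answer = rng.randrange(options)
            guesses = rng.sample(range(options), attempts_per_question)
            if answer not in guesses:
                ok = False
                break
        passed += ok
    return passed / trials


if __name__ == "__main__":
    print("2 questions, 3 options, locked:", kba_guess_probability(2, 3))
    print("same, but one alternate guess allowed:", kba_guess_probability(2, 3, 2))
    print("same, fraudster already knows one answer:", kba_guess_probability(2, 3, already_known=1))
    print("questions needed to get under 1%:", questions_needed(3, Fraction(1, 100)))
    print("simulated pass rate:", simulate(2, 3))
```

Two things the function makes visible: letting the caller ask for an alternate answer on each question (a second distinct guess) raises the blind-guess rate from 1/9 to 4/9, and if the fraudster already holds one answer from the stolen envelope the remaining defence is a single one-in-three question.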
I took a day off today so I happened to be driving through my own neighbourhood around 10:00am. As I turned the bend, I noticed a Chevy Cobalt with an odd derrick-like structure mounted on the roof:
Of course it was the Google Street View car!
The cameras on the car take pictures in all directions. Specialized software then ‘stitches’ the still images together to provide the Street View experience. Here is a picture of the camera cluster:
There has been lots of discussion across the country about Street View and its potential for privacy invasion. The Privacy Commissioner of Canada weighed in on this with their Fact Sheet titled Captured on Camera. The basic point is that we do have privacy rights:
In Canada, there is private-sector privacy legislation that applies to these street-level imaging applications if they are collecting images of identifiable people. And, while the Privacy Commissioners of Canada, British Columbia, Alberta and Quebec recognize the popularity of these applications, they have also expressed reservations because the technology captures images not just of places, but of people as well.
I believe the federal commissioner lobbied Google and was able to extract two key concessions: Google would notify residents of the Street View car visit and the company would allow citizens to have images scrubbed if they were deemed privacy invasive.
I’ll dig up the facts related to this on a subsequent update to this post, but for now I have to go tidy up my front yard!
Update: Google has a video describing how to remove sensitive or inappropriate images from the service.
Today’s Globe and Mail brought news of Passport Canada’s decision to abruptly cancel its online passport application system. The online service allowed Canadians to fill out their passport application online, and was launched four years ago as a progressive example of e-government.
The reason given for removing the service was a lack of ‘convenience’ for passport applicants, with passwords cited as an example of that inconvenience. The system is being replaced by online forms that don’t require a user account and password. Presumably a user will now fill in the form on a web page, then print it and bring it into a Passport Canada office for processing.
Of course, Passport Canada has been under attack by the Canadian privacy commissioner and had an embarrassing security breach in late 2007. The claim that the service was inconvenient due to the need for users to remember passwords is a bit suspicious — by this logic, we’d have wholesale dismantling of online government services and the requisite hiring frenzy to replace them with counter representatives…
A better explanation is that the agency has decided that the risks of making passport data available on the web have exceeded the organization’s tolerance levels. And good for them. Until they are able to deliver a highly secured system, or reduce the amount of data accessible online, the online passport application should be removed.
Most of my consulting projects are delivered in the public sectors: higher education, central services, municipal and, a few years ago, in the health department. Until recently, my projects have involved implementing systems to deliver identity and access management — usually on a deadline, usually for a specific application or set of applications.
But I have also had the opportunity to work on more conceptual projects including defining an IdM strategy for a government department. Starting in the next few weeks, my team will begin architecting and designing federated and user-centric identity solutions.
The first thing we are working through are use cases that will help drive out solution designs. We already know what the technologies are capable of and we have selected the products we need to conduct the proofs-of-concept. But what are we going to do with this technology?
If we break down the emerging identity model into Identity Providers, Service Providers and Users, we can define actions in our use cases by these actors. This post starts the discussion with what makes a good Identity Provider (IdP). Specifically, the discussion is around the Citizen to Government context.
Who should act as an IdP? I believe that there are actually a limited number of government organizations that can fulfill this role. While many government departments (and divisions and branches within those departments) might maintain citizen information, only a few actually maintain citizen registries. And it is these registries — legislated databases of citizen information that are highly secured and carefully maintained — that are ideally suited to supporting an IdP implementation.
Why? Because citizen registries matter. These databases are consistently used for identification to support both real-world and electronic transactions. A registry of citizens is used to support eligibility for health services in a province. A registry of drivers allows for issuance of drivers licenses and enforcement of road use laws. Student registries ensure that the right student gets credit for exam results, course marks and certifications. The tax department keeps a reliable registry of citizen tax payers.
In my home province there are also registries for seniors, land titles, vital statistics, children/youth, and perhaps a few others — but that’s about it. Federally we have citizen registries for taxation, family benefits, veterans, guns (well… the people that own them), and others.
The point to all this is that there are a finite number of authoritative sources of citizen identity information. It therefore makes sense to leverage these databases for purposes of building reliable identity provider services.
I would even take it a step further — it makes very little sense to build a citizen IdP that is not built on a government registry. Why? Because the legislative authority to build a registry — and the effort to maintain it over time — are not trivial things. Therefore, government departments that contain registries take the job seriously. Registries are secured, monitored and carefully updated. They often contain key identity attributes such as legal name, date of birth and residential address. Registries are subject to review by provincial and national privacy commissioners. Some registries contain some unique information as well, such as relationships: parent to student, husband to wife, driver to vehicle.
In the event of problems, bodies that manage registries have processes for citizens to correct the information contained in these databases. Most of us care very much if a registry does not have our correct information. Errors can lead to late payments, loss of hard-earned certifications or denial of critical services. For example, if the tax department mis-spells our name, it is difficult to cash our refund cheque and we’ll be certain to correct them at the first opportunity.
To further bring this point home, consider the municipal property tax roll. The city maintains this database and it is important to them that the ratepayer be linked to the correct property. They want to know who to contact if taxes are in arrears or if a ticket needs to be issued for icy sidewalks. But municipalities don’t deliver most of the type of life-sustaining or entitlement services that truly matter to us. Cities and towns also don’t have a business need to record useful identity information like date of birth or gender. If my city tax assessment arrived and my name was spelled incorrectly, I would probably ask that it be changed, but there would be limited consequences if I didn’t. For these reasons, the city’s tax roll would make a poor choice as an IdP.
But a municipal government still needs to deliver services based on citizen entitlements, and identification can play an important role in electronic service delivery. So if my city’s own databases are poor choices, where should they turn? To a higher level of government, namely a provincial or federal IdP based on a robust registry. By establishing an agreement with one or more registry-based IdPs, my city can focus on delivery services — acting as a Service Provider — and leave the more difficult identification and authentication of citizens to an IdP.
Finally, the idea of using registries is aligned with the Pan-Canadian Identity Management and Authentication Framework. While use of registries is not specifically prescribed, the concepts presented in the Identity Component — identity context, identity lifecycle, identity assurance levels and identity relationships — seem to map well when considering registries as ‘sources of truth’ for identity.
There will be a proliferation of IdP services established over the next decade, so the quality of identity proofing — especially for establishing credentials that are used in higher-value transactions — is critical. Establishing Identity Providers that are based on government registries will be key to the success of future identity management and electronic service delivery initiatives.
I spent a good part of the holidays watching and overhearing my young son play (and replay, and replay…) his favourite movie, The Incredibles. Some great, great lines in that movie — and a few good ones on the subject of Identity. Here is a compilation of identity-related quotes from that show, plus a few good ones from other TV shows and movies.
The Incredibles (2004)
Helen/Elastigirl (talking to her daughter Violet): Put these on. Your identity is your most valuable possession. Protect it. And if anything goes wrong, use your powers.
The Office (2005)
Dwight Schrute: Identity theft is not a joke, Jim!
The Incredibles (2004)
Helen: Of course I have a secret identity. Can you see me in this at the supermarket? Come on! Who’d want to go shopping as Elastigirl, know what I mean?
The Simpsons (1989)
Barney: [to Adam West] So long, Superman. Your secret identity is safe with me.
The Incredibles (2004)
Mr. Incredible: Of course I have a secret identity. I don’t know a single superhero who doesn’t. Who wants the pressure of being super all the time?
Star Trek (1966)
Computer Voice: Voice print & identity verified & correct sequence 2 complete
The Incredibles (2004)
Lucius/Frozone: Superladies? They’re always trying to tell you their secret identity… think it’ll strengthen the relationship or something like that. I say, “Girl, I don’t wanna know about your mild-mannered alter ego or anything like that. I mean, you tell me you’re, uh… S-Super, Mega, Ultra Lightning Babe, that’s alright with me. I’m good… I’m good.
Here’s hoping your identity challenges are less worrisome than those of Frozone or our friend Barney… Happy holidays, I hope 2008 was a good year and all the best in the New Year!
Registration is the “process by which a person obtains an identity credential, such as a user name or digital certificate, for subsequent authentication.” All users of applications supported by an IAM solution must be identified and be registered in order to create an electronic credential.
As I’ve blogged about a few times in the past, the identity proofing that takes place in the Registration Process is critical for sensitive transactions. In the same way that real-world credentials, such as driver’s licenses, require rigorous registration processes, so too does identity proofing for establishing electronic credentials.
Of course, the strength of the identity proofing process must be in keeping with the overall Identity Assurance required. For access to a blog or creation of an Instagram or Gmail account, the identity proofing standard can be quite low. To register for systems that access health or other sensitive information, identity proofing must be much more stringent.
For this reason, the Pan-Canadian assurance model (left-most column) calls for different levels of registration depending on the degree to which an identity needs to be substantiated:
1. Low — Pseudo-anonymous. Identity is registered with little or no verification of identity. User supplied information is taken at face value. If validation is performed, it is cursory.
2. Medium — Identity Validated. Identity is validated to a moderate level of assurance, and registration is typically performed via an online registration process. Shared secrets are exchanged to validate the identity during the process.
3. High — Verified Identity. Identity is verified against information held by an authoritative party. The process is managed and typically delivered in-person (e.g. a counter service). A third-party physical credential (e.g. picture ID) may be presented and compared to an organization-held data source.
4. Very High — Corroborated Identity. Identity is not only verified by an authoritative party via an in-person process, it is corroborated by a trusted third party. The rigour of this approach provides the highest level of registration possible and is typical of critical process such as passport issuance.
The Pan-Canadian model notes that the identity proofing can be supported by either:
- evidence supplied by the user (driver’s license, military service card, passport, etc.), or
- by validating a shared secret that the user supplies and that can be retrieved for comparison from a trusted source (such as a government registry).
In assessing the quality of the identity proofing process, two aspects need to be considered:
1. The Method of Verification. In person verification is stronger than online verification; corroborated information is better than information supplied by the user alone; and, identity information verified by multiple sources is better than information that is confirmed by only a single source.
2. The Strength of the Evidence. Quick — which is more trustworthy: a Canadian passport or a college ID card? The identity evidence presented by people varies in quality and strength, and the registration process needs to be designed with appropriately strong identity evidence.
I’ve been involved with the design and implementation of dozens of identity proofing and registration processes over the past ten years, and each assignment required a careful review of identity proofing processes. (Note: There are different terms used to describe this functionality of an IAM system, including ‘Identification’ and ‘Enrolment’, but for this discussion the general term ‘Registration’ will be used.)
The first step is to determine which of the four Registration levels are required. If your solution will be enterprise in nature, or it is already known that a large number of applications will be integrated, then it is probably safe to assume that Levels 1, 2 and 3 will all be required. (Level 4 registration is rare and, in addition, unworkable online).
Next, inventory the potential shared secrets your organization possesses. What information do you have on file that your clients readily know or can easily look-up? Account numbers, birth dates and formal names are examples. It is quite possible that both Levels 1 and 2 can be supported by data you already maintain in enterprise databases. Some organizations, such as government departments, have numerous shared secrets to choose from. Others may not know much about the user before the registration process is initiated — in these cases, in-person registration (supported by paper credentials such as driver’s licenses) will likely be required for access to systems containing sensitive information.
Once you have a list of potential shared secrets and paper credentials that could be used, align them with each of Registration Levels 1, 2 and 3. For example, a client account number might be suitable for Level 1, but on its own it may not work so well for higher levels. You may find that a combination of good quality shared secrets can help you to achieve Level 2 — the account number plus current mailing address and a recently mailed one time access code might be sufficient. At Level 3, you will want the assurance of in-person identity verification. (Click here for a discussion on shared secret quality.)
Finally, for pan-Canadian’s Level 4 the information supplied (in most cases via in-person visit) needs to be corroborated by a trusted party via a separate process. In practice, this would require verification of the presented identity evidence by a third party.
One way to support Level 3 and 4 registration is to first have the individual supply the evidence online. For example, a physician could provide his college identification number along with his name and date of birth. Once verified against a trusted data source, the information can be sent to an administrator that works with the physician. This administrator can confirm the registration event with the physician the next time they meet face-to-face. Optionally, the administrator could have the physician sign a usage agreement as well. In effect, this is a corroboration of the registration information, and should satisfy the requirements for a Level 3 or 4 process.
Next: Credential Strength.
A while back, I wrote about the three keys to a quality process for using shared secrets in establishing an individual’s identity: quantity, quality and the degree to which a secret is shared.
The quality (i.e. relative strength) of a shared secret is critically important if it is to be used to establish a credential for access to government information. Quick, rank the following in order of declining strength:
a provincial student number
your last federal tax return refund or payment amount
a randomly generated PIN that is mailed to you
your birth date
your mother’s maiden name
The student number is a common identifier for the education system. It uniquely identifies students ‘in the system’ and, in most cases, is assigned at entry into kindergarten and used right through post-secondary. Its strength comes from its uniqueness, its ability to be independently verified, the authority that issues it (the government), and the strong processes they follow to issue and maintain the number. However, student numbers are often displayed on report cards, certificates and countless other paper and electronic documents. It is not difficult to find out a person’s student number.
Dollar amounts from federal tax returns are similarly unique to an individual (or, at least, the combination of the user’s name, perhaps their SIN and the dollar amount is considered unique). The information is securely delivered to the individual’s household via Canada Post. It is reasonable to assume that if you answer this shared secret correctly, you are the individual you claim to be — with one exception: others in your household have access to your mail and tax papers.
One-time PINs are useful in e-government applications when issued to individuals for identity assurance purposes. Often the government will have good information on the identity of the user, have a reliable address and perhaps a request from the user to establish an electronic identity. A PIN is created, mailed to the user and then provided by the user in a prescribed online credential creation process. By having appropriate one-time and PIN expiry processes, the government can be reasonably assured that the individual is who they claim to be with one exception: others in the household may gain access to the correspondence containing the PIN.
Your birth date and your mother’s maiden name are both fairly common shared secrets that have the benefit of easy recall for the user, but suffer from overuse and low secret strength. Genealogy sites, social networking sites and public records can easily be used to retrieve these ‘secrets’. A large disadvantage to this type of secret is that it does not change — once compromised it cannot be reset to another value (unlike a password) and becomes useless.
It can be seen that none of these mechanisms allow for absolute assurance — and really, without a strong in-person verification there will always be gaps. However, several online implementations have been successful by combining shared secrets of different strengths when establishing the identity and by notifying the user when the process was executed. For example, if you want to mail the user a PIN but are concerned that it could be used by someone else in the household, two mitigating processes could be used:
1. Send the user a follow-up notice (letter or email or both) when the PIN is consumed thereby alerting them if they had not performed the process themselves; and/or
2. Combine the PIN with additional shared secrets. A student number and a PIN and one’s birth-date and a previous course mark is a difficult combination to crack, even by someone in the same household.
Striking a balance between the quality and quantity of shared secrets, and introducing a confirmation notice, are the keys to establishing workable online identity assurance solutions.
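The following is an added example, not code from the original post or from any government registry: a Python sketch of the online credential-creation step that both the Level 2 combination suggested in the registration post above (an identifier plus further shared secrets plus a recently mailed one-time code) and the two PIN mitigations just described would need. It enforces single use, expiry and an attempt limit on the mailed PIN, requires the PIN together with a birth date and a previous course mark, and records an out-of-band notice when the PIN is consumed. The student record, the 30-day lifetime, the three-attempt lock and the e-mail notice channel are all assumptions constructed for the example.

```python
"""
Added example: mailed one-time PIN combined with other shared secrets, plus
a consumption notice.  Registry data, lifetimes and channels are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PIN_LIFETIME = timedelta(days=30)   # assumption: the letter must be used within a month
MAX_ATTEMPTS = 3                    # assumption: lock the PIN after three failures


def _digest(value: str) -> bytes:
    """Hash a secret so a leaked table does not hand out usable PINs."""
    return hashlib.sha256(value.strip().lower().encode()).digest()


@dataclass
class PinRecord:
    pin_hash: bytes
    expires_at: datetime
    used: bool = False
    attempts: int = 0


@dataclass
class Registry:
    """Constructed stand-in for a student registry keyed by student number."""
    people: dict
    pins: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)

    def issue_pin(self, student_number: str, now: datetime) -> str:
        """Create the single-use PIN for the letter; returned once, never stored in clear."""
        pin = f"{secrets.randbelow(10**8):08d}"
        self.pins[student_number] = PinRecord(_digest(pin), now + PIN_LIFETIME)
        return pin

    def register(self, student_number, pin, birth_date, course_mark, now):
        """Online credential creation. Returns (ok, reason)."""
        rec = self.pins.get(student_number)
        person = self.people.get(student_number)
        if rec is None or person is None:
            return False, "no pending registration"
        if rec.used:
            return False, "pin already used"
        if now > rec.expires_at:
            return False, "pin expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        rec.attempts += 1
        # Mitigation 2: the PIN alone is not enough; the caller must also hold
        # secrets a mail thief in the household is less likely to have.  Every
        # comparison runs (no early exit) and uses compare_digest so response
        # timing does not reveal which secret was wrong.
        checks = [
            hmac.compare_digest(_digest(pin), rec.pin_hash),
            hmac.compare_digest(birth_date, person["birth_date"]),
            hmac.compare_digest(str(course_mark), str(person["course_mark"])),
        ]
        if not all(checks):
            return False, "identity not confirmed"   # one message whichever secret failed
        rec.used = True
        # Mitigation 1: tell the registrant out of band that the PIN was consumed,
        # so a registration they did not perform themselves gets noticed.
        self.notices.append((person["email"],
                             f"An online credential was created for student {student_number} "
                             f"on {now:%Y-%m-%d}. If this was not you, contact the registry."))
        return True, "credential created"


def run_scenario() -> dict:
    """Walk the flow with constructed data; returns the outcomes for inspection."""
    now = datetime(2008, 11, 1, tzinfo=timezone.utc)
    reg = Registry(people={"123456789": {"birth_date": "1991-04-09",
                                         "course_mark": 87,
                                         "email": "student@example.invalid"}})
    out = {}
    pin = reg.issue_pin("123456789", now)
    out["wrong_mark"] = reg.register("123456789", pin, "1991-04-09", 85, now)
    out["correct"] = reg.register("123456789", pin, "1991-04-09", 87, now)
    out["reuse"] = reg.register("123456789", pin, "1991-04-09", 87, now)
    out["notices"] = len(reg.notices)
    pin = reg.issue_pin("123456789", now)
    out["expired"] = reg.register("123456789", pin, "1991-04-09", 87,
                                  now + PIN_LIFETIME + timedelta(seconds=1))
    pin = reg.issue_pin("123456789", now)
    for _ in range(MAX_ATTEMPTS):
        reg.register("123456789", "not-the-pin", "1991-04-09", 87, now)
    out["locked"] = reg.register("123456789", pin, "1991-04-09", 87, now)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The single "identity not confirmed" response is deliberate: a household member who has the letter but is guessing the course mark must not be told that the PIN and birth date were accepted, since that would let them work through the remaining secret one at a time.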
I spent two weeks in Italy last month and, in case you haven’t heard, it is one of the most beautiful places on earth. So it was appropriate that I attend a match of the ‘beautiful game’, aka calcio, football, soccer.
The game was Fiorentina (Florence) vs. Sampdoria (Genoa), and it had some importance so a large crowd was expected. I set out on the number 51 bus from Florence’s historic centre, bound for a suburban stadium near the Tuscan hills north of town. 45 minutes before game time the bus was full of purple-shirted — and well-behaved — Fiorentina fans.
Once near the stadium I realized that I had no idea of where to buy a ticket, so in my pitiful Italian I asked assorted gate personnel, coffee shop clerks and fans where the ticket office was.
I found one in a cafe across the street. Inside there were big signs, in English, saying that English fans could not buy tickets for games here — they had been previously banned from Italian soccer stadiums, presumably due to poor behaviour over the years, and therefore tickets for all foreigners had to be officially dished out by the club. Nevertheless I enquired at this cafe and was told, no, I had to go to the official ticket office down the street; my pasty Englishman-like complexion and bad Italian quickly (and correctly) labelled me as being a tourist.
I eventually found the official ticket office. While waiting in line for the soon-to-be sold out game, I chatted with a Greek national who was also planning to attend. He asked me if he needed his passport to buy a ticket. Uh, yes, you needed some type of identification, and I had my passport on hand. (I since learned that in 2005, new laws in Italy were enacted requiring teams to sell tickets only to named individuals, hence the need for ID.) He seemed quite dismayed, but stayed in the line hoping to charm the ticket booth ladies I guess. In the end, he was turned away…
At the booth, I presented my passport and asked for a seat in the quiet end of the stadium. The agent looked at my picture, looked at me carefully, then entered my name and passport number into the ticketing system. After a few seconds, the system — perhaps connected to a soccer hooligan database? — confirmed that I was not a troublemaker! Out came my ticket, personalized with my full name:
I was informed that I had to go to a specific gate in the stadium, and would be asked for my passport to prove identity before gaining entry. I sprinted to the stadium, and showed my ticket to the uniformed gate-keeper. He waved me through without asking to see my passport…
The game turned out to be spectacular mostly because of the fans’ behaviour. My seat was in the family end of the 45,000 seat stadium. At the opposite end were 15,000 of the most rabid home fans, and to our right — in a fenced and plexiglass section — stood a mass of rival Sampdorian fans. Below us were a smaller collection of younger, energetic home fans and between the two were several dozen brightly uniformed crowd enforcement officers.
Throughout the game, the Sampdorians screamed, sang, chanted, raised fists and — when Sampdoria scored — rushed headlong towards the plexiglass. The surge of 4,000 manic fans was accompanied by wild shirt-tearing off and the noise of 40,000. In turn, the enraged Fiorentina fans below me rushed towards the security personnel, raised their fists, hoisted middle digits and flung insults toward their guests. On this day, the surge was just a feint, and there wasn’t much more than some light shoving with security at the perimeter. And even if they did burst through, a chain link fence stood in their way.
Fiorentina went on to score the next two, and the singing and chanting that filled the stadium was everything one could imagine at an Italian football game. As the game wound down, the smug confidence of the home fans could be felt. The sky was blue, the game was in hand, our rivals quiet and downtrodden…
Then the unbelievable happened — with only a minute left, Sampdoria scored! The Genoa faithful rushed down the terrace, more shirt-flinging and frothy-mouthed bellowing! The locals below us surged again, but it was less energetic — they knew as I did that we’d just been tied by these invaders and what good would a bloody clash serve at this point?
It was a fascinating spectacle, even though no true violence took place. And it became very clear why my identity was confirmed prior to buying a ticket. What if I was a hooligan looking for trouble? What if my gang and I decided to bring smoke bombs, darts or other projectiles to lob into the visitor’s section? Only by checking the thug database prior to entry could such debacles be minimized.
The only flaw was the missed passport check at the gate… The careful identity proofing and personalized ticket wasn’t much use if the ticket-taker didn’t ask for proper ID on entry. Perhaps the profiling of English-looking trouble-makers only applies to international games…
As for the game, click here for the highlights.
I lost my drivers license this week. No, not from being reckless or speeding — I lost the physical plastic credential that various authorities use to confirm that I can drive a car, open a bank account or have an adult beverage.
So, here in Alberta, when you lose this rather important identity credential you can turn to our very convenient registry office system to get it replaced. Some years ago, our government privatized the customer service for all provincial registry services. Today, there are over 220 locations around the province where you can get counter services for things like vehicle registrations, marriage licenses and so on.
There is a registry office across the street from where I work, and I paid them a visit yesterday afternoon:
Me: I have lost my drivers license.
Registry Agent: Oh. That’s too bad. Maybe you should slow down or something…
Me: No! I lost the plasticized thingy. Can I get another?
RA: Yes, of course! Do you have a piece of picture ID?
Me: (handing over my oh-so-precious Canadian passport) Here you go.
RA: Thank you.
At this point the registry agent glances at the passport picture, glances at me – yup, that’s him – and notes the passport number on an official form.
RA: Has any of your information changed? Hair – brown; eyes – hazel; height – 5′ 11″?
Me: Uh, no.
A few more particulars are exchanged. Then the agent asks the shared secret question! (Only I could get excited about such a question! And, at this point, I am positively bristling with excitement!)
RA: What is your home phone number?
What is my phone number? My jaw drops. I stop bristling. Really, is that the best she could do? I was hoping for some other nugget from the government’s mighty store of personal information. How about the high school I attended? Perhaps my health care number? Or my third child’s middle name? PHONE NUMBER??? C’mon people, give me a challenge here.
Me: (mutters phone number)
RA: Hey, that’s just one number off of my phone number!
And that was about it. I signed a few forms, she pecked a few keys and off the bits flew to the Canadian Bank Note company, the outsourced operation in Ottawa that prints and mails Alberta provincial drivers licenses. I was given a temporary license until my new plastic-coated beauty arrived.
How does my experience compare with the government’s defined process? It is based on ‘who you are, what you have and what you know.’ To confirm who I am, the agent uses their computer system to retrieve a picture of me from my last renewal. So, they have a way of confirming I am who I say I am. That’s good.
However, a few comments from this experience:
- The agent forgot to ask me for secondary identification that further identified me and/or proved that I still live in Alberta. I could have moved to BC or Zambia and the government process prescribes a way to catch this and confirm that I’m still a tax-paying Albertan. An additional ‘what you have’, beyond my passport, would have strengthened the identity assurance.
- The ‘what you know’ secret used in this case, my phone number, isn’t secret at all… I use it as my frequent shopper ID at Safeways, and blurt it out regularly in all kinds of situations. Oh, and it is in the phone book, right next to my name… I know that this was likely just a secret (among several possibilities) that the registry agent chose off the screen, but perhaps there should be less choice in the process to ensure stronger secrets are used.
There, in a nutshell, are a few issues with the license replacement — an identity credential renewal — process. But are these significant enough to be of concern?