Canadian Bar Association, Privacy Section

The Canadian Bar Association / L'Association du Barreau canadien

I had the pleasure today to present to an attentive and curious group of privacy lawyers at the Canadian Bar Association.  The presentation was a rapid-fire slide deck titled Identity Management: Drivers, Challenges and Opportunities.

Many thanks to Jane Steblecki from Field Law for the opportunity.


Strong Authentication, Multiple Options

I’ve been thinking about strong authentication (SA) lately as it relates to some client work I’m doing.  The technology has matured over the past few years, and the acceptance by both users and clients is growing.  A few years ago I would deliver presentations on multi-factor authentication and I would pass around an RSA SecurID fob.  Fully half the audience had never seen one and had no idea what it was for.  Today, you’d be hard pressed to find an enterprise or government user who was unfamiliar with SA devices.

So what are the current options for SA?  My SA world right now is mostly concerned with public access to confidential information held by government, education and health organizations, so I’ll limit the scope to applications in these spaces.  

This makes it easy to eliminate a few things: for real and perceived privacy reasons, biometrics are difficult for public users to accept, and a lack of readers on individual user desktops is a problem; smart cards are an excellent technology platform for SA, but again readers are not yet common enough for a public-scale roll-out to be successful; certain one-time password (OTP) token solutions — including the venerable RSA SecurID — are cost prohibitive for deployment to large numbers of public users; and software tokens, those virtual token generators running on the desktop PC, are prone to virus attack and too easy to share between users from the same household.  (More to this last point, software-based tokens can be deployed to individual users on a shared desktop, but then access to the token is inevitably protected by a password… Not really an SA solution by most definitions.)

Fortunately, that still leaves a fairly large number of options:

USB tokens — There are a number of tokens available in a USB format (Aladdin, RSA, etc.).  Most are deployed with a certificate and work within PKI environments.  The devices are becoming viable for large implementations because USB devices are easily supported on most computers, and the general public have become much more comfortable in plugging devices into USB ports.

Value-priced OTP fobs — Entrust, ActivIdentity and others have driven the cost of fob-based SA systems to less than a third of RSA SecurID.  While these products might not match RSA’s robust encryption, many large deployments are at least considering traditional tokens again due to these lower cost options.

Grid cards — Also known as ‘paper authenticators’ or ‘Bingo cards’, these wallet-friendly cards contain rows of numbers organized in a grid.  The authentication system prompts the user for values on the cards by column and row.  Because the user possesses a unique card, this provides SA. Drawback: grid cards are easy to duplicate…  A variation, one-time ‘scratch’ cards, overcome this limitation.  OTPs are hidden under a scratchable surface (think scratch lottery tickets) and a new one is used each time for access.

Mobile SMS — One of the more difficult problems (and cost concerns) with large-scale SA is the issuing and managing of SA devices.  Mobile SMS addresses this problem by using an authenticator that the user already has: their mobile phone.  An SMS message containing an OTP is sent to the registered user, and this OTP is used as the second factor in the authentication.  More robust implementations replace SMS with a phone-generated token.  Mobile SMS solutions benefit from the widespread use of cell phones (especially among younger users) and the high percentage of time people have them in their physical possession.

Voice delivered token — A variation on the mobile phone authenticator is to deliver the OTP via an automated voice call.  This can provide some additional security when combined with a PIN and a voice-delivered OTP might be easier for certain public users to use, particularly those with vision problems or certain cognitive challenges (e.g. dyslexia).

This narrowing of the options makes analysis of SA solutions for large public user projects a bit easier:

  • Is low cost a primary driver?  Grid cards and Mobile SMS are likely your best options.
  • Worried about device or card management? Mobile phone solutions gently push this task onto your users.
  • Do you want the flexibility to store certificates and data?  USB tokens are proven solutions to meet this need.
  • Are you (or your users) most comfortable with a ‘traditional’ fob solution?  Look to cost-savvy providers of OTP tokens.

Finally, blending these technologies into a solution is recommended.  For example, not all users possess cell phones, so you’ll want an alternate technology (fob or grid card perhaps) as an option.  In the public user space, you need to be careful about forcing a specific technology on to your user base — a degree of user choice is always recommended.

Ultimately it is a matter of picking the best solution to meet your needs — and no matter what your criteria may be, today’s SA vendors truly have viable options to offer.


User-Centric IdM

I’ve been working on an Identity Management (IdM) strategy for a client over the past few months.  They have been investing in IdM solutions to meet their needs for several years, so it was becoming important for them to look at the bigger, long-term picture.

A key recommendation in the strategy is to establish user-centric IdM in this organization.  This is based on emerging research that shows users desire more control over identity information, even if that control amounts to simply viewing the information the IdM system possesses.

As I’ve commented on this blog a few times, this emerging user trend is being talked about regularly in industry circles, by select academics and by identity management ‘thought leaders’.  User-centred, or user-centric, IdM can provide practical approaches to meet the increased needs of individuals who wish to better manage their own identity information.

What is less reported and commented on is that user-centric IdM is not a technology, but rather a model or philosophy that is primarily concerned with putting user needs first in IdM solution design.  To be successful, designers of user-centric solutions have to consider the user identity’s full life-cycle and be ‘in tune’ with their needs for privacy and control.  Two noted examples illustrate this point.

Three years ago Kim Cameron came to my city to talk about information cards.  This was a completely new paradigm for those of us that had been designing and building centralized IdM systems.  Mr. Cameron’s use case that day was the payment of an online purchase.  He showed how a user with a Visa account could use an information card to present a claim to an e-commerce site.  The claim didn’t have to provide any details about the user — simply that the user had been authenticated and that they, Visa, would honour the payment.  All the e-commerce site had to do was present this claim to Visa in order to receive payment.  The user in this scenario did not have to supply personal information to the web site in order for the payment to be processed (of course, a name and address would need to be provided to the shipping department, but that was outside the actual financial transaction).

Around the same time, Dick Hardt was wowing them at the O’Reilly OSCON conference with his Identity 2.0 presentation.  His use case was that of how he, a responsible adult, might purchase a quality vodka product from the local liquor outlet.  The main point was this: in real life we present credentials of our choosing to clerks in order to prove an aspect of our identity, such as our current age.  Liquor store clerks don’t need to record our name and address in order to conduct the transaction — they simply need to verify that the birthdate works out to the correct minimum age for the purchase and, in effect, discard the information after the transaction is completed.  Mr. Hardt goes on to say that there are technology solutions that can virtualize this approach, hence user-centric and privacy-smart identity solutions can emerge.

In both these cases, the needs of the individuals are considered first.  Mr. Cameron could easily have stuffed the virtual credit card with user information, and made the case that the e-commerce site would highly value that information (think Facebook).  Similarly, Mr. Hardt’s example focused on the only reason the individual would want to present identity information: to confirm one aspect of their identity, that being their age.  Both of these are in tune with the demands of privacy-aware citizens and are excellent examples of user-centric philosophy.
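The two use cases above (a claim that Visa will honour payment, and an over-age claim shown to a clerk without the birthdate) share one mechanism: the issuer vouches for each claim separately, and the holder chooses which claims to disclose.  The following is an added illustration written for this post, not code from CardSpace, Sxip or any information card product; it uses a keyed hash with a constructed demo key in place of a real signature, which fits the Visa case (the merchant hands the claim back to Visa to verify) and would be a public-key signature in the liquor-store case.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer secret for the demo, not a real key.  With a MAC the verifier
# must hold the issuer's key, as Visa does when the merchant presents the claim.
DEMO_ISSUER_KEY = b"constructed-demo-issuer-key"


def _sign_claim(issuer_key, card_id, name, value):
    # Each claim is authenticated on its own, bound to the card it belongs to.
    msg = json.dumps([card_id, name, value], sort_keys=True).encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()


def issue_card(issuer_key, claims, card_id=None):
    """Issuer builds the card: one independent authenticator per claim, so the
    holder can later disclose any subset without invalidating the rest."""
    card_id = card_id or secrets.token_hex(8)
    return {
        "card_id": card_id,
        "claims": {
            name: {"value": value, "sig": _sign_claim(issuer_key, card_id, name, value)}
            for name, value in claims.items()
        },
    }


def present(card, names):
    """Holder's choice: only the named claims leave the user's machine."""
    return {"card_id": card["card_id"], "claims": {n: card["claims"][n] for n in names}}


def verify_presentation(issuer_key, presentation, required):
    """Relying party accepts only if every claim it needs is present and authentic.
    Claims the holder withheld are simply absent, which is the point."""
    card_id = presentation["card_id"]
    for name in required:
        claim = presentation["claims"].get(name)
        if claim is None:
            return False
        expected = _sign_claim(issuer_key, card_id, name, claim["value"])
        if not hmac.compare_digest(expected, claim["sig"]):
            return False
    return True


def liquor_store_check(issuer_key, presentation):
    """The clerk's check: needs only the over-age claim, never the birthdate."""
    return (verify_presentation(issuer_key, presentation, ["over_19"])
            and presentation["claims"]["over_19"]["value"] is True)


if __name__ == "__main__":
    card = issue_card(DEMO_ISSUER_KEY,
                      {"name": "A. Citizen", "birthdate": "1975-03-14", "over_19": True})
    shown = present(card, ["over_19"])
    print("disclosed:", list(shown["claims"]),
          "accepted:", liquor_store_check(DEMO_ISSUER_KEY, shown))
```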

Centralized systems, like the Canadian government’s ePass, scale to millions of users and are well understood by users and designers alike.  But these legacy systems are fraught with challenges related to security, lack of privacy controls and, potentially, accusations of ‘big brother’.  In no way are these systems user-centric — they simply were built in a time when user ‘control over identity’ needs were not a priority.

For organizations like large companies and governments, these systems do a disservice because they ultimately will discourage privacy-aware individuals from using the very online services the IdM system is intending to enable.  Only by adopting user-centric philosophies in solution design can IdM systems meet the changing needs of individuals in an increasingly privacy-aware world.


Hackers Expose Leadership Vacuum

One of my secret pleasures is reading the hacker quarterly magazine 2600.  While the quality of writing might be a bit suspect, there is real joy in the content.  There is something about the hacker culture that is fascinating and endearing to mainstream IT and security folks.  Whether reading articles titled Facebook Applications Revealed or Hacking the Nintendo WiFi USB Connector, or simply a carefree scan of the infamous Letters section, 2600 delivers insight and bemusement in every issue.

That spirit is alive and well in a German hacker magazine called Die Datenschleuder.  A hacker group called Chaos Computer Club (CCC) has captured the fingerprint of a German government minister who is promoting the biometric identification features of the German passport.  While this has previously been reported by the rather excellent Vikram Kumar blog, I couldn’t help but trot it out for my own examination.

So, what does the group do with the copy of the print?  Well, according to this report, they produce a replica using some kind of silicon printing process that produces a high-quality ridged output. The CCC claim that similar reproductions have been proven to fool over 20 different types of biometric readers.

The minister’s fake fingerprint is then reproduced 4,000 times and distributed with the magazine!  Ha!  Their point is that fingerprints are not a fool-proof biometric, and once compromised, they are impossible to ‘reset’.  You are what you are, a reality that produces a common failing in many biometrics.

Security issues notwithstanding, I think that there is a bigger point to be made here, and that is one of education, leadership and awareness.  I was a bit critical of a UK politician a while back for his privacy naïveté, and this falls into the same category.  However, in this case, it is not the Interior Minister that deserves the rotten tomatoes — he is clearly acting on the policy and advice of his department.  The professionals in charge of identity management and authentication schemes for the government are the real red-faced ones in this case.

Many biometrics have long been under attack for their lack of effectiveness (false negatives and false positives), narrow operating environment tolerances and, in the case of fingerprints, ease of duplication. Even the mainstream ‘science’ show Mythbusters has done an exposé.

Why, then, does a sophisticated national government deploy a security solution that is so certain to fail?  Is it just another example of security theatre?  Surely there was someone in the room playing devil’s advocate and pointing out the weaknesses of such a solution?  If so, that voice was clearly not heard, much to the embarrassment of the government in question.

And where are the CIO and CISO for the country in all this?  Is this not, ultimately, a failure of IT and security leadership?


Virtual info cards and choosing the right guinea pigs…

Dick Hardt from Sxip was interviewed last month by IT Conversations on the Government of BC’s plans for a virtual information card pilot.

Mr. Hardt points out that privacy laws in BC and Canada are very strong compared to the rest of the world, and that governments are actually not interested in collecting and linking citizen data unnecessarily.  The goal is to NOT have an electronic ID card like those that are being rolled out in other countries.

There is a lot of interesting information in the interview, but for now I’ll stick to some comments on the implementation.  Mr. Hardt maintains that the virtual info cards are more advanced than traditional tokens because they allow for a user to select what information can be shared with the site being accessed.

The first use case being implemented is not particularly ambitious from an identity standpoint.  Recognizing that government staff tend to work together and often travel to each other’s work sites, there is a need to share wi-fi connections at dozens/hundreds of sites.

Info cards will be used to control a user’s access at these sites.  By integrating the technology into the wi-fi portal, access can be restricted to those that possess a valid info card.  Users that want Internet access at the site simply present the virtual card to gain access.  This results in improved privacy because the card is only used to confirm that the user is allowed access — it does not identify them.

It is an interesting choice for a first implementation.  The users are all known to the organization (typically senior-level staff) and have a well defined need.  Both privacy and security are improved and, apparently, a standard solution can be rolled out to many locations easily.

But most intriguing to me is the user audience.  This implementation targets roving users — and most often these are director-level and higher in government.  As these laptop-enslaved decision-makers roam around the province, the ease of the solution should win converts.  When designs for more tricky info card implementations, such as those for public citizens, arise in the future, the management teams will already be well-versed with the technology and able to make informed decisions.

This is of critical importance to identity and access management systems.  Having had direct experience designing identity systems in the public sector, I can attest to the importance of having educated decision-makers at the table.  When issues around privacy and security need to be escalated, you want your sponsor and team to be knowledgeable and comfortable with the topic — and, ideally, the technology.

The BC Government appear to be making smart choices with this project; it will be interesting to hear how it progresses in the next few years.


Info Card / Smart Card Convergence

Here’s a prediction: by 2010 we’ll all carry a smart card that is linked to a virtual information card that resides on our PC.

In this near future, our bank needs us to use two-factor authentication, and the credit card companies force us to use the same when shopping online.  Our governments want us to apply for programs online, but insist on proving who we are with strong authentication to reduce fraud.  And we also have realized that it’s a good idea to have two-factor logins on our own computers.

In the midst of all this, our awareness of personal privacy has increased to the point that we don’t just blindly enter personal information on every e-commerce registration page that asks.  We’re not just tired of the repetitive entry, but insist on controlling what information is shared. 

A Microsoft rep told me this past week that CardSpace and smart card integration services are just around the corner.  Are info cards converged with smart cards an obvious solution to a set of already chronic security and privacy problems?


Identity Cards

Now that the British Columbia provincial government is moving towards a virtual identity card for citizen access, the prospects seem bright for establishing a solid, flexible and user controlled credential for citizen-to-government business. 

To date, my expertise on information cards is limited to seeing Kim Cameron speak twice, seeing a demo and reading up on the assorted solutions on-line.  But I’ve had lots of exposure to the issues related to the strength of a security credential so I’ll stick to that theme for this post.

First some background and assumptions.  The BC government plans to distribute the certificate to users via some secured channel, presumably a link to a web site that has been identified to the user in a letter via Canada Post mail, or some other secured, out-of-band channel.  So far, so good.  The user goes to the site, let’s say mine is, and enters a shared secret (probably a one-time PIN) that was included in the letter.  A certificate gets downloaded to my computer, then some ID card magic takes place and — voila! — the digital identity card is set to go. 

Subsequent visits to sites that need authentication result in easy access by supplying the digital identity card.  No additional passwords needed, security and privacy increased, everyone happy, right?

Well… there is this bit about increased security (and the corresponding claimed increase in privacy assurance) that gets tossed around in these news stories.  It is sort of like the Canadian Government and their ePass solution.  ePass also uses certificates — these are served up by a government web server to your browser.  I’ve heard some call this strong or two-factor authentication — username/password + certificate = two factor — but, in fact, the cert is accessed using that same password.  As a result, ePass is only single factor and, for all intents and purposes, its authentication strength is the same as a simple username/password solution.  (It does offer increased session security, that much is true.)

Back to the BC Gov’t:  from what I can tell, the digital ID card cert is essentially still offering single-factor authentication, i.e. that cert is protected by a simple password just begging to be scribbled on a post-it note.  Some might argue that the computer where the certificate is stored is the second factor, the ‘something I have’ that provides additional assurance.  However, in this world of shared computers at work and home, the claim that only the authorized user has access to the certificate is weak.

Social engineer the password, gain access to the computer and you’re doing business with the gov’t under someone else’s identity.  Yes, convenience has been increased, and anonymous access can be achieved, but the real hard problems of doing business on-line have not been solved.  The high value business-to-government centres around sensitive information like student transcripts, drivers’ license renewal data, personal health data, electronic tax account files, etc.  All of these require strong authentication in order to access confidential data. 

From what I can tell, virtual identity cards, in this implementation, don’t provide critical features that will enable broad, functional access to sensitive government information.  What is needed is a virtual card linked to a true second factor device, biometric or other solution that sufficiently increases the strength of the security credential to be used for sensitive information access.


IAM and best practices still under utilized

Is it surprising that 50% of user accounts remain active when employees leave?  How about that 90% of companies don’t have automated security audit capabilities?  Or that 7 out of 10 companies still only use usernames and passwords for all authentication?  These are the startling findings of a survey of 259 IT professionals in the UK, as reported by IT Pro.

Perhaps I shouldn’t be so surprised — based on the lax attitudes I frequently witness on security projects, the more shocking story would be if the majority of enterprises had comprehensive identity and security solutions in place… 


Managing tough security projects

For most of the past four years, I’ve found myself in project management positions on security projects.  The work has included managing technical and business teams as they integrated applications into an enterprise Identity and Access Management solution.

These projects have been among the most difficult I’ve had to manage, with most of the challenges coming from managing multiple teams.  On each of these projects, successful delivery of the work required cooperation from multiple disciplines: business analysts, software developers, infrastructure guys, core integrators, vendors, security analysts and privacy analysts.  On the larger projects (e.g. gov’t healthcare or education) there were up to seven teams involved, often from three or four different organizations.  And, of course, each organization had its own project sponsor and senior management teams to please…

Perhaps enterprise IAM is unique in terms of implementation complexity.  The client organization (government) certainly was complex, and the public-facing nature of the IAM solution required care in planning and execution.  The technology we chose was complicated and new.  The solution was highly distributed.  Our vendors over-committed and, frankly, under delivered.

I found that it was critical to focus on delivery and manage that delivery formally.  For those projects where we used this approach, we were successful.  For others, well, the results eventually were produced but not without hardship and delay…


Bingo Cards

In a couple of previous posts I was pointing out the types of convergent solutions possible with smart cards and USB tokens.  These were reviewed on a project I was involved in that assessed a number of other strong authentication solutions.

One of these other technologies was Entrust IdentityGuard.  This access solution has a number of features and capabilities, including low cost fob-style tokens, USB tokens, SMS, machine-based and ‘grid authentication’.  This last solution type, grid authentication, uses paper cards with codes printed in rows and columns like bingo cards.

The primary advantages of grid authentication are low cost and ease of provisioning.  Bingo cards are included in the price of the license (approx. $9/user per year) and can be distributed via mail or courier — or even fax or email if receipt can be assured.  For companies with large numbers of users, bingo cards offer a significant cost saving — not just because the cards are cheap but also due to the flexibility of distribution options.

The downside with bingo cards is that they are less secure than alternatives (such as fobs), as the three digits used in the solution are obviously fewer than most random OTP solutions.  The cards can also be photocopied, which exposes the solution to unique threats.

Bingo cards can work well for business-to-business applications where the frequency of use is low to moderate, and the level of data sensitivity is considered moderate.
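To make the trade-offs in this post and in the grid card entry of the Strong Authentication post concrete, here is an added example written for this blog, not Entrust IdentityGuard code: it prints a constructed 5x10 digit grid, issues a three-cell challenge, verifies the response, and contrasts a reusable card (which a photocopy defeats) with the one-time scratch variant, where each cell is retired after use.  The card layout, the three-cell challenge length and the six-digit fob comparison are assumptions for the demo.

```python
import hmac
import random
import string

# Constructed card layout (assumed): rows A-E, columns 1-10, one digit per cell.
ROWS = "ABCDE"
COLS = 10
CHALLENGE_CELLS = 3   # the three-cell challenge the post describes


def _rng(seed=None):
    # A seeded generator is only for reproducible tests; production uses SystemRandom.
    return random.Random(seed) if seed is not None else random.SystemRandom()


def make_card(seed=None):
    """Return a freshly printed grid card as {(row, col): digit}."""
    rng = _rng(seed)
    return {(r, c): rng.choice(string.digits) for r in ROWS for c in range(1, COLS + 1)}


def make_challenge(card, seed=None, n=CHALLENGE_CELLS):
    """Pick n distinct cells, e.g. [('B', 7), ('D', 2), ('A', 9)], to prompt the user for."""
    return _rng(seed).sample(sorted(card), n)


def expected_response(card, challenge):
    """The digits the user should read off the card, in challenge order."""
    return "".join(card[cell] for cell in challenge)


def verify_grid(card, challenge, response):
    """Reusable grid card: any correct answer is accepted, so a photocopy of the
    card answers just as well as the original (the weakness the post notes)."""
    return hmac.compare_digest(expected_response(card, challenge), response)


class ScratchCard:
    """One-time 'scratch' variant: each cell is revealed once and then retired on
    the server, so a code seen or copied after scratching cannot be replayed."""

    def __init__(self, card):
        self.card = card
        self.used = set()

    def verify(self, challenge, response):
        if any(cell in self.used for cell in challenge):
            return False  # replayed cell: reject even if the digits are right
        ok = hmac.compare_digest(expected_response(self.card, challenge), response)
        self.used.update(challenge)  # scratched cells are spent, right or wrong
        return ok


def guess_probability(cells=CHALLENGE_CELLS, alphabet=10):
    """Chance that a blind guess passes one challenge: 1/1000 for three digits,
    versus 1/1,000,000 for a six-digit fob OTP."""
    return 1.0 / (alphabet ** cells)


if __name__ == "__main__":
    card = make_card()
    challenge = make_challenge(card)
    print("Enter cells", challenge, "->", expected_response(card, challenge))
    print("Guess probability: grid", guess_probability(), "vs fob", guess_probability(6))
```

A lockout after a few failed challenges is what keeps the 1-in-1000 guess odds from being exploited by repeated attempts, so the verify functions here assume the caller enforces one.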