Now that the British Columbia provincial government is moving towards a virtual identity card for citizen access, the prospects seem bright for establishing a solid, flexible and user-controlled credential for citizen-to-government business.
To date, my expertise on information cards is limited to seeing Kim Cameron speak twice, seeing a demo and reading up on the assorted solutions on-line. But I’ve had lots of exposure to the issues related to the strength of a security credential so I’ll stick to that theme for this post.
First some background and assumptions. The BC government plans to distribute the certificate to users via some secured channel, presumably a link to a web site that has been identified to the user in a letter via Canada Post mail, or some other secured, out-of-band channel. So far, so good. The user goes to the site, let’s say mine is www.your-identity.bc.ca/mikewaddingham, and enters a shared secret (probably a one-time PIN) that was included in the letter. A certificate gets downloaded to my computer, then some ID card magic takes place and — voila! — the digital identity card is set to go.
Subsequent visits to sites that need authentication result in easy access by supplying the digital identity card. No additional passwords needed, security and privacy increased, everyone happy, right?
Well… there is this bit about increased security (and the corresponding claimed increase in privacy assurance) that gets tossed around in these news stories. It is sort of like the Canadian Government and their ePass solution. ePass also uses certificates — these are served up by a government web server to your browser. I’ve heard some call this strong or two-factor authentication — username/password + certificate = two factor — but, in fact, the cert is accessed using that same password. As a result, ePass is only single factor and, for all intents and purposes, its authentication strength is the same as a simple username/password solution. (It does offer increased session security, that much is true.)
Back to the BC Gov’t: from what I can tell, the digital ID card cert is essentially still offering single-factor authentication, i.e. that cert is protected by a simple password just begging to be scribbled on a post-it note. Some might argue that the computer where the certificate is stored is the second factor, the ‘something I have’ that provides additional assurance. However, in this world of shared computers at work and home, the claim that only the authorized user has access to the certificate is weak.
Social engineer the password, gain access to the computer and you’re doing business with the gov’t under someone else’s identity. Yes, convenience has been increased, and anonymous access can be achieved, but the real hard problems of doing business on-line have not been solved. The high-value business-to-government transactions centre around sensitive information like student transcripts, driver’s licence renewal data, personal health data, electronic tax account files, etc. All of these require strong authentication in order to access confidential data.
From what I can tell, virtual identity cards, in this implementation, don’t provide critical features that will enable broad, functional access to sensitive government information. What is needed is a virtual card linked to a true second-factor device, biometric, or other solution that sufficiently increases the strength of the security credential to be used for sensitive information access.