Shared secrets for establishing identity


Sharing secrets is an effective way to perform online identity proofing


We are all familiar with the use of shared secrets for establishing our identity when we do business online or over the phone.  These secrets are things like account numbers, our mother’s maiden name or a dollar amount from a recent statement.

Shared secrets are very useful because they significantly reduce the chances that an imposter can gain access to our information by guessing the information being requested.  Shared secrets are also used when digital credentials are first established, and this is an area of significant interest in the public sector where potentially millions of users need to be efficiently enrolled into government services.

Further, both quantity and quality matter.  As governments strive to move more services online, the question of ‘who is at the end of the wire’ takes on more and more significance.  When digital credentials are being used to access confidential data, the impact of improperly identifying an individual can be catastrophic for both the public authority and the individual.

  • A single shared secret on its own makes a poor choice for identifying an individual.  In almost all cases, even those where non-confidential or low-value transactions are taking place, multiple shared secrets are needed to ensure appropriate identity assurance is carried out.
  • The quality of the shared secret is also critically important.  Using a secret that is relatively easy to obtain — e.g. a professional certification number that is displayed on a certificate in the individual’s outer office — is of less value in identity assurance than a secret that is known only to the user.

The best identity assurance schemes are therefore those that use multiple strong shared secrets — information that only the user would generally have access to and information that, typically, is not known by others.

This last point is somewhat critical.  Sharing of confidential information in a household is very common: spouses open each other’s mail; report cards and bank account statements are left in plain view; and personal details such as birthdates are commonly known throughout the household.

A well-constructed identity assurance process must therefore also consider the degree to which shared secrets are known among a household, workplace or other group of individuals.

Fortunately, government organizations have a wealth of citizen information in their databases.  These stores of shared secrets allow a government system to select from a range of options when validating user identity.

An effective enrolment solution depends on carefully analyzing the strength and appropriate combination of multiple secrets in order to select the best ones for e-government applications.
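As an added illustration of that analysis (example code written for this post, not part of the original), the toy model below scores each candidate secret by how easily an outsider can obtain it and how likely a household member already knows it, then greedily picks the combination that keeps the worst-case imposter pass rate under a threshold. The probabilities are constructed estimates, and the model assumes the secrets are independent of one another.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class SharedSecret:
    name: str
    p_obtain_outsider: float   # chance an outsider can look up or guess it
    p_known_household: float   # chance a household member already knows it


def pass_probability(secrets: List[SharedSecret], household: bool) -> float:
    """Probability that an imposter answers every question correctly.
    Assumes the secrets are independent (a modelling assumption)."""
    p = 1.0
    for s in secrets:
        if household:
            # a household member either already knows it or falls back to guessing
            p *= s.p_known_household + (1.0 - s.p_known_household) * s.p_obtain_outsider
        else:
            p *= s.p_obtain_outsider
    return p


def worst_case(secrets: List[SharedSecret]) -> float:
    """Pass rate of the stronger of the two imposter types."""
    return max(pass_probability(secrets, False), pass_probability(secrets, True))


def select_secrets(candidates: List[SharedSecret], threshold: float,
                   max_questions: int = 4) -> Tuple[List[SharedSecret], bool]:
    """Greedily add the secret that most lowers the worst-case pass rate
    until the threshold is met or the question budget is exhausted."""
    chosen, remaining = [], list(candidates)
    while remaining and len(chosen) < max_questions:
        best = min(remaining, key=lambda s: worst_case(chosen + [s]))
        chosen.append(best)
        remaining.remove(best)
        if worst_case(chosen) <= threshold:
            return chosen, True
    return chosen, False


# Constructed illustrative estimates, not measured data.
CANDIDATES = [
    SharedSecret("mother's maiden name", 0.05, 0.95),
    SharedSecret("date of birth", 0.10, 1.00),
    SharedSecret("certification number on office wall", 0.50, 0.50),
    SharedSecret("account number", 0.001, 0.30),
    SharedSecret("amount of last statement", 0.001, 0.20),
    SharedSecret("activation code mailed to user", 0.0001, 0.10),
]
```

Run `select_secrets(CANDIDATES, threshold=0.01)` to see that no single secret meets the bar, that the household-known secrets (birthdate, maiden name) are never picked, and that three user-only secrets are needed before a household imposter's chance drops below one percent.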

Mike

One Response to Shared secrets for establishing identity

  1. […] more particulars are exchanged.  Then the agent asks the shared secret question! (Only I could get excited about such a question!  And, at this point, I am positively bristling with excitement!)  RA: What is your home phone […]
