Identity Renewal

April 8, 2008

I lost my drivers license this week.  No, not from being reckless or speeding — I lost the physical plastic credential that various authorities use to confirm that I can drive a car, open a bank account or have an adult beverage.

So, here in Alberta, when you lose this rather important identity credential you can turn to our very convenient registry office system to get it replaced.  Some years ago, our government privatized the customer service for all provincial registry services.  Today, there are over 220 locations around the province where you can get counter services for things like vehicle registrations, marriage licenses and so on.

There is a registry office across the street from where I work, and I paid them a visit yesterday afternoon:

Me: I have lost my drivers license.

Registry Agent: Oh. That’s too bad.  Maybe you should slow down or something…

Me:  No!  I lost the plasticized thingy.  Can I get another?

RA: Yes, of course!  Do you have a piece of picture ID?

Me: (handing over my oh-so-precious Canadian passport) Here you go. 

RA: Thank you.

At this point the registry agent glances at the passport picture, glances at me – yup, that’s him – and notes the passport number on an official form.

RA: Has any of your information changed? Hair – brown; eyes – hazel; height – 5′ 11″?

Me: Uh, no.

A few more particulars are exchanged.  Then the agent asks the shared secret question! (Only I could get excited about such a question!  And, at this point, I am positively bristling with excitement!)

RA: What is your home phone number?

What is my phone number?  My jaw drops.  I stop bristling.  Really, is that the best she could do?  I was hoping for some other nugget from the government’s mighty store of personal information.  How about the high school I attended?  Perhaps my health care number? Or my third child’s middle name?  PHONE NUMBER??? C’mon people, give me a challenge here.

Me: (mutters phone number)

RA: Hey, that’s just one number off of my phone number!

Me: Oh.

And that was about it.  I signed a few forms, she pecked a few keys and off the bits flew to the Canadian Bank Note company, the outsourced operation in Ottawa that prints and mails Alberta provincial drivers licenses.  I was given a temporary license until my new plastic-coated beauty arrived.

How does my experience compare with the government’s defined process?  It is based on ‘who you are, what you have and what you know.’  To confirm who I am, the agent uses their computer system to retrieve a picture of me from my last renewal.  So, they have a way of confirming I am who I say I am.  That’s good.

However, a few comments from this experience:

  • The agent forgot to ask me for secondary identification that further identified me and/or proved that I still live in Alberta.  I could have moved to BC or Zambia and the government process prescribes a way to catch this and confirm that I’m still a tax-paying Albertan.  An additional ‘what you have’, beyond my passport, would have strengthened the identity assurance.
  • The ‘what you know’ secret used in this case, my phone number, isn’t secret at all… I use it as my frequent shopper ID at Safeways, and blurt it out regularly in all kinds of situations.  Oh, and it is in the phone book, right next to my name…  I know that this was likely just a secret (among several possibilities) that the registry agent chose off the screen, but perhaps there should be less choice in the process to ensure stronger secrets are used.

There, in a nutshell, are a few issues with the license replacement — an identity credential renewal — process.  But are these significant enough to be of concern?

Mike


Shared secrets for establishing identity

January 25, 2008

Sharing secrets is an effective way to perform online identity proofing


We are all familiar with the use of shared secrets for establishing our identity when we do business online or over the phone.  These secrets are things like account numbers, our mother’s maiden name or a dollar amount from a recent statement.

Shared secrets are very useful because they significantly reduce the chances that an imposter can gain access to our information by guessing the information being requested.  Shared secrets are also used when digital credentials are first established, and this is an area of significant interest in the public sector where potentially millions of users need to be efficiently enrolled into government services.

Further, both quantity and quality matter.  As governments strive to move more services online, the question of ‘who is at the end of the wire’ takes on more and more significance.  When digital credentials are being used to access confidential data, the impact of improperly identifying an individual can be catastrophic for both the public authority and the individual.

  • A single shared secret on its own makes a poor choice for identifying an individual.  In almost all cases, even those where non-confidential or low-value transactions are taking place, multiple shared secrets are needed to ensure appropriate identity assurance is carried out.
  • The quality of the shared secret is also critically important.  Using a secret that is relatively easy to obtain — e.g. a professional certification number that is displayed on a certificate in the individual’s outer office — is of less value in identity assurance than a secret that is known only to the user.

The best identity assurance schemes are therefore those that use multiple strong shared secrets — information that only the user would generally have access to and information that, typically, is not known by others.

This last point is somewhat critical.  Sharing of confidential information in a household is very common: spouses open each other’s mail; report cards and bank account statements are left in plain view; and personal details such as birthdates are commonly known throughout the household.

A well-constructed identity assurance process must therefore also consider the degree to which shared secrets are known among a household, workplace or other group of individuals.

Fortunately, government organizations have a wealth of citizen information in their databases.  These stores of shared secrets allow a government system to select from a range of options when validating user identity.

An effective enrolment solution depends on carefully analyzing the strength and appropriate combination of multiple secrets in order to select the best ones for e-government applications.

Mike
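
The selection problem described in this post, as an added example that is not part of the original post or any government system: it scores candidate secrets against a stranger and a household impostor and lets the system, not the agent, pick the smallest set that meets a required strength. The catalogue entries, the bit values, the threshold and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Secret:
    name: str
    guess_bits: float      # assumed log2 of the values an impostor must guess among
    public: bool           # in a phone book, on a displayed certificate, etc.
    household_known: bool  # visible to a spouse, family member or co-worker

# Constructed catalogue; the bit values are illustrative assumptions.
CATALOGUE = [
    Secret("home_phone_number", 20.0, True, True),
    Secret("professional_certification_number", 20.0, True, False),
    Secret("birthdate", 15.0, False, True),
    Secret("recent_statement_amount", 17.0, False, True),
    Secret("health_care_number", 30.0, False, False),
    Secret("account_number", 27.0, False, False),
]

THREATS = ("stranger", "household")

def effective_bits(secret, threat):
    """Strength a secret still has against a given kind of impostor."""
    if secret.public:
        return 0.0
    if threat == "household" and secret.household_known:
        return 0.0
    return secret.guess_bits

def combined_bits(secrets):
    """Worst-case strength of a set; summing assumes the secrets are independent."""
    return min(sum(effective_bits(s, t) for s in secrets) for t in THREATS)

def select_challenges(catalogue, required_bits, min_secrets=2):
    """Return (names, bits) for the smallest qualifying set, or None.

    The system picks the set, so the agent cannot fall back to a weak secret.
    """
    for size in range(min_secrets, len(catalogue) + 1):
        qualifying = [c for c in combinations(catalogue, size)
                      if combined_bits(c) >= required_bits]
        if qualifying:
            best = max(qualifying, key=combined_bits)
            return [s.name for s in best], combined_bits(best)
    return None

if __name__ == "__main__":
    print(select_challenges(CATALOGUE, required_bits=40))
```

A `None` result means the catalogue cannot reach the required strength, which is the signal to fall back to in-person proofing rather than to lower the threshold.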


Who are you?

August 27, 2007

Quick — what are the top IT security issues today?  A list might include things like uncontrolled wireless devices, organized e-crime, identity management and ‘the next big virus’.  It would be hard to discredit any on this list, but from an individual user’s perspective, identity management is becoming a very hot topic.  And identity management is certainly something that is of interest to large organizations, particularly those that are in government or regulated industries — which covers a lot of ground these days.

Identity management is critical to conducting e-business and for protecting sensitive information.  Practically speaking, if a company doesn’t know who is ‘at the end of the wire’ then it is very difficult to offer up anything significant in the way of business content.  And if that identity is not managed properly over time, the user can lose confidence in the relationship and even stop using the offered services completely.

So, how can you know who is accessing your site, web portal or business application? How sure can you be that they are who they say they are? It all starts with confirming the identity at the first interaction with the user, or what we like to call ‘identity proofing’.  This critical step can be difficult to design, build and operate.  Identity proofing requires good process, the type of process that businesses and governments use to support the issuance of identity cards in the physical world. When it comes to proving identity, electronic identities and physical identities must follow the same process to be effective.

Mike