Challenges and Requirements of Online Authentication: The “epass” Solution
May 23, 2003
Abstract
The Government of Canada’s Government Online service has been established to provide Canadian residents with secure online access to government services. With proper safeguards, this provision of access has been extended to areas in which government departments allow individuals and businesses to fill out forms and update personal information online, e.g., their addresses. Clearly this is only feasible when users can securely and uniquely identify themselves to the system. They must be confident that no other persons can gain access to, or change, their personal information. To permit this level of personal security, the government has implemented the “epass” system, which allows secure authentication of individuals wishing to gain online access to government programs and services. Epass also allows other categories of secure access, e.g., access for authorized employees of businesses dealing with government departments online.
Secure and workable authentication systems must meet stringent requirements and yet not be cumbersome to use. They must allow users to substantiate their identities with unique information, but must also make provision for re-establishment of authentication if users forget or lose unique identifiers or passwords. It must be possible for users to rapidly revoke their authenticated online access if their passwords or electronic credentials have been lost, stolen, or otherwise compromised. Very importantly, government-operated authentication systems must meet the needs of citizens in a democracy to restrict the use of personal information available to the government and its employees, so that personal privacy is not compromised. Authentication systems must be designed to avoid using informational items such as the social insurance number as online identifiers. They must also prevent online identifiers being used as a means of cross-linking information in diverse government program databases in order to form a comprehensive dossier on users. As additional safeguards to prevent correlation of personal data, users should be able to establish multiple, independent access credentials, and, where feasible, to have pseudonymous online access.
Well designed online authentication systems are a form of infrastructure and may be relatively complex, potentially using sophisticated technologies such as digital signatures. They are best designed when they meet both privacy concerns and practical business criteria such as user-friendliness, efficiency and scalability. Both for these purposes and to allow maximization of security and confidentiality, it is best that they be designed in a comprehensive way, rather than being cobbled together out of a patchwork of smaller, ad hoc systems. The epass system meets all of these criteria, and also has the potential to interact successfully with interlinked provincial, territorial and municipal systems.
Contents
1 Introduction
2 Authentication Systems
2.1 When is Authentication Needed?
2.2 Components of Online Authentication
2.3 Authentication and Electronic Service Delivery
3 Challenges to Building Secure Authentication Systems
3.1 Privacy Challenges
3.2 Security Challenges
3.3 Business Challenges
4 Minimum Requirements for Authentication
4.1 Privacy Requirements
4.2 Security Requirements
4.3 Business Requirements
5 epass
5.1 Overview
5.2 How it works
5.3 Identification and Registration
5.4 Revocation
5.5 E-Credential Recovery
5.6 Renewal
5.7 Meeting the Challenges; Exceeding the Requirements
6 Conclusion
Appendix I: Authentication and the Privacy Principles of the CSA Model Code
Appendix II: epass Technical Specifications
Appendix III: Authentication and Digital Signature Certificates
References
Version 1.0 Draft
1 Introduction
During the last year, the Government of Canada’s Government Online initiative (GOL) has moved from providing online information for every federal government department to providing Canadian residents with authenticated access to online services. It is now poised to rapidly expand the programs and services offered via authenticated online access. A GOL authentication system called “epass” has enabled that expansion.
Before outlining the structure of the Government of Canada’s epass service, this paper will present the general principles that any well-designed authentication scheme should adhere to. It then explains in detail the approach to authentication taken by epass and shows whether it meets these general principles.
Privacy protection is a major concern in the design of online services for the general public. This paper discusses privacy-protective approaches to authentication and describes the epass authentication service as one example of a privacy protective implementation. The context for authentication services is also discussed, including the use of a common authentication infrastructure, as well as the case for alternatives such as anonymous access and pseudonymous access.
An appendix discusses digital certificates as a special type of authentication service; it covers both situations with high security requirements and also some where high levels of authentication are not required but where use of digital certificates is nonetheless advantageous.
2 Authentication Systems
2.1 When is Authentication Needed?
In many types of online access, authentication isn’t needed at all. GOL distinguishes between at least three different types of access, each needing its own level of assurance:
1. access to public information – this requires no authentication of the user and access can be (and usually is) anonymous. Examples include obtaining online advice from Health Canada on how to quit smoking.
2. filling out forms online – this requires a level of authentication sufficient to ensure that information about an individual filed in an online form actually comes from that individual. Filing personal income tax via Netfile[1] is an example of this level of authentication. Failure to accurately authenticate the user may initiate a bogus transaction, but will not expose confidential information (as the fraudulent user merely filled out an initially blank form).
3. updating personal information online – this requires a level of authentication sufficient to ensure that the personal or proprietary information being accessed and updated actually belongs to the individual updating it. Failure to accurately authenticate the user may not only initiate a bogus transaction, but may also expose confidential information (as the fraudulent user will have accessed the current state of the personal information being updated).
2.1.1 Pseudonymous Access
Truly anonymous access to information and services does not require an authentication system. But there are many important online applications where users must be persistently and accurately linked from one online session to another, even if their actual identities are never required. Examples include telehealth counselling (where online counsellors must be assured that the subject whose previous online session has been recorded as a set of notes is the same person as the patient involved in the current online session) and moderated online chat rooms where users’ questions are answered. This type of authentication assigns a unique identifier to the unknown user that can then be reliably used much like a pseudonym (hence pseudonymous authentication).
Pseudonymous authentication also plays an important role in preventing data matching across programme databases (see section 3.1 below).
2.2 Components of Online Authentication
Every authentication system contains at least two components—initial registration and authentication—and most also contain at least one of the three life cycle management components—renewal, recovery, and revocation. All five components are described below.
1. Initial Registration: creating and issuing a persistent electronic identity for an individual after (optionally) establishing the identity of the individual (either as a private individual or as a business agent) based on an assessment of the evidence that has been presented to support the claimed identity.
From the user’s perspective, registration is a single, seamless process, but from an administrative perspective it contains several distinct components. Existing authentication systems only implement those components that are necessary to meet the business needs of the online systems they protect.
a. identification, an optional step involving either a physical examination of identification documents (asking, for example, to see a driver’s license, proof of address, or a passport) or else an online confirmation that the individual shares one or more secrets with the registration software agent.
Identification can also involve a mapping to a pre-existing application-specific identifier, thereby providing a translation from the authentication infrastructure to the application infrastructure. In the case of a government application, this application-specific identifier could be a government program identifier such as social insurance number or health card number. This translation allows users to authenticate themselves in a single consistent fashion regardless of the program or service being accessed.
b. electronic credentials generation and issuance, involving the creation or recording of one or more authentication factors that the user can later use to authenticate herself online[2]. An electronic identifier (i.e., a user ID) is created and subsequently used by the registrant with their electronic credentials for authentication.
During registration, other optional steps are often performed to help manage electronic credentials later in their life cycle, to provide needed additional information, or to enhance the registration audit trail:
c. chronicle, involving the creation of an auditable record of the whole registration transaction (at a minimum, this record will contain the user’s ID).
d. shared secret deposition, involving asking the user for additional mnemonics that can later be used either during revocation (see item 3 below) or during authentication recovery (see item 4 below). Depending on the authentication factors employed, it is possible that a user might lose one or more of them. A process is often engineered to allow for recovery of lost factors (a forgotten password for example, or a lost smart card).
e. attribute verification of some claimed attribute (authorization to act on behalf of a business entity, for example); and
f. attestation by the registrant, indicating their agreement with some statement (“I agree to abide by the terms of the subscriber agreement” for example, or “I certify that the information I have provided is accurate and complete”).
Ideally, registration is performed only once per user (but see item 5 below re: “renewal”).
Not all of the above components are needed in every registration. The following table contains examples of registration processes, and shows where each component might fit in.
| Registration example | Registration: verify identity | Registration: e-credential generation | Shared secrets | Attestation | Attribute verification |
|---|---|---|---|---|---|
| Register for e-voting (voter registration) | Yes | Yes | Yes | Likely needed | Yes (inclusion in a list of electors) |
| Register as a Government employee | Yes | Yes | Yes | Likely needed (acceptable use agreement) | Yes (employee ID number, etc.) |
| Register as a business employee (e.g.: file GST online) | Yes | Yes | Yes | Likely needed | Yes (right to act on behalf of business) |
| Register to access change of address service | Yes | Yes | Yes | Likely needed | No |
| Register as consumer obtaining product (e.g.: from govt. online bookstore) | Credit card only | Yes (if an online account is to be opened) | No | Yes (agree to purchase on credit card) | No |
| Register for ongoing pseudonymous access to some service (e.g.: telehealth) | No | Yes (pseudo ID) | No | Possibly not needed | Possibly confirm residency in jurisdiction |
| Anonymous access to some service (e.g.: Health Canada info on how to quit smoking) – no registration required | No | No | No | No | No |
2. Authentication: establishing the validity of the accessor before granting access to information or online services. Authentication has two components:
a. ID presentation by the user of his/her user ID obtained during registration; and
b. presentation of one or more authentication factors by the user that support the user’s claim to be the entity referred to by the ID (e.g.: typing in a password or inserting a smart card).
Authentication is performed by the user at the start of each online session. It requires that the user has already undergone registration. Authentication systems supporting revocation (see item 3 below) first check to ensure that the user’s access hasn’t been revoked. During lengthy online sessions, some authentication systems also require the user to periodically re-authenticate.
Though not required in every implementation, many authentication systems also contain one or more of the following credential management components:
3. Revocation: the ability of a registered user or an administrator to prevent future use of a registered electronic identity after losing control (or upon fearing the loss of control) of one or more factors in a multi-factor authentication scheme.
Not all authentication systems provide for user initiated revocation[3] but where a revocation service is provided, prompt and reliable access to it is essential.
Revocation presupposes that the user has already undergone registration. It may be carried out as an online activity or by means of a secure out-of-band communication (by means of a phone call to a help desk, for example). Either way, the user must be authenticated before the revocation request can be honoured.
4. E-Credential Recovery: the ability of registered users to regain access to their e-credentials after losing one or more factors in a multi-factor authentication scheme. Recovery typically involves the use of shared secrets to regain access to a lost token.
E-credential recovery presupposes that the user has already undergone registration. Though not required as a component in all authentication systems, recovery can increase user friendliness and an automated online recovery facility can reduce costly help-desk calls. It can also be an essential component of systems that control access by professionals to mission-critical online services – services that could be seriously degraded if a user were unable to rapidly replace a lost e-credential.
5. Renewal: the ability of a user to refresh a time limited initial registration prior to its expiry[4].
Some authentication systems allow for indefinite registration of users; i.e., there are no security-related time limits on how long a user remains registered with a valid user ID. Others provide for time limited registration – after which the user is unable to successfully authenticate online[5]. Not all such authentication systems provide for renewal; some require users to re-register from scratch.
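The five components listed in this section (registration with chronicle and shared-secret deposit, authentication that checks revocation and expiry first, revocation, e-credential recovery, and renewal) can be modelled in a few dozen lines. The following Python sketch is an added example, not the paper's own material and not the epass implementation; it assumes a single password factor, shared secrets stored as question/answer pairs, and a caller-supplied clock `now` in seconds.

```python
import hashlib, hmac, os, secrets

def _hash(value, salt):  # salted, slow hash so stored factors are not recoverable from the record
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

class AuthService:
    """Constructed model of the five components in section 2.2 (not the epass code)."""
    def __init__(self, lifetime=365 * 86400):  # registration lifetime in seconds (assumed)
        self.users, self.chronicle, self.lifetime = {}, [], lifetime
    def _secrets_ok(self, rec, answers):  # every deposited shared secret must be answered correctly
        return bool(rec["secrets"]) and all(q in answers and hmac.compare_digest(
            h, _hash(q + answers[q].strip().lower(), rec["salt"])) for q, h in rec["secrets"].items())
    def register(self, password, shared_secrets, now):
        """1. Registration: issue user ID and e-credential (1b), deposit shared secrets (1d), chronicle (1c)."""
        user_id, salt = secrets.token_hex(8), os.urandom(16)
        self.users[user_id] = {"salt": salt, "pw": _hash(password, salt), "revoked": False, "expires": now + self.lifetime,
                               "secrets": {q: _hash(q + a.strip().lower(), salt) for q, a in shared_secrets.items()}}
        self.chronicle.append(("register", user_id, now))
        return user_id
    def authenticate(self, user_id, password, now):
        """2. Authentication: revocation and expiry are checked before the password factor is verified."""
        rec = self.users.get(user_id)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return False
        return hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))
    def revoke(self, user_id, answers, now):
        """3. Revocation: honoured only once the requester proves control of the shared secrets."""
        rec = self.users.get(user_id)
        if rec is None or not self._secrets_ok(rec, answers):
            return False
        rec["revoked"] = True
        self.chronicle.append(("revoke", user_id, now))
        return True
    def recover(self, user_id, answers, new_password, now):
        """4. Recovery: the shared secrets let a user replace a lost password factor (never a revoked one)."""
        rec = self.users.get(user_id)
        if rec is None or rec["revoked"] or not self._secrets_ok(rec, answers):
            return False
        rec["pw"] = _hash(new_password, rec["salt"])
        self.chronicle.append(("recover", user_id, now))
        return True
    def renew(self, user_id, password, now):
        """5. Renewal: an authenticated user extends a time-limited registration before it expires."""
        if not self.authenticate(user_id, password, now):
            return False
        self.users[user_id]["expires"] = now + self.lifetime
        self.chronicle.append(("renew", user_id, now))
        return True
```

Note that a registration that has lapsed cannot be renewed here; as the text says, such users must re-register from scratch.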