Can ‘Trust’ Prevent Entropy to Online Privacy?
The data breach at Equifax this year reminds us that the ways we establish our identities are pretty tenuous in the digital age. The research and education (R&E) community has been working on approaches for managing electronic identities for many years, and some of those concepts are worth considering for general identification.
First, some background. The Social Security Number was not intended to be a form of identification. It wasn’t even intended to be a secret, but it has been adopted as THE one unique identifier by so many organizations that keeping it secret has become necessary. In fact, until 1972, the bottom of the card said: "FOR SOCIAL SECURITY PURPOSES -- NOT FOR IDENTIFICATION."
One consequence of using SSN as the unique identifier for most Americans is that finding what your SSN is has become the holy grail for hackers. Once armed with it, impersonating someone becomes quite easy.
Today, we attempt to protect our identifying information by only allowing access to that information when a secret code (a password) or PIN is provided. In theory that password or PIN is something that only the owner of the information would know. If a third party can steal or guess the password, then they can gain access.
The online world increasingly is adopting Two Factor Authentication, or 2FA. With 2FA, “something you know” (a password) is combined with “something you have” (for example, a smartphone. To gain access to your private information you must provide a password and a code retrieved from your smartphone. This is significantly more difficult to hack, especially in bulk.
Beyond 2FA is 3FA, which adds “something you are” to “something you know” and “something you have.” This is defined as something about you that does not change, like your retina or fingerprint. This is substantially better; but if a bad actor can access the place where your fingerprint, password, and smartphone number are stored then it could be possible to compromise even 3FA.
The research community has been working on managing identities online for the past couple of decades. This has been in part because science is collaborative and those collaborations occur between people working for different organizations. A collaboration may have shared instruments, software, and data that belong to the virtual organization representing the collaboration. Creating new online identities for participants is inefficient and time consuming. The solution is to develop a system of trust where the home organization of each person can electronically vouch for members of their own organizations and trust when their partner organizations do the same. They do this by creating a federation of organizations carefully vetted to ensure they are who they claim to be and who adhere to rigorous practices for identifying their users. On top of that, identifying information (what you know, have, and are) is only ever exchanged with the home organization.
When a user requests access to a system operated by a member of the federation, he/she is directed to log in from their home system, which then provides only the attributes necessary for access. Such attributes might be “is a faculty member at Duke” for example. The end result is that identifying information is held as close to the end user as possible and only the minimal information about that user required to access a system of data is exchanged.
The NIST, or National Institute of Standards and Technology, has a Trust and Identity program. This program is focused on modernizing our approach to identification. They are working out standards for identifying individuals and for safeguarding those identities online.
Their guidance on identification has changed from providing a list of acceptable documents for identifying a person to one describing the characteristics of evidence needed and the process for gathering it. For safeguarding identity online they are moving towards 3FA and the use of federation as pioneered by the R&E community.
We are beginning to see a path forward, but this will be a long process. Many private companies have business models based on selling information about specific people (including the credit reporting bureaus like Equifax). Changes to the status quo will put those models at risk. We still have a ways to go.
The proofing guidance moves away from a static list of acceptable documents and instead describes “characteristics” for the evidence necessary to achieve each Identity Assurance Level. In fact, the document no longer differentiates between physical evidence (like a driver’s license) and digital evidence (perhaps a mobile driver’s license or an assertion from another identity provider). You should no longer think “plastic is good” and “digital is bad” for presented evidence; what matters is the process behind the presentation.
MCNC’s work in trust and identity has been aimed at extending the mechanisms developed by the research universities to all of education. This will improve privacy for students, teachers and staff, and facilitate access to applications and services adhering to concepts and standards for identity pioneered at universities and now promoted by NIST.