Use Case 11 - Identification Authentication
From W3C eGovernment Wiki
Use Case: Identification and Authentication
Public Administrations must ensure that, when delivering certain services, the people or organizations requesting and receiving them are in fact who they claim to be. In the physical world this is achieved by different means, usually involving the presentation of some commonly recognized evidence, called 'credentials'. In the electronic world the problem is currently no easier to solve, but it is generally addressed in the following terms:
- Authentication is the process of making sure that the credentials provided by someone are valid, so that the identity of the principal (person, organization, machine, etc.) can be reasonably established with trust from both parties.
- Authorization. Once the authentication process is successful (i.e. the identity of the principal is established), it is necessary to check whether that principal is entitled to perform a given operation.
While this is a general approach, eGovernment has its own issues and considerations:
- lack of legislation / uncertainty in certain areas
- diversity of authentication mechanisms
- proliferation of credentials (each portal or even application requiring its own credentials)
- insufficient penetration of digital certificates
- in the digital world, authentication mechanisms can pose a barrier of entry to several services
- digital certificates provide solutions for some areas, but are not free of challenges
- Public organizations
- Issuers of credentials, Certification Agencies
- Citizens in general & organizations
When dealing with identification and authorization issues, public organizations must make a set of decisions that have a great impact on the way services are used and perceived by their end users.
One of the first considerations is acknowledging that different services require different levels of identification, so a one-size-fits-all approach is not viable:
- Providing information about the location of public libraries in one city can be done safely with no identification at all - whereas delivering information about tax or health for an individual cannot be done without some sort of authentication.
- Many other services may require that the person identifies themselves by providing some personal information (name, address, etc.), but the person may receive the service without authentication (that is, without providing any credential that proves their identity). This highlights the difference between 'claiming to be' and 'proving to be', and the fact that some services can be provided in both cases.
- If authentication is really needed, legislation should include a basic set of authentication mechanisms that can be used by Public Administrations. This list is usually non-exclusive, meaning that Public Administrations are also free to add other authentication means in some contexts if allowed by law - for instance, a matrix of coordinates for a citizen phone service.
Another consideration relates to the fact that, in the current state of things, some authentication procedures pose a barrier of access to the service - so authentication mechanisms should only be used when really needed. It is not uncommon to see services that require a higher level of authentication in the digital channel than their on-site counterpart without further justification. Finally, it is important to check whether the target population for the service has access to the credentials required (see the 'Distributing Credentials' paragraph below).
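As an added illustration, not part of the original wiki page, the following Python model captures the three tiers described above (no identification, self-asserted identification, verified credential) and the two checks they imply: a per-channel access decision, and a scan for services whose digital channel demands more than the on-site one. The service names in the catalogue are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Identification tiers as described on this page."""
    ANONYMOUS = 0       # no identification at all (e.g. library locations)
    IDENTIFIED = 1      # personal data supplied, no credential checked ('claiming')
    AUTHENTICATED = 2   # credential validated by the service ('proving')


@dataclass(frozen=True)
class Service:
    name: str
    onsite_level: Level   # what the counter or phone channel demands
    digital_level: Level  # what the online channel demands


@dataclass(frozen=True)
class Principal:
    identifier: Optional[str]  # name/address the person supplied, None if anonymous
    credential_verified: bool  # True only after a credential was validated

    @property
    def level(self) -> Level:
        if self.credential_verified:
            return Level.AUTHENTICATED
        return Level.IDENTIFIED if self.identifier else Level.ANONYMOUS


# Constructed sample catalogue (hypothetical service names, not from any
# real administration) showing the tiers the text describes.
CATALOGUE = [
    Service("library_locations", Level.ANONYMOUS, Level.ANONYMOUS),
    Service("newsletter_signup", Level.IDENTIFIED, Level.IDENTIFIED),
    Service("tax_statement", Level.AUTHENTICATED, Level.AUTHENTICATED),
    # online channel demands a credential the counter does not: a barrier
    Service("bus_timetable", Level.ANONYMOUS, Level.AUTHENTICATED),
]


def can_access(service: Service, principal: Principal) -> bool:
    """Digital-channel gate: the principal's established level must reach the
    level the service requires. Authorization checks would follow this."""
    return principal.level >= service.digital_level


def channel_mismatches(catalogue: List[Service]) -> List[str]:
    """Services whose digital channel demands more than the on-site one,
    the unjustified barrier the text warns about."""
    return [s.name for s in catalogue if s.digital_level > s.onsite_level]
```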
Since authentication mechanisms are based on the concept of credentials, the logistics of this aspect should not be underestimated. While some authentication mechanisms may use lightweight distribution procedures, others can involve heavy management. For instance, the countries that have adopted digital ID documents had to deal with the process of building a certificate issuer, embedding the cryptographic chips in the physical document, distributing the physical documents, establishing validation, renewal and cancellation procedures, etc. In this particular case, some sort of card reader hardware must be available as well, so some countries have decided to provide it free of charge to increase adoption.
This is a very wide area, involving different security levels - physical, logical, etc. We will only present some of the most common Internet standards, limited to citizen-to-government scenarios.
- Username/password. Widely used. It would be desirable to reduce the number of passwords that Internet users have to remember, since each site usually keeps its own credential store.
- One-time pass. Some services can issue a one-time pass that is invalidated after a (usually short) lifespan.
- Digital Certificates. The public sector is one of the main drivers and supporters of this technology, since certificates can also be used to perform digital signing. However, current penetration rates show that using this authentication mechanism may reduce usage of some services, since it imposes a barrier of access and thus reduces the number of potential users.
- Other standards/tools. Several other standards and tools (OpenID, Single Sign-On, etc.) complement or improve the identification process.
- AAA software
- portals and applications
Identified problems or limitations
There are several issues already identified in this area:
Proliferation of credentials
Currently, each organization manages its own credentials. Therefore, users end up holding at least one credential for each service provider. This involves different usernames/passwords for the different levels of the administrations. Though to a lesser extent, the situation is similar in the digital certificates space, where different certification agencies issue different certificates.
This issue can be addressed by:
- further usage and improvement of Identity Federation standards and tools.
- further coordination by public sector initiatives at the different levels.
- centralization of credentials management.
- further development and usage of international standards.
Penetration of Digital Certificates
Though there is a significant number of digital certificates in some countries, in general it cannot be set as a requirement to have a digital certificate to access the services offered by public organizations, due to the great percentage of people not having one.
- other key management and cryptographic standards