These days we spend a lot of time proving who we are. If you do online banking, use your debit card, access any work resource from a remote location, check your e-mail or voicemail, then you have to prove your identity to use those services. Each of these services requires that your identity be unique from other users. Since we are using online services, we are identifying ourselves to a computer rather than to a person. This process is known as authentication. Authentication is very important to computer security. The more online services we use, the more identities we create, and as in the case of multiple identities, the more confusing the world becomes.
Authentication is the process of determining that an individual is who he or she claims to be. Notice, the definition does not address the rights and privileges of a user. Authentication is often confused with authorization, which is often used together with authentication. Giving permissions–rights and privileges to access data based on an identity–is called authorization. One of the most common authentication methods is by IP address. In IP authentication, the server containing the resources is given your computer IP address or a range of IP addresses at your institution, enabling users to view certain resources. For example, if you want to view an e-journal from your library, the journal’s server checks the IP address that is requesting access. It finds your address and allows you to view the journal. The fact that you can view the journal does not mean you are authorized to cancel the journal subscription or buy access to a new journal. That right is given to the Acquisitions Librarian, whose identity will be authenticated when ordering or canceling subscriptions.
Authentication is based on three simple factors: something you know; something you have, and something you are. The use of a combination of any of these factors as a method of authentication is known as multi-factor authentication.
Something You Know
Most of the authentication that we do is based on something we know. A good example is the user ID and password you created for your online accounts. User ID/password authentication is based on the premise that since you created them, you will remember them, and only you have access to them. However, this type of authentication has its weaknesses. Depending on the computer system, creating IDs or passwords can be a frustrating experience. Furthermore, IDs and passwords can be stolen, forgotten, or misplaced. Despite these drawbacks, for the immediate future, most of us will still have to grapple with creating, protecting, and remembering our passwords.
Here are some things to consider if you are about to create a password or want to manage your existing passwords. First, never use any personal information such as Social Security numbers, phone numbers, addresses, names of relatives, etc. Personal information is one of the first things hackers and identity thieves try to retrieve. Second, do not use dictionary words, proper nouns, or foreign words. Many hackers have programs that use dictionaries to look for words. Try not to use the same password for multiple accounts, because if someone gets your password, they will be close to having access to all the accounts using that password.
If you want to create a secure password, create passwords that are meaningful to you. They are easier to remember. Make passwords at least eight characters in length and utilize a combination of numbers, keyboard characters, e.g., ~, $, #, @, etc., upper and lower case letters. A password written $i1v3rSmiTh is much harder for a thief to crack than when it is written silversmith. Also, do something very few of us do–change your passwords or PINs often. As a security measure, more institutions are forcing their staffs to periodically change their passwords. If you have multiple accounts requiring different passwords, consider using a password management program. These programs allow you to manage your existing passwords and generate more complex secure passwords. With the creation of a master password, you will have access to your other passwords and PINs. Some programs such as Password Safe <http://passwordsafe.sourceforge.net/> ask for donation and others such as RoboForm Pro charge a fee. For a review and comparison of the top 10 password management programs on the market, see Password Management Software Review 2009 – TopTenREVIEWS <http://password-management-software-review.toptenreviews.com/>.
If you don’t want to use a software management program, then consider using a Single Sign-On (SSO) system such as OpenID. OpenID is a decentralized open standard, which means that it is not owned by any organization. An OpenID is simply a URL that you claim after obtaining it from an ID provider of your choice. You and the ID provider agree on what you should provide, e.g., passwords, tokens, smart cards, etc., to prove ownership of the URL. If you want access to a service on a site that supports OpenID, you enter your OpenID at that site. This is transmitted to the ID provider, which certifies that you are who you claim to be and access to the service is granted. It is similar to proxying at private institutions, but OpenID is open standard proxying. That is a very simplistic explanation of OpenID. While not all sites support OpenID, some of the larger organizations such as AOL, BBC, Yahoo, Google, PayPal, and Microsoft use and provide OpenID authentication.
Something You Have
Another method of authentication is to have a physical or electronic object that carries your authentication credentials. Although there are many types of physical and electronic objects, the most common physical objects are smart cards and key fobs; electronically, they are digital ID certificates. The sole purpose of these objects is to verify that you are who you claim to be.
Smart cards are plastic cards about the size of credit cards that contain a microchip instead of a magnetic strip. Since these cards have microprocessors, they can carry all types of data, like an individual’s health data, and be programmed for various applications. There are over a billion smart cards being used, mostly in Europe. Last March, the German government successfully conducted regional pilot studies for electronic health smart cards. In 2009, the government plans to issue these cards to the German population as part of its public health system. It has been reported that Hewlett-Packard and Compaq are working on developing keyboards with smart card slot readers.
Key fobs, unlike smart cards, do not have microchips. A key fob is a small security hardware device which can resemble a flash drive. It randomly generates access codes within a specified time limit. Key fobs can change codes from as often as every thirty seconds to every five minutes. Since there is no communication between the server and the key fobs, the device works because it uses a deterministic mathematical algorithm that synchronizes the key fob with the server program. The explanation of how it works is worthy of a Numbers TV episode, but it does work. Here is the procedure for using key fobs. Suppose you log into the server and want to access a sensitive folder. When you select the folder, you may be asked for an ID and password. You enter your ID and activate your key fob, which generates the code. You immediately enter the code before a new code displays, and hit Enter. If the fob changes code before you hit Enter, you will be denied access to the folder and you will have to repeat the process.
While you may not have a smart card or key fob, if you bought something online from a website, that uses PayPal or Cybertrust, then you have a digital ID certificate. Digital ID certificates use public key encryption to secure the transmission of data between your computer and the website with which you are doing business. The certificate is issued by a mutually trusted third party known as a Certification Authority (CA). A digital ID certificate contains the owner’s name, the owner’s public key, the key’s expiration date, the certificate’s serial number, the name of the issuer (CA) of the certificate, and the digital signature of the issuer. Think of the digital certificate as being similar to your passport or driver’s license, except that the personal information is electronic rather than hard copy. When you make a connection to the secure site, your certificate is reviewed for any discrepancies or abnormalities. If everything is in order, then the connection is completed. This is done quickly and seamlessly so you’re not aware of any review.
Something You Are
This authentication factor is the stuff that thrillers, caper movies, and spy novels are made of. This type of authentication is based on an individual’s physiological or behavioral characteristics. It is the biometric recognition of physical characteristics such as fingerprints, irises, facial and voice patterns, hand and finger geometry, and signature verification. Some of these biometric recognition systems have existed for years. The CSI characters are not lying when they ask that fingerprints be run in AFIS. The Integrated Automated Fingerprint Identification System (IAFIS) is a national automated system maintained by the FBI and containing over 47 million fingerprints and criminal histories. Law enforcement and intelligence agencies such as the National Security Agency, CIA, and FBI, use voice and facial recognition to identify the individuals they have under surveillance. It has been reported that some companies have begun using facial and iris recognition systems to enhance their security needs.
Biometric recognition systems have several advantages over other methods of authentication. Unlike passwords, PINs, smart cards, and key fobs, which can be lost, stolen, misplaced, or duplicated, biometric systems are based on a distinguishable physical or behavioral trait that identifies you as you. These characteristics do not change with age. For instance, your iris is unique and cannot be lost, stolen or misplaced. Also, it is a trait, which would be extremely difficult to forge or duplicate. Another advantage of biometric systems is that they are non-invasive. In theory, you can capture an individual’s data without attaching or using probing instruments. Finally, the advances in biometric technologies have achieved a high level of accuracy and made the technologies faster and more user-friendly.
If biometric systems are so efficient, then why are they not in general use? First, they are still expensive. However, as the technologies mature costs are coming down, so we will begin to see more of them in everyday situations. For instance, The Aspen Times reported that the Aspen, Colorado School District is holding meetings to decide if they want to implement a fingerprint-recognition system for students in school lunch programs. The school district purchased the hardware and conducted a successful pilot test of the program. A California newspaper, The Contra Costa Times, reported that ValleyCare Hospital now uses a Patient Access Lifetime Match (PALM) scan system to access patient records. Aside from costs, lack of uniformity in standards for the technology is a barrier. Not all fingerprint readers are created equal. Standards are still being negotiated and developed. Another problem is that while the technology is based on measuring physiological traits, there is a population that may have damaged traits or not have the traits. For example, how can a fingerprinting system scan a person with no hands, or iris systems authenticate a person whose iris cannot provide accurate measurements because of eye disease? In addition to these dilemmas, biometric systems can be fooled and they do make mistakes. Researchers have fooled fingerprint systems by having the system scanning and authenticating a fingerprint copy instead of a real, live fingerprint. Also, these systems do sometimes generate the biometric equivalent of false-positive and false-negative matches.
Despite these shortcomings, biometric authentication systems have the potential for linking all the information–school, employment, health, banking records, etc.– quickly and efficiently. Think of it: banks, employers, and insurance companies can use a common authentication system to create your permanent universal ID and use it to share information. While this may make life easier for us, it increases the temptation and possibility of misuse. Since authentication and privacy are opposing forces, such actions would conflict with our concept of privacy. The goal of authentication is to identify the user. If you know who the user is, you can hold that individual accountable for his or her actions. This is in sharp contrast to the goal of privacy, which is anonymity. People are not to be identified unless they choose to be. Authentication methods such as user ID/passwords and key fobs are ephemeral, but authentication systems based on physiological and biological traits, such as DNA and retinas, are permanent identifiers. Authentication with permanent identifying characteristics will compromise anonymity and bring them into conflict with one of the underlying principles of HIPAA– privacy. The question is, how much of our privacy are we willing to surrender for the sake of efficiency and convenience? That is the debate society will be having for the next few decades.
If you have any questions or comments, please send them to me at rodrigue@pobox.upenn.edu. C U NX time.
Carlos Rodriguez
References:
“Gemalto Electronic Health Cards Successfully Tested by German Authorities.” Smart Card Alliance : News. (http://www.smartcardalliance.org/articles/2008/03/27/gemalto-electronic-health-cards-successfully-tested-by-german-authorities)
Meckley, J. (2001). “Smart Card.” SearchSecurity.com Definitions (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213004,00.html)
Redding, K. (2009). “Fingerprint system at Aspen schools to be topic of meetings.” The Aspen Times, February 4. (http://www.aspentimes.com/article/20090204/NEWS/902039936&parentprofile=search)
“Security in the Palm of Your Hand.” The Contra Costa Times, November 9, 2008 (http://www.contracostatimes.com/). This article has been archived and is no longer available for free. See also, Reyes, R. (2008). “Security in the Palm of your Hand,” The Edge, October, p.6. (http://www.murphyaustin.com/articles/The20Edge_October202008.pdf). This is an article by ValleyCare’s Director of Patient Access Services, on the PALM reading system.
0 Response to “TechnoHumanist Corner: Who are You?”