|Received:||3/23/2007 10:26:10 AM|
|Agency:||Federal Trade Commission|
|Rule:||Proof Positive: New Directions for ID Authentication|
|Attachments:||527026-00019.pdf|
Comments: How can individuals prove their identities when establishing them in the first place?
In recent years, governments worldwide have instituted laws that directly or indirectly require companies to reduce their vulnerability to identity theft. The United States, the European Union, the Asia-Pacific region, and Latin America have all drafted or implemented regulations to track money transfer transactions and to authenticate credentials before issuing government documents such as passports, marriage licenses, voter registrations and ballots (including electronic ones), visas, citizenship papers, and driver's licenses. They are also moving rapidly to electronic invoicing and tax filing, which reduces fraud, speeds tax refunds, and improves controls on collection. In parallel, companies require employees to present validated credentials as part of the hiring process and to gain access to confidential and highly sensitive data. Equally important in these directives is the need to safeguard consumer privacy, protect corporate data integrity and strengthen audit accountability. Standards to combat money laundering and terrorist financing that include customer identification have been issued by the Financial Action Task Force (FATF), an inter-governmental body, and have been adopted by more than 150 jurisdictions. Today, many consumers and businesses use smart chip cards, issued by financial institutions under the MasterCard, Visa, and American Express rule sets, that carry the cardholder's account and personal data. Presenting these cards for payment is routine. Loading digital identity credentials onto the chip is the next step toward letting a single smart card serve multiple purposes, including identity authentication. Because the identity data on the chip is encrypted and released only through the chip's access-controlled interface, a criminal who captures or copies the card gains little usable data; that protection holds only as long as the keys stay on the chip and the cardholder PIN or reader authentication is actually enforced.
Placing identity credentials on the chip lets the cardholder present them for compliance with various government programs, such as obtaining a driver's license. This matters for proving a person's true identity because the customer identification rules issued under the USA PATRIOT Act let a bank accept a driver's license as identification when opening an account. Today banks perform identity authentication as part of many of their processes: lending, payment transfers, trading, and so on. Under U.S. regulation, they are responsible for controlling identity information and ensuring that it is correct. When a user presents the credential, the DMV would verify it with the issuing bank, relying on the bank for authentication, non-repudiation, and limitation of liability. This saves time for the consumer and the DMV and provides a single, consistent ID. Combined with letting driver's license applicants take their initial or renewal test online or at a DMV office and digitally sign the test to authenticate the test taker, it further automates and secures the current process. Electronic voting is another consumer-facing opportunity for credentialed identification, since it lets election officials validate citizens accurately as they register to vote. These credentials could be renewed through the bank and certified authentic by the bank. Individuals carrying bank-authenticated digital identity credentials could use them as the single, consistently accepted way of proving identity for many requests, such as applying for phones or phone service, loans, cable service, memberships, and so on. Credentials issued consistently across financial institutions facilitate commerce, communication and mobility.
What are some current or emerging authentication technologies or methods – for example biometrics, public key infrastructure, and knowledge-based authentication – and what are their strengths and weaknesses?
To what extent do these technologies meet consumer needs, such as ease of use, and to what extent do they raise privacy concerns?
While many technologically advanced solutions have been created to combat identity fraud, none has gained a solid foothold. Understanding why earlier approaches to identity authentication were less successful than they could have been lets corporations and financial institutions build an identity infrastructure that avoids many of the same pitfalls.
PKI Approach
PKI was one of the first technologies to address identity management, and it has been deployed successfully within many large enterprises, such as the U.S. Department of Defense. PKI showed promise through its ability to bind a legally recognized signature to a digitally authenticated identity. However, few business applications require authentication with digital certificates and signatures. Although the technology is robust, PKI deployments have historically produced fragmented, siloed security and identity management systems that did not interoperate easily. To bring real value to government agencies, corporations, and financial institutions, a PKI-based infrastructure must interoperate both with other systems and with other countries' government-mandated schemes. Relying parties must also be able to trust the policies and procedures under which the certificates are issued, since a signature is only as trustworthy as the identity proofing performed before the certificate was granted.
Two-Factor Authentication
As global business interactions became routine and e-crime more prevalent, corporations and financial institutions moved quickly to establish security measures. Many turned to two-factor authentication, coupling a password with a second, different kind of credential. This method, however, is not a complete solution. The knowledge factor is easily compromised: a thief can capture a PIN by watching over the victim's shoulder, and the victim remains unaware until a crime is committed. Shoulder-surfing defeats only the knowledge factor, but it shows that the scheme as a whole is only as strong as the second factor and the channel over which that factor is used.
Two-factor authentication has also proved unable to stop man-in-the-middle attacks, because a fraudulent site can be inserted into the workflow through phishing or by compromising the link between the user and their ISP, exposing the data in transit. To protect fully against such attacks, the user must be authenticated to the site and the site authenticated to the user. Two-factor authentication as implemented in most cases does not achieve this. A recent man-in-the-middle attack on a large, multi-national financial institution highlights the shortcomings of one-time passwords, which are sometimes used as the second factor. The criminals set up a faux banking login site that mimicked the bank's own and prompted customers for the one-time password generated by their hardware token; customers entered the code, and the criminals relayed it to the bank's real Web site while it was still valid, gaining access to thousands of accounts. The attack worked because a one-time password proves only that the holder has the token; nothing in the code ties it to the site it was typed into. In addition to one-time passwords, several authentication methods are being used, with varying degrees of success, to thwart man-in-the-middle attacks, including public keys, stronger mutual authentication, secret keys, and other criteria such as voice recognition or other biometrics. PKI resists man-in-the-middle attacks only to the extent that each party actually validates the other's certificate against a trusted issuer before proceeding; a client that accepts an unvalidated certificate, or a user who clicks through a certificate warning, is no better protected than one using a password.
Token Solution
Many security experts hold that one of the most effective approaches to identity authentication is a secure individual device, such as a smart card or token, that authenticates and validates the user. Others argue that this approach has several challenges, including consumer resistance to carrying a token and the cost of issuing and replacing devices that are easily misplaced. These objections, however, no longer hold.
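The one-time-password relay described above, and the reason a device that also authenticates the site to the user defeats it, as an added example that is not part of this comment: the script below simulates a customer's token, the real bank, and a phishing site that forwards whatever the customer enters. The token seed, the two origins, and the class and function names are all constructed for the simulation; the one-time-password scheme is HOTP as specified in RFC 4226, and the origin-bound scheme is a simplified challenge-response in the style of FIDO/WebAuthn authenticators, which the original comment does not mention.

```python
"""Why a relayed one-time password survives a phishing proxy but an
origin-bound challenge-response does not.

Added example, not part of the FTC comment. Seed, origins and names are
constructed; HOTP follows RFC 4226, the bound scheme is a simplified
FIDO-style challenge-response (an assumption, not the comment's design).
"""
import hashlib
import hmac
import secrets

# RFC 4226 test seed "12345678901234567890" (constructed for this example)
TOKEN_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
REAL_ORIGIN = "https://bank.example"               # assumed real site
PHISH_ORIGIN = "https://bank-example-login.test"   # assumed phishing site


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Bank:
    """The real site: knows the seed it issued and its own origin."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.pending = {}          # outstanding challenges, each usable once

    # Scheme 1: plain one-time password. Nothing binds the code to a site.
    def login_otp(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1
        return ok

    # Scheme 2: challenge-response over (challenge || origin).
    def issue_challenge(self) -> bytes:
        chal = secrets.token_bytes(16)
        self.pending[chal] = True
        return chal

    def login_bound(self, chal: bytes, response: bytes) -> bool:
        if not self.pending.pop(chal, False):      # unknown or replayed
            return False
        expected = hmac.new(self.secret, chal + REAL_ORIGIN.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class Token:
    """The customer's device. In the bound scheme it mixes in the origin the
    browser actually connected to, which a relaying attacker cannot alter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_otp(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def respond(self, chal: bytes, origin_seen: str) -> bytes:
        return hmac.new(self.secret, chal + origin_seen.encode(),
                        hashlib.sha256).digest()


def phish_relay_otp(bank: Bank, token: Token) -> bool:
    """Faux login page collects the OTP and replays it to the real bank."""
    stolen = token.next_otp()          # victim types the code into the fake site
    return bank.login_otp(stolen)      # attacker logs in with it


def phish_relay_bound(bank: Bank, token: Token) -> bool:
    """Same relay against the bound scheme: the attacker forwards the bank's
    challenge, but the victim's token signs the phishing origin."""
    chal = bank.issue_challenge()                 # attacker fetches it from the bank
    resp = token.respond(chal, PHISH_ORIGIN)      # victim's browser is on the fake site
    return bank.login_bound(chal, resp)           # bank expects REAL_ORIGIN


def legitimate_bound(bank: Bank, token: Token) -> bool:
    chal = bank.issue_challenge()
    return bank.login_bound(chal, token.respond(chal, REAL_ORIGIN))


if __name__ == "__main__":
    print("OTP relay logs in:   ", phish_relay_otp(Bank(TOKEN_SECRET), Token(TOKEN_SECRET)))
    print("Bound relay logs in: ", phish_relay_bound(Bank(TOKEN_SECRET), Token(TOKEN_SECRET)))
    print("Bound legit logs in: ", legitimate_bound(Bank(TOKEN_SECRET), Token(TOKEN_SECRET)))
```

With the plain one-time password the relay succeeds, because the code depends only on the seed and counter and is equally valid wherever it is typed. With the origin-bound response the bank's check fails, because the token folds the origin the browser actually reached into the response and the attacker cannot substitute the bank's origin without the seed; the bank also consumes each challenge once, so a captured response cannot be replayed. A PIN to unlock the token supplies the knowledge factor that the Token Solution discussion calls for.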
Devices with USB ports, such as iPods and other common gadgets, could serve double duty as carriers for security credentials, though a plain storage device can only hold a software certificate; it cannot keep a private key from being copied the way a smart card or dedicated token does. The missing link is an easy, inexpensive way to educate users and transition them to more secure devices such as tokens, USB security devices or smart cards. The challenge with consumers today is that they have little incentive to sign up for digital certificates and signatures, since few applications demand them for authentication. Equally, corporations and financial institutions are reluctant to enforce device-based security without being able to show added value. Another disincentive for consumers is the $50 limit on liability for unauthorized use that applies to most credit card transactions. Believing they can lose only $50, many consumers feel no need for extra protection. As identity fraud grows, consumers will come to understand that the $50 limit is no help when their identity has been stolen and someone else is using their Social Security number to open new credit cards or to finance large purchases such as homes, planes, and boats. Corporations have a different perspective. There is no limitation of liability for corporations doing business over the Internet, so companies engaged in supply-chain commercial transactions are exposed to far greater losses and are correspondingly more eager to implement stronger security. Most identity management solutions provide only one piece of the puzzle. What is needed is a phased approach to identity authentication that can expand and strengthen as required, rather than a solution that works briefly and must then be retrofitted against more sophisticated attacks. Traditional solutions focus on a single method of authentication and combine it with a PIN or password to meet multi-factor authentication guidelines.
A PKI-based approach combined with a second authentication method, a hard or soft token holding the private key, pairs two strong mechanisms and provides the strongest authentication: a hardware token unlocked by a PIN contributes both a possession factor and a knowledge factor, and the certificate lets the relying party verify the signature without ever holding the secret itself.