By Zack Martin, Editor, Avisian Publications
President Obama wants people to be better secured when using the Internet. The rising costs and concerns over identity theft as well as weak cybersecurity have caused the president to task a group with finding solutions to the online identification problem.
Obama’s group, the National Strategy for Secure Online Transactions, may eventually recommend ways for consumers to be vetted, some type of background check, and a technology they can use for better security when conducting business online.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security. The more factors, the better the security.
It’s now known what the National Strategy for Secure Online Transactions group will recommend for consumer but potential technology options include:
Digital Certificates: An individual certificate can be stored on a USB drive, secured on a smart card or downloaded directly to a personal computer. A Web browser can then automatically check the certificate along with user name and password to enable Web sites for two-factor authentication.
If a consumer uses multiple computers to conduct transactions they will have to load the certificates are loaded on to all those PCs or carry certificates with the via a token or card.
One-Time Password tokens: In some parts of the corporate world these tokens, which sometimes look like keyfobs, are standard issue. Individuals enter a user name, password and then hit a button on the token that gives them a one-time passcode. Because a legitimate passcode can only be created by the user’s token, this creates a second factor of authentication, something you have.
These tokens come in a variety of form factors, from keyfobs and embedded in a standard credit card form. Some of the vendors also have released applications that enable users to get the passcode from a smart phone instead of having to carry around another token.
Smart Cards/Public Key Infrastructure: These microprocessor cards have been around for a long time and are being issued by the U.S. federal government for employees credentials. Computer manufacturers also have started including smart card readers in laptops and the cost of adding one to a PC is nominal.
Using smart cards for access to computer networks is a pretty standard task, but if the committee decided to go with smart cards and Public Key Infrastructure (PKI) it could get a bit more complicated. Deploying national PKI would be complex and expensive, though in the long run it may be the best and most secure option because PKI is one of the most secure technologies available, officials say.
Biometrics: Although, some computer manufacturers are embedding fingerprint scanners into laptops, this is most likely a long shot for a nationwide secure authentication solution. If the scanners aren’t included in a PC they can be expensive. Other biometric modalities haven’t made the in roads to the desktop yet or are too costly.
Smart Phones: This may seem like a long shot to many but some government officials see mobile devices being the key for online authentication. People will leave the home without a wallet or ID badge but rarely do they forgot their mobile phone.
With Near Field Communication (NFC) on the horizon it could be identification rather than payments that brings the technology to the forefront, some officials say. NFC enables a mobile device to transmit information using the same protocol as contactless smart cards.
The snag in this plan is that most PCs aren’t equipped to read contactless smart cards and those readers are more expensive than those used for contact smart cards. But could the smart phone connect via a USB until contactless reader are embedded in computers? It’s a possibility that wouldn’t cost very much.
Using the mobile device for identification would be less expensive than any other type of card or token. There wouldn’t be any issuance cost because most people already have a mobile device. Users would just download the application onto the smart phone and use it from there.
After the committee finishes its work it’s likely a combination of these technologies will be recommended. Consumers will be able to choose which technology they want to use and what may fit their specific needs. At that point the more interesting questions is how consumers will be vetted and how the tokens/certificates/cards will be issued.