Although they sound elementary, these two processes, called identification and authentication (I&A), involve some of the trickiest information security problems. Why? For most people, entering a username and password to log on to a computer or application is the most visible and intrusive information security mechanism they encounter. Because this act of authenticating a digital identity is so common, many of the security issues surrounding the creation of digital identities are overlooked.
Creating Digital Identities
Digital identities can be created by a business, such as an employee's company; an Internet service provider (ISP) that provides a network connection to the Internet; or an online application vendor, such as an airline reservation Web site. The degree to which businesspeople and their companies can trust digital identities depends on how well the business that created the identity performs two tasks:
- verifying a person's real-world identity, and
- creating and protecting the evidence for authenticating the person's digital identity.
The amount of real-world identity evidence a business gathers before issuing a digital identity varies according to the business's own needs. For example, businesses that provide free e-mail, such as Yahoo! Mail, don't require any proof of a person's real-world identity before issuing him a username to access the e-mail service. The person can choose the first part of his e-mail address, which is the "name" part of email@example.com, and the name doesn't have to have any connection to the person's real name. Since the service is free, the e-mail provider doesn't have to collect and verify any personal information about its users. This business situation is similar to that of grocery stores that issue frequent-shopping cards. There's no security risk because the cards can't be used to buy anything.
At the other end of the spectrum is the process companies go through when issuing digital identities to new employees. By the time an employee is hired, the company has interviewed the employee, checked professional references, and, in some cases, checked criminal and driving records. In short, the company knows who the employee is when it issues digital identifiers such as a username for company applications and an e-mail address. The amount of due diligence a company performs in establishing an employee's real-world identity more closely resembles the process for issuing a passport than a grocery store club card.
The other part of creating a digital identity is creating and protecting the evidence, typically a password, that a person will use to authenticate that identity. The primary concern is how the issuing business protects the evidence while it is stored and while it is transmitted between a user and the application authenticating the user. Although it is standard security practice to encrypt passwords that travel over the Internet, many companies and online applications don't encrypt passwords consistently, or at all. For example, one popular enterprise application encrypts passwords when users log on, but not when they change their passwords. Another enterprise commerce application does encrypt changed passwords, but negates this protection by sending unencrypted e-mail to confirm these new passwords. Similarly, the protections companies afford stored passwords vary significantly. Some companies encrypt passwords on computers that they protect with firewalls and intrusion detection, while other companies provide little protection.
A lack of protection for authentication evidence undercuts a company's trust in the validity of digital identities. Does this username or e-mail address really belong to the person who is using it?
Authenticating Digital Identities
Authenticating a digital identity involves two tasks: determining that the digital identity is valid and that the digital identity's owner is the person using it. Verifying the validity of a digital identity is straightforward when a person is logging on to a company application. All the application has to do is check to see if the person's username is on the list of valid accounts. This is similar to checking a person's name on the guest list at a party.
Determining that a digital identity belongs to the person trying to use it consists of comparing the authentication evidence the person provides to the evidence created when the digital identity was established. Authentication evidence falls into three basic categories commonly called factors:
- something a person knows,
- something a person has, and
- something a person is.
Each of these factors, alone or in combination with others, can be an effective and appropriate means for authentication. However, the security and practicality of different types of authentication evidence are not always clear. Companies should make sure they know the value of various kinds of authentication evidence when selecting technical solutions for themselves and evaluating the solutions of partner companies.
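The two authentication tasks above (is the identity on the list of valid accounts, and does the presented evidence match the evidence created at issuance), together with the earlier point about protecting stored evidence, as an added example that is not from the book or its author. It assumes an in-memory account store and PBKDF2 with a constructed work factor; stored evidence is a one-way salted hash, a stronger form of the at-rest protection the text describes.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory account store: username -> (salt, derived key).
# This stands in for the "list of valid accounts" described in the text.
ACCOUNTS: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption for this example


def derive(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation so the stored evidence is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_identity(username: str, password: str) -> None:
    """Second half of identity creation: store protected evidence, never the raw password."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = (salt, derive(password, salt))


def authenticate(username: str, password: str) -> str:
    """Return a reason for the audit log. Show users one generic failure message,
    so the two tasks cannot be told apart from the outside."""
    record = ACCOUNTS.get(username)
    if record is None:
        # Task 1: is the digital identity valid (is the name on the guest list)?
        # Do a throwaway derivation so timing does not reveal which step failed.
        derive(password, b"\x00" * 16)
        return "unknown-identity"
    salt, stored = record
    # Task 2: does the evidence presented match the evidence created at issuance?
    if hmac.compare_digest(derive(password, salt), stored):
        return "ok"
    return "bad-evidence"


def change_password(username: str, old: str, new: str) -> bool:
    """Re-issue evidence only after re-authenticating; a fresh salt each time."""
    if authenticate(username, old) != "ok":
        return False
    create_identity(username, new)
    return True
```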
The full seventeen-page excerpt from Thomas J. Parenty's Digital Defense: What You Should Know About Protecting Your Company's Assets is available courtesy of BNET.com.