After my son was registered for summer camp, we received an email that we needed to go to the camp’s website and download some forms to be completed. To get the forms, we needed to set up a very rigorous password (27 characters, include punctuation, include a quote from an obscure Sanskrit poem, etc.), had to set up some challenge questions (What was your favorite cat’s name?), and had to confirm our e-mail address. All this to download some blank forms that were completed and delivered by hand.
A couple days later, I was doing an online application that required I provide a significant amount of personal information. It certainly shook my confidence as to how well my information was going to be protected when, as part of the registration process, the system emailed me my password in plain text!
Canadians are increasingly and often involuntarily interacting with government and businesses online. While this has advantages for both parties, any interaction beyond cursory information retrieval is dependent on some form of identity and authentication. Unfortunately, the execution of these core requirements has degenerated into a morass of inconsistent approaches, poor practices, and frustrated users that is putting our personal data, and the reputations of our organizations, at risk.
Identification and authentication is difficult, and risky. To avoid this, organizations have pushed the burden onto their customers and clients. The result is an individual user identity (usually your email address) and authentication token (a password) for each service. And often, multiple identities for the same organization because each system uses a separate credential store.
To cope with this, users have adopted the following highly sophisticated and secure methods:
1. Use the same user name and password everywhere
2. Let the web browser keep track of all the passwords (until you get a new computer and lose them all)
3. Sticky notes on the monitor
4. A password management tool
As IT professionals, I am sure we are aware of how few people make the effort to employ solution 4.
Just a few of the issues with the current situation:
- The email address has become the default authentication mechanism and identity token. The problem with this is email is not fundamentally secure. And if someone manages to compromise your email account, they can gain access to almost everything else. And email addresses legitimately, and often involuntarily, change.
- Organizations like their users to have unique, complex, and impossible to memorize passwords. But they don’t like the cost of dealing with password resets, so they set up trivial mechanisms to bypass them and change the password.
- Rather than fix the fundamental problem, organizations keep tacking on additional kludges, like challenge questions.
The technical solutions to these problems have existed for years. Distributed authentication and authorization via Kerberos has been around since the late 1980s. The principles of reliable dual factor authentication (e.g. RSA keys) are well known. OpenID provides the underlying protocols for decentralized authentication.
Most organizations providing an on-line presence would be thrilled to offload their authentication to someone else, and offer the ease of use and improved user experience of identity reuse. The problem is no one wants the cost and accountability of being the primary identity and authentication provider.
So I am going to advance the argument that the responsibility for reliable online identities ultimately lies with government. Only government can establish the legislative and regulatory frameworks, including protections from litigation and financial liability, that make the provision of these services tenable.
So, which government level should hold the accountability for establishing and maintaining online identities? It can be argued many ways:
- Municipal governments are “closest” to individuals, and have the most reliable records in terms of space and location. A paid Property Tax bill is the gold standard of identification as it is easily verifiable, and requires a significant financial commitment to secure.
- Historically the accountability for identity has lain primarily with provincial governments, through such practicalities as driver licenses, registries, and health care administration.
- The federal government manages what is the closest we have to a national universal identifier, the Social Insurance Number (SIN). There was a tendency at one point to use individuals’ SINs as a key for non-tax related issues but this has been discontinued, legitimately, due to privacy concerns.
- A sound principle when developing an identity strategy is “Follow the Money”, i.e. an authorizing record that, if mishandled, will have a financial impact to the managing party, is usually highly reliable. This means that the Canada Revenue Agency would be the party that would be best placed to be a reliable identity provider.
In the end analysis, in Canada it is provincial governments that are best placed to establish and manage a reliable online identification and authentication mechanism. Provinces have established networks of front line service desks, and already manage the most common form of trusted identity (driver’s licenses or identity cards). And the separation of provinces from primary responsibility for personal taxation will facilitate trust and acceptance.
It is time for our provincial governments to stop shirking their responsibility and, working with the federal government to ensure a consistent national approach, establish reliable and authoritative on-line identification and authorization services that can be broadly used. There is also a responsibility and opportunity for our IT professional organizations, such as CIPS, to advocate for the establishment of these services, and to participate as arm’s-length reviewers to assure Canadians that these services are carefully implemented and administered in order to improve the reliability and security of Canadians’ use of online services, while also ensuring individuals’ privacy.