Speaking at the Cambridge Cyber Summit in Boston, White House Cybersecurity Coordinator Rob Joyce indicated that the Trump administration was looking at the potential of replacing Social Insurance Numbers as a form of identification. They were looking at the various technologies that could replace them, including the use of PKI (hopefully, they look at Federation), and it all looks like it could be an effort to improve the security of an individual’s authentication through government efforts. To that, I say:
It’s about time! But the government involved in e-Authentication?!? Scary!
Look, I don’t want to come across as big government. This isn’t a commentary about politics, either left or right. My job is to comment on cybersecurity architectures and practices. So one of the core focus points for me is always going to be around Identity and Access Management simply because, if not done properly, IAM can completely bypass any security solutions an organization puts into place.
But with all the hacking going on around the world and all the personal records being accessed for identity theft, there needs to be a better way of improving authentication. And that means moving away from username and password to some form of elevated authentication.
For a long time, the Social Insurance Number has been required by all businesses as a way of identifying who you are. It became the de facto “2 Factor” authentication because it was supposed to be the “what you have” component of 2 Factor Authentication. But it’s important to remember that SIN numbers were created back in the 1970s (depending on which country you are in) and weren’t supposed to be used for anything other than government documentation.
Along the way, though, people forgot that they weren’t required by law to give their SINs out. It became an obligation that businesses were asking for. Scope creep, in essence.
Now? Now, we are so connected to the digital world that a paper-based second factor of authentication just isn’t relevant anymore. In fact, it’s just another piece of information about a person, like the colour of a person’s eyes. It can’t be used as a useful form of identification. How can you confirm that the Social Insurance Number that you are given isn’t fraudulent? Or, for that matter, how can you confirm that it isn’t someone else’s?
Enter the concept of PKI. You see, the core concept of PKI is that there is a central authority that can corroborate the certificate that you are providing to a service provider. In short, you are now improving how you confirm that you are who you say you are: a “trusted” form of second-factor authentication. So the concept works.
And the trust associated with this certificate has to come from an organization that is trusted. It has to come from someone whose systems for issuing the certificates you can have a certain level of assurance in. Which is where the ‘rub’ comes in. I don’t have a level of trust associated with governments running cyber systems. The politics is off the chart when it comes to putting in place and running a PKI solution.
The Government of BC has been using the Canadian PKI solution for a long time and they were supposed to get off it around 2 years ago. They knew that and started working towards a solution at least 8-9 years ago. And they still aren’t off it because they just can’t come to an internal agreement as to how to do it. It isn’t a technology problem and it isn’t a Vendor problem. They just can’t get themselves to move forward.
Back when Federation started out, there was a concept called a “Circle of Trust”. That concept holds that there is a group of organizations that have internal Identity Providers and that, by having regular audits and a set assurance level, you could have a level of assurance associated with the Identity Provider’s token. The higher the assurance, so the concept holds, the more you can trust it and the more sensitive the data that the user could access WITHIN the various Circle of Trust partners. It’s a very decentralized model.
I suggested back then that a hybrid model of a series of Circles be built around the Chartered Banks and that they would manage the identities. I trust banks. They have a track record of keeping my money safe, so I trust them to hold my identity safe. And then the Identity Providers within the Banks could communicate with each other and, all of a sudden, you have a network of trust that is much more secure than a Government providing the same.
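To make the Circle of Trust idea from the two paragraphs above concrete, here is an added example (not from the original post) of a relying party that accepts only tokens issued by audited circle partners and gates each resource on the partner’s assurance level. The partner names, shared keys and assurance levels are constructed, and an HMAC stands in for the signature a real Identity Provider would apply.

```python
import base64
import hashlib
import hmac
import json

# Constructed Circle of Trust registry: each Identity Provider (IdP) is a
# partner whose audits earned it an assurance level (1 = weakest, 3 = highest).
# Names and keys are invented for this example.
CIRCLE = {
    "bank-a.example":   {"level": 3, "key": b"bank-a-shared-secret"},
    "bank-b.example":   {"level": 3, "key": b"bank-b-shared-secret"},
    "retailer.example": {"level": 1, "key": b"retailer-shared-secret"},
}

# Minimum assurance level the relying party demands for each resource class.
REQUIRED_LEVEL = {"public": 1, "account-summary": 2, "wire-transfer": 3}


def issue_token(issuer: str, subject: str) -> str:
    """IdP side: sign a small claim set with the partner's key (HMAC-SHA256
    stands in for a real signature so the example runs offline)."""
    payload = json.dumps({"iss": issuer, "sub": subject}, sort_keys=True).encode()
    sig = hmac.new(CIRCLE[issuer]["key"], payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(sig).decode()


def authorize(token: str, resource: str) -> tuple[bool, str]:
    """Relying-party side: admit only tokens from circle members whose audited
    assurance level covers the sensitivity of the requested resource."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.b64decode(p64), base64.b64decode(s64)
        claims = json.loads(payload)
    except ValueError:  # covers unpacking, base64 and JSON errors
        return False, "malformed token"
    partner = CIRCLE.get(claims.get("iss"))
    if partner is None:
        return False, "issuer is not a Circle of Trust partner"
    expected = hmac.new(partner["key"], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if partner["level"] < REQUIRED_LEVEL[resource]:
        return False, f"assurance level {partner['level']} below required {REQUIRED_LEVEL[resource]}"
    return True, f"{claims['sub']} admitted via {claims['iss']}"


if __name__ == "__main__":
    print(authorize(issue_token("bank-a.example", "alice"), "wire-transfer"))
    print(authorize(issue_token("retailer.example", "alice"), "wire-transfer"))
```

The same retailer-issued token that is refused for a wire transfer is accepted for a public resource, which is the "more sensitive data needs higher assurance" rule in action; swapping the issuer claim onto a token signed with another partner's key fails the signature check.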
It will be interesting to see what direction the White House goes in. One other thing to note is that the US Government created, back in January 2005, version 1.0 of the Electronic Authentication Partnership Trust Framework. It was meant as a way to provide a level of assurance for any Vendor that wanted to connect to the US Government through Federation. That is something that they may want to look into.
But the time for Social Insurance Numbers has passed and it’s time to replace them. I wonder what will take its place.
Hope this helps …