A tech-savvy editor and reporter with more than 12-years experience in emerging technologies
The United States is joining other nations in making online security a priority. Many citizens within the European Union (EU) have electronic IDs (eIDs) that serve as their national ID card, and allow them to validate their identity and access services online. Services include claiming social security and unemployment benefits or filing tax returns. Now, the European Commission is piloting a project that will ensure cross-border recognition of national eID systems and enable citizens to easily access public services in all thirteen Member States, not just their home country.
Back in the United States, it is thought that Obama's group, the National Strategy for Secure Online Transactions, will eventually recommend ways for consumers to be “vetted,” meaning establishing your identity with some type of background check, and then advising a technology you can use for better security when conducting business online.
Officials familiar with the project say the President wants consumers to use strong authentication, something more secure than user name and password, that adds another “factor” for security.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate, something you have, adds a second factor for even stronger security. This is called two-factor authentication. If you add a fingerprint or other biometric, something you are, it's increased to three-factor security. The more factors, the better the security.
It's not yet known what the National Strategy for Secure Online Transactions group will recommend for consumers but there are many potential technology options. They include:
One-Time Password tokens: In some parts of the corporate world these tokens are standard issue. Individuals enter a user name, password and then hit a button on the token that gives them a one-time passcode to enter as well. Because a legitimate passcode can only be created by the user's token, this creates a second factor of authentication, the "something you have." These tokens come in a variety of form factors, such as keyfobs or embedded in a standard credit card form. Some of the vendors also have released applications that enable users to get the passcode from a smart phone instead of having to carry around another token.
|"Computer manufacturers also have started including smart card readers in laptop."|
Smart Cards: which contain a secure microprocessor chip, have been around for a long time and are being issued by the U.S. federal government for employees' credentials. Computer manufacturers also have started including smart card readers in laptops, and the cost of adding one to a PC is nominal. Your smart card is used along with your username and passcode as your "something you have" to gain access to computer networks and Web sites.
Digital Certificates and Public Key Infrastructure: A digital certificate is just what it sounds like: a digital file that provides assurance of your identity. An individual certificate, another example of "something you have," can be stored on a USB drive, secured on a smart card or downloaded directly to a personal computer. A Web browser can then automatically check the certificate along with user name and password to enable Web sites for two-factor authentication. Public Key Infrastructure (PKI) is responsible for issuing digital certificates, ensuring the distribution of these certificates through a directory, and validating certificates. Deploying national PKI would be complex and expensive, though in the long run it may be the best option because PKI is one of the most secure technologies available, officials say.
|“Biometrics is an example of “something you are,” and can be a fingerprint or an iris scan.|
Biometrics: Biometrics is an example of "something you are," and can be a fingerprint or an iris scan. Although some computer manufacturers are embedding fingerprint readers into laptops, this is most likely a long shot for a nationwide secure authentication solution. If the scanners aren't included in a PC, they can be expensive. Other biometric options haven't made inroads to the desktop yet or are too costly.
Smart Phones: This, too, may seem like a long shot but some government officials see mobile devices being the key for online authentication. People will leave the home without a wallet or ID badge but rarely do they forgot their mobile phone. With Near Field Communication (NFC) on the horizon it could be identification rather than payments that brings the technology to the forefront, some officials say. NFC enables a mobile device to transmit information using the same protocol as the contactless smart card you may have in your wallet.
The snag in this plan is that most PCs aren't equipped to read contactless smart cards and those readers are more expensive than those used for contact smart cards. But could the smart phone connect via a USB until contactless readers are embedded in computers? It's a possibility that wouldn't cost very much.
Using the mobile device for identification would be less expensive than any other type of
card or token. There wouldn't be any issuance cost because most people already have a mobile device. Users would just download the application onto the smart phone and use it from there.
After the National Strategy for Secure Online Transactions finishes its work, it's likely
that a combination of these technologies will be recommended. You will be able to choose which
technology you want to use based on your specific wants and needs. At that point the more interesting question is how consumers will be vetted and how the chosen technologies will
be issued. For these answers, we just have to wait and see, but the end result should be a more secure online environment where you and your identity are safe.
Zack Martin, Editor
A tech-savvy editor and reporter with more than 12-years experience in emerging technologies publishing, Zack brings a strong focus in government and enterprise ID programs to AVISIAN. Prior editorial roles with industry publications such as IDNewswire, Card Technology, and Card Marketing add to Zack’s unique market insight. He is a graduate of DePaul University’s journalism program.