Double Click
Digital IDs
Authentication measures verify digital identities; which authentication measure to choose depends on the degree of security required.
FROM: SEP-OCT 2003 ISSUE | BY ROBERT GAGNON
Many children dream of being a superhero — to live a life of adventure and to have a secret identity. But secret identities aren't exclusive to superheroes anymore. On the Internet, one can be a mild-mannered reporter by day and an online Casanova by night.
Recognizing the identity of the party you are dealing with is essential in all human interaction, whether in person, on the phone, by fax, or in cyberspace. Once you know who the other party is, you may share confidential information meant exclusively for that particular person. Face-to-face, the identification process is instantaneous. Over the phone or by fax, caller ID will often tell you who the caller is. But having failed to properly identify callers, some people have been lured into giving their credit card numbers over the phone, only to find fraudulent purchases made afterward. The new challenge is how to ensure that parties clearly and honestly identify themselves in the digital arena. This is particularly true given the international focus on security following 9/11.
We also hear regularly of worms and viruses destroying databases and stored information by wiping out hard disks. With computers now remaining online 24 hours a day, the importance of having firewalls and anti-virus software has never been greater. Even opening an e-mail from a known source can be a devastating experience — ask anyone who received the "I love you" virus from a friendly party by opening the attachment expecting sweet words of love.
Hackers have learned to extract e-mail addresses from address books and send messages under those names, thereby making recipients believe that the e-mails come from a known source. Having a proper method of identification, such as a digital identity, is just one of the many tools available to avoid such security issues.
How do we define a digital identity? According to the Digital ID World Web site, "a digital identity is the representation of a human identity that is used in a distributed network interaction with other machines or people." In simple terms, a digital identity increases the level of trust a computer user has toward another party with which the user is interacting (whether a Web site, e-mail, or other electronic communications means over the Internet) by confirming that second party's identity. Depending on the type of interaction and the sensitivity of the information, the degree of authentication required can vary significantly. There are three generally recognized levels of authentication, based upon:
- Something you know;
- Something you have; and
- Something you are.
Following is a brief discussion of the strengths and weaknesses of each authentication measure, and applications for each.
Something You Know
The most common authentication measure is the combination of a unique user name and a confidential password. It is the most widely used method because it is the simplest and least expensive. It integrates seamlessly into just about any Web site requiring user authentication, and it is facilitated by browser features that automatically store user names and passwords as cookies, giving you access to a Web site without having to log in every time.
This authentication measure is normally made up of a user name that everyone knows and a password that only the user is supposed to know. However, the security of a user name/password combination is limited by each user's ability to keep the password confidential. Users should avoid easy-to-guess passwords. While this is great in theory, the proliferation of passwords we all must remember makes it next to impossible for users to remember long and complicated ones.
Ideally, administrators of user name/password combinations should request that users change their passwords regularly. This is not always the case. Some Web sites never ask you to change your password. The ones that do normally face the ire of users who complain about having to remember multiple passwords for multiple applications that change many times a year at different intervals. As a result, a number of Web sites have given up asking users to change their passwords regularly.
This method also relies on how well the Web site protects the stored information. There have been a number of reported cases where hackers were able to access not only the user name/password combinations, but also all of the information attached to them, and credit card information was stolen. Since then, security on Web sites holding credit card details has been reinforced. Even so, given enough time, hackers are good at finding ways to crack open tight security measures.
Something You Have
This category is wide and includes items such as smart cards, tokens, and other devices encoded to be unique identifiers. According to ArticSoft, a company specializing in IT security, the most common token authentication method is the RSA Security SecurID token. RSA can provide hardware or software solutions to generate the token, which is based on algorithms that generate a new, unpredictable code every 60 seconds; the server recognizes that code when it is presented together with the user's PIN.
The combination of the time-based code and the PIN significantly increases the security of a network and minimizes the possibilities of hackers infiltrating it. However, the cost can be prohibitive, so this approach is typically reserved for very specialized applications. A number of banks use this type of technology for large corporate customers. But it doesn't guarantee the user is who he says he is, since he could give the device and PIN to someone else.
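To show how the server side of a time-synchronized token plus PIN works, here is an added example (not code from the article or from RSA). It assumes a generic HMAC-based code derivation standing in for RSA's proprietary SecurID algorithm, a constructed shared seed, and a 60-second window as described above; it also rejects replays of a code that has already been accepted, which a production server must do.

```python
import hmac
import hashlib

STEP_SECONDS = 60  # the article's 60-second code interval


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    # Token and server both derive the code from the shared seed and the
    # current 60-second window, so no code is ever sent ahead of time.
    # HMAC-SHA1 truncation as in the TOTP idea; this is a stand-in, not
    # RSA's actual (proprietary) SecurID algorithm (assumption).
    window = unix_time // STEP_SECONDS
    mac = hmac.new(seed, window.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_pin(pin: str) -> bytes:
    # The server stores only a hash of the PIN, never the PIN itself.
    # (Simplification: a real deployment would use a slow, salted KDF.)
    return hashlib.sha256(pin.encode()).digest()


def verify(seed, pin_hash, state, submitted_pin, submitted_code,
           server_time, drift_windows=1):
    """True only if the PIN (something you know) AND a code for the current
    window, or an adjacent one to tolerate clock drift (something you have),
    are both correct.  'state' remembers the last accepted window so a
    captured code cannot be replayed."""
    pin_ok = hmac.compare_digest(hash_pin(submitted_pin), pin_hash)
    matched = None
    for w in range(-drift_windows, drift_windows + 1):
        t = server_time + w * STEP_SECONDS
        if hmac.compare_digest(token_code(seed, t), submitted_code):
            matched = t // STEP_SECONDS
    if not pin_ok or matched is None:
        return False
    if matched <= state.get("last_window", -1):
        return False  # replay of an already-used code
    state["last_window"] = matched
    return True
```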
Something You Are
As any fan of espionage movies or television shows can attest, we live in the era of biometrics. Biometrics measure specific characteristics of a person and compare the results to a base measurement to determine whether a person is who she says she is. The different measures include voice, fingerprints, face, retina, iris, and handwriting. This is the ultimate digital identification method.
But, while this technology has evolved significantly, there are limitations to biometric identification. It relies on a stored database of measurements against which a current measurement is compared, and the software has to allow for differences due to the angle of measurement, lighting, and the position of the subject vis-à-vis the reader. Because of that tolerance, a biometric scan can produce a wrong result, either rejecting the legitimate user or accepting an impostor.
Nevertheless, biometrics is the most advanced method of digital identification currently available. It is also the most expensive, and its use is restricted by the high costs associated with it.
No Secrets
At the core, a digital ID is a means of authentication that allows someone to be recognized in the digital world. The level of security required increases depending on the sensitivity of the information. Authentication methods range from the simple user name/password combination to the addition of tokens, to the use of biometrics. And the higher the level of authentication, the more difficult it is for superheroes to protect their secret identities.
Robert Gagnon, CGA, is vice-president, finance and information technology, at Frisco Bay Industries Ltd., in Montreal. He has served on Canada Customs and Revenue Agency's technical advisory group on electronic commerce since 2000.