Authentication's Chicken 'n' Egg Dilemma
"The idea is that in many transactions today, one has to provide a bunch of information about oneself that is not strictly necessary for the transaction in order to be authenticated by the service provider that you are doing business with," Bruce McConnell, counselor to Homeland Security Deputy Undersecretary Philip Reitinger, says in an interview with GovInfoSecurity.com (transcript below).
"In the vision that we have put out in the strategy, that is no longer necessary. In that vision, you only need to provide the attributes that are specifically necessary for the specific transaction. If you are going someplace and the only thing that is needed to know is that you are over 21 years of age, then that information can be provided without providing all of the other information about you. You can then be authentication in pseudonymous, not completely anonymous, in that transaction."
McConnell says true anonymity on the Internet is critical in many situations to allow citizens to exercise their First Amendment rights or access medical and tax information from the government without disclosing their identities.
In the interview, McConnell also discusses:
- The goals of the National Strategy for Trusted Initiative in Cyberspace.
- How economics and a lack of standards and interoperability have stood as barriers to widespread adoption of two- and multifactor authentication.
- The role the government should play in identity proofing, the process in which a credential issuer validates the identity of individuals, organizations and technologies.
With extensive experience in IT security, procurement and management, McConnell serves as senior advisor to Reitinger on a variety of strategic and policy matters.
From 2000 to 2008, he created, built and sold McConnell International and Government Futures, boutique consultancies that provided strategic and tactical advice in technology, business and government markets. In the two previous years, McConnell served as director of the International Y2K Cooperation Center, where he coordinated regional and global critical information technology infrastructure organizations to promote information sharing and joint action.
According to his DHS biography, McConnell, as chief of information policy and technology in the Office of Management and Budget from 1993 to 1999, led the government-industry team that reformed U.S. encryption export policy, created an information security strategy for government agencies, redirected government technology procurement and management along commercial lines and extended the presumption of open government information onto the Internet.
McConnell holds an master in public administration from the University of Washington and a bachelor of science from Stanford University.
ERIC CHABROW: To start off, tell us a little bit about the National Strategy for Trusted Identities in Cyberspace and why is it an administration cybersecurity priority?
BRUCE McCONNELL: As you will remember last May (2009), the president released the Cybersecurity Policy Review, and in that one of the top 10 near-term items was issuing a strategy in this area. We are very excited to get this out on the street for public comment. We put it out (in late June) and we are getting a lot of interesting comments from people, very helpful suggestions about how we could improve the strategy and our goal is to release it later this year, probably in October, in final form.
The goal of the strategy really is to paint a road map on the way forward for this key area. You will remember, 15 years ago, the famous cartoon in the New Yorker, where two dogs are sitting in front of a computer screen and the dog says to the other dog, "The great thing about the Internet is nobody knows you're a dog." That is still true and it is still somewhat funny, but in a world where many, many important transactions and interactions occur on the Internet it is not so funny in those situations.
The goal of the strategy is to lay out a path forward that people can voluntarily engage in a system which will give them and whoever they are dealing with, whether it is an institution or another individual, much higher degree of confidence that they know who they are dealing with.
CHABROW: Are there other notable initiatives underway at DHS or elsewhere in government to improve authentication?
McCONNELL: This is the capstone initiative, this strategy, which is the way forward for a variety of other things that are going on right now. For example, every department and agency has different things that they are doing to increase the trustedness of electronic and physical electronic interaction. For example, here at DHS, we are working to create two-factor authentication for logging onto our internal systems. We are developing a situation where we can as a result of that have single signs on so people don't have to remember so many different passwords. We are hoping to extend to the use of smart phones and PDAs, and that is happening in a number of agencies.
Similarly, NIST (National Institute of Standards and Technology) and GSA (General Services Administration) are working together to build out the FICAM (Federal Identity, Credential and Access Management) framework for G2G, G2B and G2C transactions involving citizens. All of those things are happening under this larger strategy that really goes beyond the government to creating and stimulating the creation of an infrastructure that will allow trusted transactions to occur both in the private sector as well as within the government.
CHABROW: Let's talk a little bit about two-factor, multi-factor authentication, and that is where individuals provide something they know, such as a password/PIN; something they have, such as a card containing an ID chip or a digital key; or something that is unique about an individual, as an iris scan or a fingerprint. As it relates to the IT systems, networks on the Internet, where are we in practical terms in replacing single authentication? What are the barriers preventing widespread acceptance of two or multi-factor authentication?
McCONNELL: There are two key barriers to adoption of a strong and reliable authentication scheme if you will for the country.
The first one is the business case. This is your classic chicken and egg issue because it is one of those areas where the economics of networks come into play, so if the value of a network becomes greater, the more people join the network, but if it is a very small network it is not worth very much and not very valuable. If this whole area had a hard time getting off the ground (it's) because there has been no advantage to make investments in it because there has not been a big demand for it.
That business issue is complicated by the other barrier, which is then the lack of consistent and interoperable policy and standards around authentication. There has not been an agreement about interoperable credentialing, provisioning of credentials and authentication in a way that allows smaller groups, firms and the government to develop systems that will then interoperate.
Those have been the two main barriers to moving forward in the whole scheme of things. Those barriers apply specifically to the use of two-factor authentication, which is one piece of this.
CHABROW: Do you see any kind of resolutions on that soon?
McCONNELL: One of the goals of the strategy is to create some momentum in this area by laying out a vision and promoting the idea, promoting the business case, thus getting some adoption. Another piece of this is the development of pilots of experiments where some of these things can be tested out in a broader scale and that kind of thing.
This is the beginning of the way forward. You can't get someplace if you can't see where you are going and that is what we are trying to do here. The strategy is important from a cybersecurity standpoint, but it is also very important from an economic standpoint because with increased trust there will be less fraud and more confidence in the Internet and then that way people will bond new kids of transactions and thus be a boost to the economics of the Internet.
CHABROW: What role should government perform as either an authenticator or an organization that certifies third party organizations to authenticate individuals, organizations and technology?
McCONNELL: As you had suggested earlier, there are kind of three parts to the process, right; there is identity proofing, there is the credentialing and then the authentication, and I think that the jury is still out on where the government's role is in each of those areas. There is certainly a tradition in our country to have a strong government role in identity proofing, for example, the Post Office doing that work for people as they apply for a passport and that kind of thing. The goal of this is to assure that there are both government and private-sector players in the space and that there's not just one way of getting it done. The key there will then be to have agreements and understandings and confidence in the level of trustworthiness of any of those players so that you can make a decision in any particular transaction or business arrangement whether you want to accept that credential across providers.
CHABROW: Anything else you would like to add?
McCONNELL: One of the most exciting things about this strategy in my view is the way that the vision lays out that stronger authentication can actually increase privacy. The idea is that in many transactions today, one has to provide a bunch of information about oneself that is not strictly necessary for the transaction in order to be authenticated by the service provider that you are doing business with.
In the vision that we have put out in the strategy, that is no longer necessary. In that vision you only need to provide the attributes that are specifically necessary for the specific transaction. If you are going someplace and the only thing that is needed to know is that you are over 21 years of age, then that information can be provided without providing all of the other information about you. You can then be authentication in pseudonymous, not completely anonymous, in that transaction.
A related piece to that is the recognition of the importance of true anonymity on the Internet. There are many situations where anonymity is critical, whether it involves exercising your First Amendment rights or just finding out information from the government about medical information or tax information that you don't want necessarily tied back to your individual identities. The system we envision in this strategy is one that has a lot of flexibility for the user and for the service provider in arranging just for the right amount of information to be shared.