In honor of Data Privacy Day 2009, APRPEH presents the 2006 article "It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct" (Steve Riley, Microsoft TechNet), which Bruce Schneier mentioned last week on Schneier on Security. Schneier's blog is one of the best places online to go for security information.
When discussing identity we must first determine the audience to whom we are speaking. To some people identity is who they are: "My name is Ploni." To others identity is a reflection of some important fact with which they identify, answering the questions of what they are or what they do: "I am a doctor," "I am a Republican," "I am a Jew." But is this really identity, or something else?
In the information management and protection world, identity is defined as the means by which one individual is distinguished from every other, and it is the thing to which that person's access rights are attached. An identity that cannot be authenticated gets no access.
For the databases a consumer visits, identity is tangled up with proof of identity and with access level (authorization). In the article linked above, the reader will learn that identity is a claim initially supplied by the individual ("I am Ploni"); authentication is proving that the claim is true; and authorization is setting what the authenticated user may do. Of these three, the first two can be faked by a perpetrator of identity theft: once the perpetrator has gathered enough of the consumer's details to get past a site that asks for nothing more than a user name and password, we end up with hacked PayPal accounts and hijacked Facebook accounts.
Systems that take security seriously use two-factor or multi-factor authentication. This is how your ATM card operates. One factor is something you have (the card). The other is something you know (the PIN). A further factor could be a biometric (something you are); note that a challenge question is just a second thing you know, so it strengthens the PIN factor rather than adding a new one. Combining independent factors, and requiring the secrets among them to change on a regular basis, provides the strongest authentication available. None of this, however, will prevent a data breach. Only proper encryption of stored data can reduce the likelihood of stolen data being usable by a perpetrator. Think of it this way. You cannot always prevent a traffic accident, but when you wear your seat belt and have an air bag, you reduce the chances of serious injury to driver and passenger when an accident does happen. It is the same with encryption. Not all encryption is equal and not all encryption is unbreakable. But in a world where stolen data is bought and sold daily, why would a thief waste time finding someone who can break the encryption (or steal the key) when plenty of unencrypted data is on offer?
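To make the three questions of the last two paragraphs concrete, here is an added example in Python (it is not code from this post or from Riley's article). It keeps the identity claim, its authentication, and authorization as three separate steps, and authenticates with two independent factors: a salted PBKDF2 password hash as the something-you-know, and an RFC 6238 time-based one-time code as the something-you-have, computed the way a phone or hardware token would. The account "ploni", its password, the role table and the fixed salt are constructed for the example; the TOTP secret is the RFC's own published test key, so the codes can be checked against the RFC's tables.

```python
"""Identity, authentication and authorization kept as three distinct steps.

Added example; not code from the APRPEH post or from Steve Riley's article.
The account 'ploni', its password, its TOTP secret, the salt and the role
table are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (the something-you-know factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as a phone or hardware token computes it
    (the something-you-have factor). Standard library only."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Step 1: identity. The claim "I am ploni" selects a record. On its own it
# proves nothing; it only tells the system which proofs to check.
_SALT = bytes(range(16))                  # constructed; use os.urandom(16) per user in practice
TOTP_SECRET = b"12345678901234567890"     # RFC 6238 test-vector key, constructed account
USERS = {
    "ploni": {
        "salt": _SALT,
        "pw_hash": _pbkdf2("correct horse", _SALT),
        "totp_secret": TOTP_SECRET,
        "role": "customer",
    },
}
# Dummy proofs checked for unknown usernames so response time does not reveal
# which identities exist. Unknown names are still rejected below.
_DUMMY = {"salt": _SALT, "pw_hash": _pbkdf2("", _SALT), "totp_secret": b"\x00" * 20}

# Step 3 data: what each role may do. Decided after authentication, not by it.
ROLE_PERMISSIONS = {
    "customer": {"view_balance"},
    "teller": {"view_balance", "post_credit"},
}


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Step 2: prove the claim with two independent factors."""
    rec = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["pw_hash"])
    # Accept the current 30-second window and one on either side for clock skew.
    code_ok = any(
        hmac.compare_digest(totp(rec["totp_secret"], now + skew), code)
        for skew in (-30, 0, 30)
    )
    return username in USERS and pw_ok and code_ok


def authorize(username: str, action: str) -> bool:
    """Step 3: an authenticated identity still only gets what its role allows."""
    rec = USERS.get(username)
    return rec is not None and action in ROLE_PERMISSIONS.get(rec["role"], set())


def login_and_act(username: str, password: str, code: str, action: str,
                  now: Optional[int] = None) -> str:
    """Run the three steps in order and report where a request is stopped."""
    now = int(time.time()) if now is None else now
    if not authenticate(username, password, code, now):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return f"ok: {username} may {action}"


if __name__ == "__main__":
    t = int(time.time())
    print(login_and_act("ploni", "correct horse", totp(TOTP_SECRET, t), "view_balance", t))
    print(login_and_act("ploni", "correct horse", totp(TOTP_SECRET, t), "post_credit", t))
```

The point of the separation is visible in the code: knowing the identity "ploni" gets an attacker nothing, a stolen password alone fails the second factor, and even a fully authenticated customer is still refused an action the role does not grant. Both comparisons use constant-time `compare_digest`, and unknown usernames are run through the same hashing so that response time does not leak which identities exist.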
However, in at least one high-profile breach, the encrypted consumer information and the key that encrypted it were stored on the same network, so the encryption bought nothing:
[Avivah] Litan's sources in the financial industry have told her that thieves hacked into an as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The multi-factor authentication recommended above will also not protect a consumer whose computer is infected with a keylogger or other malware. When your computer is transmitting all your user names, passwords, PINs and one-time codes to a fraud perpetrator, along with the websites you visit, account takeover is, at the very least, a sure bet. Real identity theft can follow when your Social Security Number and date of birth are lifted from your computer as well. Computer security must be kept up to date. Again, this is the best protection available, but it is not foolproof.
In any event, data system designers need to think through these questions and try to solve the equation of security versus user experience. Most people will say they want the businesses they do electronic commerce with to be good stewards of their personal identifying information, but the reality is that if the experience on a website is disappointing, the consumer will not come back. Efficient identity and authentication on demand; custodianship of information about us which we trust the custodian to protect; and policies which limit access to that information to an "as needed" basis: none of this is the future of IT. It is the present. The future may look very different. The answer to the future of identity and authentication may be "you." I do not endorse stand-alone biometrics, mind you. But alongside other authenticators, perhaps randomly applied ones, and private, trusted third-party identity warehouses, biometrics are coming.
It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct - Technet Microsoft - Steve Riley Published: February 14, 2006