Biometrics is one of the options raised in the New Zealand government’s discussion paper on authentication.
The government’s authentication project, which is chaired by the Department of Internal Affairs and the State Services Commission, mainly concerns transactions between the government and individual citizens.
The paper, released last month, does not favour any single solution for authenticating individuals. But it sees problems with biometrics.
Initially, the paper says, biometric security is high because it cannot be shared. The biometric identifier cannot be lost and is highly portable, travelling with its owner at all times. But biometrics needs readers which are not generally available, are costly and often unreliable. There are also issues of privacy and cultural acceptability. Digitised fingerprint/iris scans, for instance, must not be stolen, and once the biometric attribute has been compromised it cannot be replaced, the discussion paper notes.
The paper is still open for discussion and talks with “stakeholders” are due for completion this month to produce a final analysis. Whatever options are favoured, the government says authentication is vital to ensure services delivered over the internet are delivered to the right person, people are who they say they are and privacy is protected at all times.
The e-government strategy, launched in April, promises that by 2004 the internet will be the main way to access government information, services and processes.
The discussion paper shows many manual and online authentication systems are used in New Zealand, with varying degrees of success.
These include passwords, PINs, “secret questions”, digital certificates, software or hardware based encryption keys and biometrics. The paper also comments on their main advantages and disadvantages.
- User-name/password, PIN, secret answer: These are the most common systems; they are cheap and simple to set up and are based around what people know. They require little education for users and a password or PIN is easy to replace if compromised or lost. However, security can be poor as most users tend to select simple passwords that are easily guessed (such as names). It is also easy to find software designed to “crack” passwords. Passwords are also often forgotten, often shared on Post-It notes and users may give away a password to someone purporting to be the helpdesk.
- Digital certificates: These are issued by certification authorities (CAs) that carry out initial identification of certification holders and provide the bona fides of the certificates that they issue. A user will send their public key and proof of identity to a CA. If the CA is satisfied as to the user’s identity, the CA will issue a digital certificate containing the user’s public key. In effect, the certificate is a transaction to the world, “authorised” using the CA’s own private key.
- Public key infrastructure (PKI): A PKI makes widespread use of public key encryption possible through the use of digitally signed certificates. Each user generates an encryption key which is stored either in software or in hardware; this “private key” can be used to “authorise” transactions. But PKI can be risky because of the security around private keys and the initial authentication by registration authorities. Although PKI does not enable private keys to be forged, it cannot discern who is actually using one. Poor security around the keeping of keys (especially when stored on computers) can severely compromise the level of authentication actually provided by PKI solutions.
- Software-based keys: A private key is stored on disk, encrypted to keep it confidential, and is accessed through a password or PIN that authenticates anyone wishing to use it. This is stronger than PIN or password alone. But extra software must be bought and installed on each PC used and buying digital certificates is another cost. Private keys can also be stolen or deleted by gaining access to the PC and they can be lost due to software or hardware problems.
- Hardware-based keys: These use a physical device (generally called a token) to hold the private key and the corresponding digital certificate. They offer most of the advantages of software-based keys, including robust security. Certificates are easy to use and can be supplemented with a password or PIN to access the information stored in the token (eg a smartcard with a PIN). Unlike software-based keys, the secret is not stored on a PC that might be vulnerable to attack, but always travels with the user. It can therefore be used at any location that has an appropriate token reader. But hardware-based keys are costly and need extra software to validate them. Smart cards may also need extra hardware on each PC to read the key. Tokens can also be lost, stolen or shared.
- Public key encryption: This uses a second key so a message encrypted with one key can only be decrypted with the other. By publishing one key — making it “public” — and keeping the other key secret — “private” — the person who generated the keys can receive confidential messages and “authorise” transactions, the discussion paper says.
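
The certificate and software-based key items above can be walked through with the `openssl` command-line tool. This is an added example, not part of the discussion paper; it assumes `openssl` is installed, and the CA name, citizen name and passphrase are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: all names and the passphrase are constructed; files live in a temp dir.
set -eu
PASS='constructed-demo-passphrase'

build_demo() {  # $1 = working directory
  d=$1
  # CA: self-signed root certificate (key left unencrypted only for this throwaway demo).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # User: a "software-based key", i.e. a private key on disk encrypted under a passphrase.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
    -pass "pass:$PASS" -out "$d/user.key" 2>/dev/null
  # User sends the public key and claimed identity to the CA as a signing request.
  openssl req -new -key "$d/user.key" -passin "pass:$PASS" \
    -subj "/CN=Constructed Citizen" -out "$d/user.csr"
  # CA, satisfied with the identity, signs the request with its own private key.
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null
  # Same name, but self-issued: no CA has vouched for this key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Citizen" \
    -keyout "$d/forged.key" -out "$d/forged.pem" 2>/dev/null
}

# Succeeds only if the certificate in $2 chains to the CA stored in directory $1.
chains_to_ca() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }

# Succeeds only if passphrase $2 decrypts the private key file $1.
key_opens_with() { openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo "$DEMO_DIR"

chains_to_ca "$DEMO_DIR" "$DEMO_DIR/user.pem"   && echo "CA-issued certificate: accepted"
chains_to_ca "$DEMO_DIR" "$DEMO_DIR/forged.pem" || echo "self-issued certificate: rejected"
key_opens_with "$DEMO_DIR/user.key" "$PASS"     && echo "key file + passphrase: usable"
key_opens_with "$DEMO_DIR/user.key" wrong-guess || echo "key file + wrong passphrase: unusable"
```

The relying party needs only `ca.pem` to check a certificate; nothing in that check shows who is holding `user.key` and its passphrase, which is the limitation the PKI item describes.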