E-government policy makers don't appear to be paying much attention to smartcards as a potential government-to-person (G2P) authentication tool.
Smartcards are given passing and not very favourable mention in a discussion document on techniques for G2P authentication issued a fortnight ago by the State Services Commission’s e-government unit.
Both smartcards and disk-based authentication "keys" -- referred to in the paper as "hardware keys" and "software keys" respectively -- offer robust security and ease of use, it says.
With the hardware, or smartcard, key, "secret information is not stored on a PC that might be vulnerable to attack, but always travels with the user", the paper says. "It can therefore be used at any location that has an appropriate token reader."
On the other hand, the report notes, "some hardware-based devices such as smartcards also require additional hardware on each PC to read the key. Tokens [cards or disks] can be lost, stolen or mislaid (for example, left at home). Like passwords, tokens can be shared; although once the token has been given back to its owner the compromise no longer exists.
"Technical difficulties can also arise, as most computer applications have no native support for authentication by either proprietary hardware devices or keys such as those used in digital certificates."
The paper also describes the use of digital certificates, public key infrastructures for encryption and simple password or PIN schemes, none of which necessarily implies a "token" like a smartcard or disk to be carried securely on the user’s person.
The stringency of authentication needed will vary according to the likelihood of the user suffering harm through misidentification. For example, just obtaining general information from a government website should not need any authentication, and it is highly unlikely that an impostor would attempt to pay a citizen’s tax or rates bill in their name. A financial transaction in the user’s favour, an establishment of entitlement to a benefit or registration of a change in status, the document suggests, are examples where the perceived value of stringent authentication might come ahead of cost or convenience.
E-government unit boss Brendan Boyle outlined this concept of graded protection for different purposes in a conversation with Computerworld much earlier this year and little in the essential argument seems to have changed since then.
The discussion document seeks input from "stakeholders", including the public, government agencies and hardware and software developers, on appropriate levels and methods of authentication. It does this by posing a set of brief questions at intervals through the explanatory text.