|This article needs additional citations for verification. (December 2007)|
Electronic authentication, also referred to as e-authentication is the process of establishing confidence in user identities electronically presented to an information system. Authentication is a process closely related to identification. In online environments, the username identifies the user, while the password authenticates that the user is whom he claim to be. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network, for the purpose of electronic government and commerce.
In the conceptual e-authentication model, a claimant in an authentication protocol is a subscriber to some Credential Service Provider (CSP). At some point, an applicant registers with a Registration Authority (RA), which verifies the identity of the applicant, typically through the presentation of paper credentials and by records in databases. This process is called identity proofing. The RA, in turn, vouches for the identity of the applicant (and possibly other verified attributes) to a CSP. The applicant then becomes a subscriber of the CSP. The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber. There is always a relationship between the RA and CSP. In the simplest and perhaps the most common case, the RA/CSP are separate functions of the same entity. However, an RA might be part of a company or organization that registers subscribers with an independent CSP, or several different CSPs. Therefore a CSP may have an integral RA, or it may have relationships with multiple independent RAs, and an RA may have relationships with different CSPs as well.
The role of tokens
Tokens generically are something the claimant possesses and controls that may be used to authenticate the claimant’s identity. In e-authentication, the claimant authenticates to a system or application over a network. Therefore, a token used for e-authentication is a secret and the token must be protected. The token may, for example, be a cryptographic key, that is protected by encrypting it under a password. An impostor must steal the encrypted key and learn the password to use the token. Authentication systems are often categorized by the number of factors that they incorporate. The three factors often considered as the cornerstone of authentication are:
- Something you know (for example, a password)
- Something you have (for example, an ID badge or a cryptographic key)
- Something you are (for example, a voice print or other biometric)
Paper credentials are documents that attest to the identity or other attributes of an individual or entity called the subject of the credentials. Some common paper credentials include passports, birth certificates, driver’s licenses, and employee identity cards. The credentials themselves are authenticated in a variety of ways: traditionally perhaps by a signature or a seal, special papers and inks, high quality engraving, and today by more complex mechanisms, such as holograms, that make the credentials recognizable and difficult to copy or forge. In some cases, simple possession of the credentials is sufficient to establish that the physical holder of the credentials is indeed the subject of the credentials. More commonly, the credentials contain biometric information such as the subject’s description, a picture of the subject or the handwritten signature of the subject that can be used to authenticate that the holder of the credentials is indeed the subject of the credentials. When these paper credentials are presented in-person, authentication biometrics contained in those credentials can be checked to confirm that the physical holder of the credential is the subject. Electronic identity credentials bind a name and perhaps other attributes to a token. This recommendation does not prescribe particular kinds of electronic credentials. There are a variety of electronic credential types in use today, and new types of credentials are constantly being created. At a minimum, credentials include identifying information that permits recovery of the records of the registration associated with the credentials and a name that is associated with the subscriber.
In any authenticated on-line transaction, the verifier is the party that verifies that the claimant has possession and control of the token that verifies his or her identity. A claimant authenticates his or her identity to a verifier by the use of a token and an authentication protocol. This is called Proof of Possession (PoP). Many PoP protocols are designed so that a verifier, with no knowledge of the token before the authentication protocol run, learns nothing about the token from the run. The verifier and CSP may be the same entity, the verifier and relying party may be the same entity or they may all three be separate entities. It is undesirable for verifiers to learn shared secrets unless they are a part of the same entity as the CSP that registered the tokens. Where the verifier and the relying party are separate entities, the verifier must convey the result of the authentication protocol to the relying party. The object created by the verifier to convey this result is called an assertion.
e-Authentication in government
Infrastructure to support e-authentication is regarded as an important component in successful e-government. Poor coordination and poor technical design might be major barriers to electronic authentication. In several countries there has been established nationwide common e-authentication schemes to ease the reuse of digital identities in different electronic services. Other policy initiatives have included the creation of frameworks for electronic authentication, in order to establish common levels of trust and possibly interoperability between different authentication schemes.
In the United States
E-authentication is a centerpiece of the United States government’s effort to expand electronic government, or e-government, as a way of making government more effective and efficient and easier for the American people to access. The e-authentication service enables users to access government services online using log-in IDs (identity credentials) from other web sites that both the user and the government trust. By enabling the government to rely on log-in IDs that citizens already have from trusted identity credential issuers (such as web sites and digital certificate issuers), e-authentication is providing a simple, convenient, secure way for the American public to access government services via the Internet. E-authentication is a government-wide partnership that is supported by the agencies that comprise the Federal CIO Council. The United States General Services Administration (GSA) is the lead agency partner. E-authentication works through an association with a trusted credential issuer, making it necessary for the user to login into the issuer’s site to obtain the authentication credentials. Those credentials or e-authentication ID are then transferred the supporting government web site causing authentication. E-authentication was created in response of an inter-governmental memorandum to the heads of all government departments and agencies on December 16, 2003. That memorandum was issued through the Executive Office of the President, Office of Management and Budget. Memorandum M04-04 Whitehouse. That memorandum updates the guidance issued under the Government Paperwork Elimination Act of 1998, 44 U.S.C. § 3504 and implements section 203 of the E-Government Act, 44 U.S.C. ch. 36 and provides guidelines for governmental departments and agencies when implementing E-authentication.
E-authentication is a centerpiece of the Russia government’s effort to expand e-government, as a way of making government more effective and efficient and easier for the Russian people to access. The e-authentication service enables users to access government services online using log-in IDs (identity credentials) they already have from web sites that they and the government trust.
- E-Government Unit
- Electronic authentication
- Electronic services delivery
- Online consultation
- Online deliberation
- Open source governance
- Transformational Government
- Digital Government Society of North America
- Australian Government Information Management Office.
- Breaking Barriers to eGovernment (Draft Deliverable 1b), eGovernment unit, European Commission, August 2006. See table 1
- An overview of International Initiatives in the field of Electronic Authentication, Japan PKI Forum, June 2, 2005.
- Australia, Canada, US (M04-04).
- Government`s Regulation of the Russian Federation on November 28, 2011 № 977.
- US government E-authentication Web Site
- E-authentication Directive Memorandum M04-04
- DigiD - a common, digital identity implemented by the Dutch tax administration and 'GBO.Overheid' (Gemeenschappelijke Beheerorganisatie)
- Cartão do Cidadão - A Portuguese document that enables its holder to securely identify him/herself both in the physical and in the digital world