Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy protections.
What is authentication?
Authentication in this context refers to the verification of user identities in an electronic information system. Authentication can be discussed in terms of three factors, or authenticators:
- Something that is known by the individual (e.g. a password, personal identification number, account number, etc.)
- Something that the individual has (e.g. a bankcard, token, identity card, digital certificate, etc.)
- Something that the individual is or does (e.g. a biometric, such as a facial image, retinal scan, voice print; or a person’s signature)
Single-factor authentication is the traditional security process. In this type of authentication, the user must provide an authenticator in one of the above categories. For instance, before a user has access to an account, he/she must provide a username and a password. Single-factor authentication is more likely to result in compromised privacy or security.
Two-factor, or multi-factor, authentication requires authenticators from two or more of the above categories. For instance, before accessing a system, a user must provide a physical token, such as an identity card, and a security code. Authentication that is based on more than one authenticator from the same category is known as multi-layer authentication.
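As an added illustration (not part of the original article), the following Python encodes the distinction drawn above between single-factor, multi-layer and multi-factor authentication; the `Factor` enum, `Authenticator` class, policy check and sample flows are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    """The three authenticator categories described in the text."""
    KNOWLEDGE = "something the individual knows"
    POSSESSION = "something the individual has"
    INHERENCE = "something the individual is or does"

@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor

def classify(authenticators):
    """Label a set of presented authenticators.

    'multi-factor'  : authenticators from two or more categories
    'multi-layer'   : two or more authenticators, all from one category
    'single-factor' : exactly one authenticator
    'none'          : nothing presented (a username alone only identifies
                      the account; it is not an authenticator)
    """
    if not authenticators:
        return "none"
    categories = {a.factor for a in authenticators}
    if len(categories) >= 2:
        return "multi-factor"
    if len(authenticators) >= 2:
        return "multi-layer"
    return "single-factor"

def meets_policy(authenticators, min_factors):
    """True when the distinct categories presented reach the policy minimum.
    A second knowledge authenticator (multi-layer) adds no new category,
    so it cannot satisfy a two-factor requirement on its own."""
    return len({a.factor for a in authenticators}) >= min_factors

# Constructed sample authenticators, mirroring the examples in the text.
PASSWORD = Authenticator("password", Factor.KNOWLEDGE)
SECURITY_QUESTION = Authenticator("security question", Factor.KNOWLEDGE)
IDENTITY_CARD = Authenticator("identity card", Factor.POSSESSION)
FINGERPRINT = Authenticator("fingerprint", Factor.INHERENCE)

if __name__ == "__main__":
    for flow in ([PASSWORD], [PASSWORD, SECURITY_QUESTION],
                 [IDENTITY_CARD, PASSWORD], [IDENTITY_CARD, PASSWORD, FINGERPRINT]):
        print([a.name for a in flow], "->", classify(flow),
              "| two-factor policy met:", meets_policy(flow, 2))
```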
Electronic Authentication in Canada
A 2008 study conducted by the Public Interest Advocacy Centre (PIAC) focused on electronic authentication of consumer financial transactions. It established that Canadian consumers were particularly attentive to electronic authentication methods in their daily transactions, which included banking and financial services, airport check-in and online shopping. While many online banking services required two-factor authentication, the most common form of online authentication remained single-factor authentication with a username and password.
A 2004 study revealed consumer frustration with the lack of security provided by online banking services and online retailers. A later 2005 study showed that Canadian consumers were more concerned about security and privacy than their American counterparts; 40% of Canadians avoided online shopping due to security issues, compared to 24% of Americans. The Privacy Commissioner of Canada continues to note concerns with the increasing trend of collection, use and retention of personal data.
In May 2004, Industry Canada released the Principles for Electronic Authentication to provide guidance for the development, implementation and use of authentication services and products in Canada. The Principles complement existing authentication governance by establishing benchmarks for products and services. They also ensure compatibility with international developments in authentication.
The Principles for Electronic Authentication are outlined below:
1. Responsibilities of Participants
Participants in authentication processes should be aware of their functions and responsibilities. Responsibilities should be proportional to the degree of knowledge and control they can reasonably be expected to have. Functions may include: administration, specification, end use, standards development, compliance assessment and infrastructure provision.
2. Risk Management
Any risks associated with authentication processes should be identified, assessed and managed in a reasonable, fair and efficient manner. Risks may include financial risks, loss of confidentiality or privacy, damages to reputation or identity theft. Assessment should be done in the context of the six functions listed in the previous principle.
3. Security
Participants in authentication processes should be responsible and accountable for security. A security incident that only affects a single participant may have implications for all participants. Participants have a responsibility to mitigate risks through sound security practices, but most of this responsibility lies with infrastructure providers and authentication administrators. Review and assessment are essential in ensuring the ongoing efficacy of security programs.
4. Privacy
Organizations involved in the design or operation of authentication processes should comply with data protection regulations set out in privacy legislation. The collection, use and disclosure of personal information in the context of authentication should be minimized. For instance, the authentication of a business should be focused on business attributes, rather than personal attributes of individual employees.
5. Disclosure Requirements
Organizations offering authentication services should disclose information, such as policies, practices and procedures, to other participants. This will ensure that all participants are aware of the risks and responsibilities associated with participation. Disclosure should not include any information that would introduce vulnerabilities or increase risk. The extent and nature of the information disclosed may vary, depending on whether the end user happens to be an individual or an organization.
6. Complaints Handling
Organizations that implement authentication processes should establish a complaints-handling process in order to enable participants to effectively resolve complaints and respond appropriately to non-compliance issues. Adequate complaints-handling processes should reflect the following characteristics: visibility; accessibility; responsiveness; fairness and objectivity; free of charge; confidentiality and privacy; accountability; continual improvement; and third-party dispute resolution processes for unresolved complaints.
Authentication Initiatives Since 2004
Since the publishing of the Authentication Principles, governments and consumer groups have been involved in several electronic authentication initiatives:
- The Data Protection Working Party adopted a working document on online authentication services. It studies the efficacy of Microsoft .NET Passport, which reduces the number of accounts a user needs to create and makes more services accessible through a single authentication process.
- In June 2007, the OECD released its Recommendation on Electronic Authentication as well as the OECD Guidance for Electronic Authentication, which lists a number of foundational principles for authentication.
- In September 2007, the Department of Finance began discussions regarding the expansion of the Debit Card Code to cover a broader array of electronic payments.
Authentication Principles, Revisited
In October 2008, the PIAC released a report calling for a substantial overhaul of Industry Canada’s Authentication Principles. The report cited the Principles’ widespread failure to provide adequate protection when conducting online business transactions. While consumers are becoming increasingly careful about security and privacy risks online, the report urges federal and provincial governments to play a greater role in the regulatory process.
The following is an outline of some of the criticisms and recommendations made by the PIAC regarding the Authentication Principles:
- Criticism: The Authentication Principles provide insufficient assurance of consumer security. Principle #3 is based on security, but it is too vague to be meaningful as it does not indicate how an organization might achieve appropriate security.
Recommendation: Authentication should move beyond multi-layer single-factor techniques. Two-factor authentication provides only minimal security for highly sensitive transactions. One-time passwords can be provided to the consumer through the financial institution or retailer. This strategy has been implemented internationally, but has yet to be introduced in Canada.
- Criticism: The Principles do not clarify who is liable for losses. Consumers should not be held liable.
Recommendation: Standard form contracts must make clear who bears the liability for losses. Banks and retailers should bear the burden of responsibility for unpreventable losses.
- Criticism: The Principles fail to adequately protect consumer privacy, especially in light of continually evolving security breaches.
Recommendation: Prioritizing consumer privacy would help to minimize the harm that results from security breaches related to authentication. The Principles should tie in corresponding sections of the Personal Information Protection and Electronic Documents Act (PIPEDA) fair information practices. Sensitive personal information should be used as authenticators only in very limited situations. Consumers should be able to choose the pieces of personal information they use as authenticators.
- Criticism: The Principles must mandate full public disclosure and consumer education.
Recommendation: Implementation of authentication processes should be transparent. This includes notifying consumers if the authentication system has changed; making information available before the user creates an account; providing full public disclosure of audits and compliance reviews; providing security breach notification; and providing consumer education.
- Criticism: Consumers are not guaranteed protection in a voluntary framework. Consumers need a better regulatory framework to address electronic authentication.
Recommendation: Regulate authentication through sectoral regulation. Strengthen online authentication through implementing two-factor authentication. Regulate authentication in the retail sector. The Privacy Commissioner of Canada should oversee authentication practices.
This article examines the concept of electronic authentication in a consumer context. Single-factor, two-factor and multi-factor authentication are explored. Industry Canada’s Principles for Electronic Authentication are defined and later criticisms and recommendations are raised. The article also looks at other authentication initiatives that have developed in Canada since 2004.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Security Controls: Authentication (V.A.a.i.)