Identity control online
As technology improves, establishing who’s who, especially online and through non-traditional identification methods, is becoming increasingly difficult.
Spyware captures usernames and passwords. Credit card skimmers capture the supposedly secure contents of payment cards. And law-abiding people are impersonated online.
So, as we move toward this future of uncertain identities, teams of researchers are trying to stay ahead of the electronic crooks and keep villains away from information, both in the real world and over electronic networks.
Dan Bogdanov is a research project leader for the Estonia-based technology firm, Cybernetica, a partner in the European Commission Seventh Framework Programme’s VirtualLife project, designed to create a secure virtual-world platform. Cybernetica also created the Estonian electronic voting system and a range of e-Government solutions.
Some of the primary challenges Bogdanov says he faced in the pursuit of Cybernetica’s electronic identification efforts include establishing where information comes from, whether someone in the “real world” verified it, and whether the person claiming to be communicating is in fact the person sending the communication.
In pursuit of verifying a secure identity, Bogdanov says one reliable solution is to use peer-to-peer communication. “When two users want to communicate with each other, they establish a direct network connection, negotiate a secure channel and prove their identities to each other with standard public key cryptography,” Bogdanov says. “That’s one of the best solutions there is.”
The challenges inherent in online identification also apply in the bricks-and-mortar world. Irvine, California-based HID Global believes it has developed a technological platform to tackle the problem of establishing and controlling identities, even as those physical spaces become less defined and more spread out.
The Trusted Identity Platform, or TIP, is a framework designed by HID Global to transfer credentials and establish identifications over unsecured networks while maintaining a level of control akin to a system confined to a traditional secured building.
This is an issue that is growing in importance as systems are evolving.
Traditionally, access systems were managed and kept secure through physical building security, says Daniel Bailin, director, program management of strategic innovation for HID Global.
“Now maybe we want to put the credential on a phone. And maybe we want the reader on a laptop, and so the old method doesn’t scale into this new world,” he says. The TIP technology allows such out-of-the-box credentialing to be possible.
TIP relies on three primary concepts: a “Secure Vault,” a “Key Management Policy” and a technological protocol to operate over public networks.
“These systems give us the ability to provision a card or a reader outside of the four walls of a secure building and we can use all the mediums that are inherently insecure,” Bailin says.
Using the TIP technology, companies could conceivably establish a secure connection, for example, with an NFC-enabled wireless telephone, install a credential into that phone, and eliminate the need for the owner to carry a smartcard to establish a secure positive identification.
“That is the big competitive advantage that TIP gives us,” Bailin points out. “It works, not just on hardware that HID produces, which was the model in the past, but it can also use hardware anybody else creates. It allows open-source end devices that we didn’t design to still work securely.”
But even with an open-source system, securely establishing identification could rely on costly readers, which might rule out large institutions with huge numbers of end users, such as universities.
So many universities are looking to other alternatives to securely establish identity in the virtual space. This is becoming important as activities such as online testing mandate that the identity of the end user be verified.
US lawmakers have even weighed in on the matter in the latest version of the Higher Education Opportunity Act. That law mandates that universities develop secure methods of identifying and verifying the identities of students enrolled in online classes and who take tests remotely via computer.
The key to this “remote proctoring,” university security officers say, is to find a solution that offers a higher level of security than just a username and password combination, but with a very low cost for the end user.
One solution that is emerging is a software-only approach, such as keystroke biometrics. With keystroke biometrics, and with a related technology that uses computer mouse clicks, software can analyze patterns in how long each key on the keyboard is depressed, how long it takes for a finger to fall on a set combination of keys, unique mouse usage patterns or other idiosyncrasies that each computer user develops over years of computer work to identify the person whose hands are on the keyboard.
University of Maryland University College used just this type of system during a one-month pilot program involving 27 students and three faculty members. Students who volunteered for the program used behavioral biometrics to establish their identity before taking an online test. Most participants told researchers that the program was effective, non-intrusive and convenient.
Other universities are exploring a whole host of options to comply with the identification mandate. Some options include using Web cameras, which are nearly ubiquitous on new computer models, to capture photographs of users, or even to establish identification through facial-recognition software. Others are even considering requiring students to purchase inexpensive USB fingerprint readers to periodically spot-check users’ identities throughout the testing process.
But one of the primary problems with biometrics is their relatively high incidence of “false negatives,” where the correct user is rejected by the system, an especially frustrating prospect for someone in the middle of taking a test. For example, several systems using technology similar to the pilot program at UMUC suffer from false negative rates approaching 4 percent, much higher than the more proven credentials used with the TIP technology.
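The following is an added example, not code from the article or from any vendor it mentions, showing how the key-hold and key-to-key timings described above can be turned into a verification score, and how the acceptance threshold produces the false negatives discussed here. The scoring method (scaled Manhattan distance), the function names, the thresholds and all timings are assumptions constructed for illustration.

```python
from statistics import mean

def typed(word, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for one typing of word."""
    t, events = 0, []
    for i, ch in enumerate(word):
        events.append((ch, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events

def features(events):
    """Dwell = how long each key is held; flight = gap from one release to the next press."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature mean and mean absolute deviation over enrollment typings."""
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    mad = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, mu)]  # floor avoids /0
    return mu, mad

def score(template, events):
    """Scaled Manhattan distance from the template; lower means closer to the enrolled user."""
    mu, mad = template
    f = features(events)
    return sum(abs(x - m) / d for x, m, d in zip(f, mu, mad)) / len(f)

def verify(template, events, threshold):
    return score(template, events) <= threshold

def false_negative_rate(template, genuine_attempts, threshold):
    rejected = [a for a in genuine_attempts if not verify(template, a, threshold)]
    return len(rejected) / len(genuine_attempts)

# Constructed timings (ms) for the passphrase "exam"; not measurements from any real system.
TEMPLATE = enroll([typed("exam", [95, 110, 88, 102], [60, 45, 70]),
                   typed("exam", [100, 105, 92, 98], [55, 50, 65]),
                   typed("exam", [105, 115, 90, 100], [65, 40, 75])])
GENUINE = typed("exam", [98, 112, 90, 101], [58, 47, 68])
SLOWED = typed("exam", [108, 118, 94, 104], [70, 52, 80])   # same user, slower rhythm
IMPOSTOR = typed("exam", [140, 70, 130, 60], [120, 15, 150])

if __name__ == "__main__":
    for t in (2.0, 4.0):
        print(t, verify(TEMPLATE, IMPOSTOR, t), false_negative_rate(TEMPLATE, [GENUINE, SLOWED], t))
```

With the tighter threshold the slowed attempt by the enrolled user is rejected, which is the false-negative case; loosening the threshold admits it while the constructed impostor sample is still rejected.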
Moving into the future, Bogdanov says that establishing secure identities through an evolving array of settings will become increasingly important. “Jokingly, I would add that one day computers may get better with voice and video synthesis and be able to have anyone say anything. So identity research really can’t rest very easily,” Bogdanov says.
By Michael Giusti