French Justice Portal
Authentication methods and technologies

Agenda
- Definitions
- Authentication methods
- Risks and threats
- Comparison
- Summary
- Conclusion
- Appendixes
Identification and authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Identification precedes authentication: the user must first be recognized by the system. Identification is communicating someone's identity to the system. One person can have multiple identities (ID card, driver licence, passport, social security card, credit / debit cards, phones...). Authenticating is verifying someone's identity.

Strong authentication
An authentication factor is a piece of information and a process used to authenticate or verify a person's identity:
- Something I know (password, PIN code).
- Something I have (USB key, smart card, smart token).
- Something I am (biometrics).
- Something I can do (behavioural biometrics).
Two-factor authentication (T-FA) is a system in which two different factors are used in conjunction to authenticate. Using more than one factor to authenticate is called strong authentication.
Authentication methods
- Simple password authentication (login + password).
- One Time Password (OTP):
  - Hardware-generated OTP: OTP tokens (SecurID, ActivCard).
  - Software-generated OTP sent by SMS or email.
- Digital certificates:
  - Software certificates.
  - Certificates on contact devices: smart cards, USB tokens.
  - Certificates on contactless devices: RFID induction technology.
- Biometrics.
For more information see appendix 1.

Risks and threats
Hacking or cracking:
- Physical theft (password, smart card, computer...).
- Logical copy (certificate, random numbers...).
- Key loggers, screen grabbers.
- Phishing.
Public internet terminals require special attention (cyber cafes, public interactive terminals...). Multiple authentication factors reduce the threat. For example, the PIN code is a supplementary protection when your smart card is stolen.

Comparison criteria
The main comparison criteria for authentication methods are:
- Security level.
- Deployment: an important criterion for mass diffusion.
- Costs: deployment cost (an important criterion for mass diffusion) and total cost of ownership (TCO).
- Mobility: usage on multiple terminals (home, office, cybercafes...).
We exclude these authentication methods from the comparison:
- biometrics (public acceptance, cost).
- certificates on contactless devices (cost).
All proposed authentication methods are now mature and industrialised.
Authentication methods - comparison
Criteria: Mobility, Security level, Deployment, Cost, Example of use, End user usability, Digital signature compliant.
The rating symbols of the original slide did not survive extraction; the annotated cells are:
- Simple password: security level: one factor. Example of use: webmail, online banking, E-CB.
- Software OTP: cost: except if sent by SMS. End user usability: 2-step process.
- Smart token OTP: deployment: device distribution. Example of use: ActivCard, SecurID.
- Software certificate: mobility: transfer not easy. End user usability: complex installation. Example of use: French Gov. taxes, VPN access...
- USB token certificate: mobility: USB port + driver. Deployment: device distribution. Example of use: French notariat (REAL), lawyers (@vocats).
- Smart card certificate: mobility: reader + driver. Deployment: reader and device distribution. Example of use: French notariat.

Authentication methods comparison summary
Simple password
- Advantages: low cost.
- Inconveniences: basic authentication.
- Comments: low security level application with large public deployment.
Software OTP
- Advantages: cost / strong authentication.
- Inconveniences: 2-step authentication process; cost if sent by SMS.
- Comments: suitable for large public deployment with high security level.
Software certificate
- Advantages: strong authentication; digital signature compliant.
- Inconveniences: mobility is difficult; administration, installation.
- Comments: not suitable for large public deployment with occasional use.
Smart token OTP
- Advantages: strong authentication.
- Inconveniences: deployment cost; distribution process; no digital certificate (signature).
- Comments: not suitable for large public deployment.
USB token certificate / Smart card certificate
- Advantages: strong authentication; digital certificate for signature.
- Inconveniences: deployment cost; complex distribution process.
- Comments: not suitable for large public deployment with occasional use. Prefer the existing national digital identification solution.
Conclusion
For a short-term approach, we recommend low-cost solutions without any hardware device deployment:
- Simple password for procedures with basic authentication needs and low security requirements.
- OTP (email or SMS) for procedures requiring a higher security level.
These 2 methods are not compliant with digital signature. Further on, we recommend using the certificates of the future French digital ID card (CNIE) for authentication and signature. The CNIE project is managed by the French national agency for secure IDs (ANTS).

Appendixes
1. Authentication methods detailed presentation
2. Authentication methods comparison

Appendix 1
Authentication methods detailed presentation
Simple password authentication
The user is authenticated with a login ID and a password. Password authentication is the most common and the simplest authentication method. The security level is low. A well-managed password is not easy to crack: minimal length, types of characters used, password lifetime...

One Time Password
The password is dynamically generated at each connection request and has a short lifetime. The password is generated by a software calculator. The calculator is protected with a PIN code (it could be stolen). Often the OTP is combined with simple password authentication for two-factor authentication (T-FA).
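The following is an added worked example, not part of the original presentation, showing how the password and OTP factors described on these two slides combine into one two-factor check: a salted PBKDF2 hash protects the "something I know" factor, and an RFC 6238 time-based OTP with a short validity window stands in for the software calculator (the slides do not say which OTP scheme the portal used; TOTP is assumed here as one standard choice). The user record, salt and password are constructed demo values; the OTP secret is the RFC 4226/6238 reference key.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 600_000  # work factor for the stored password hash
OTP_STEP = 30            # OTP lifetime in seconds (one time step)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, expected_digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected_digest)

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=OTP_STEP, digits=6):
    """TOTP (RFC 6238): the HOTP counter is the number of steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, code, unix_time, step=OTP_STEP, window=1):
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    steps = range(-window, window + 1)
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code) for k in steps)

def login(record, password, otp_code, unix_time):
    """Both factors must pass; the OTP is only checked once the password is right."""
    if not verify_password(password, record["salt"], record["pw_digest"]):
        return False
    return verify_totp(record["otp_secret"], otp_code, unix_time)

# Constructed demo record (not real data): fixed salt for reproducibility; the OTP
# secret is the RFC 4226/6238 reference key so the codes can be checked against the RFCs.
DEMO_SALT, DEMO_DIGEST = hash_password("Tr0ub4dor&3", salt=b"demo-salt-16byte")
DEMO_RECORD = {"salt": DEMO_SALT, "pw_digest": DEMO_DIGEST, "otp_secret": b"12345678901234567890"}

if __name__ == "__main__":
    print(totp(DEMO_RECORD["otp_secret"], 59))                   # 287082 (RFC 6238 test vector)
    print(login(DEMO_RECORD, "Tr0ub4dor&3", "287082", 59))        # True: both factors valid
    print(login(DEMO_RECORD, "Tr0ub4dor&3", "287082", 59 + 120))  # False: the OTP has expired
```

A real deployment would also store the OTP secret encrypted at rest and rate-limit failed attempts, which the slides' threat list (theft, logical copy) implies but this example omits.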
Digital certificate
A digital certificate is a digital identity card whose purpose is to identify a physical or non-physical entity. A digital certificate is a link between the physical and digital entities, delivered by a trusted third party (CA = Certificate Authority). X.509 is the ITU-T standard for digital certificates. Depending on the security level, there are several certificate classes:
- Class 1 certificate: delivered by mail.
- Class 2 certificate: a proof of identity is required.
- Class 3 certificate: physical presentation of the requester to the delivering authority is required (face to face).
- Class 3+ certificate: class 3 certificates are directly generated on a token, for example a smart card, delivered with a face-to-face process.
The highest security level is obtained with certificates on hardware support such as a smart card or USB token.

Biometrics
Biometrics is the set of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits. Biometric characteristics can be divided into two main classes:
- Physiological, related to the shape of the body: face recognition, fingerprints, iris recognition, hand geometry, DNA...
- Behavioural, related to the behaviour of a person: signature verification, keystroke dynamics, voice...
Biometric identification appears very intrusive to a majority of persons, and public acceptance is a great concern. The cost of biometric devices is high.
Appendix 2
Authentication methods comparison

Gartner hype cycle
(figure)

Cost elements
Recent technologies are expensive (biometrics, voice recognition). For mature technologies (password, certificates), the initial acquisition cost disadvantages technologies with physical devices to deploy (cards, readers...). The total cost of ownership (TCO) must include management costs (help desk, password management...).

Mobility
Some authentication methods may be unusable depending on where the user is connected.
Methods compared: Simple password, Software certificate, OTP, USB token certificates, Smart card certificates.
Locations compared: Home PC, Justice interactive terminal, Public cyber area, Other PC.
Each cell of the original slide is OK or KO, some with a numbered condition; the cell values did not survive extraction. Conditions:
1: One certificate per person.
2: If the PC has a compatible card reader.
3: If the software components are installed.
4: If the smart card reader is also provided.