The trouble with weak IDs building strong identities
January 2014: This quarter, Gareth Thomas, Board Member of the Secure Identity Alliance looks at the trouble with weak IDs building strong identities
Last month Zach Klein used his Facebook profile to board a plane in the US having discovered he’d left his ID at home. News (and shock) exploded across the internet. This isn’t, of course, the security catastrophe it first appears. Or so it would seem. The U.S. Transportation Security Agency (TSA) has a policy in place that allows airlines to accept passengers without physical ID – so long as they can substantiate their identity using, for example, publically available databases. Whether FaceBook should qualify is a question for another article. But it did in this case. And it gave us an illustration of a major Identity challenge causing great and growing concern for across the world - namely, the ability for weak IDs to create strong identities. Let’s assume a less than honest individual recreated a legitimate Facebook profile, which he then used to prove his identity when applying for a driving license. Using his new license he gets a copy of the birth certificate of the legitimate Facebook user. He then has a strong identity - which he uses this to get a passport, citizenship, state benefits, unrestricted travel and so on.
LinkedIn, FaceBook and the traunch of other social services are weak IDs because they are not anchored to a legitimate identity in the first place. They are created by the user and then validated by the user’s friends or business contacts. While this may be enough for the chat room, it clearly fails to provide any form of stronger authentication or a clear point of trust that might be accepted by a bank or (as probably should be the case) an airline.
Substitute the social media starting point with another form of weak, stolen or counterfeit identity and the dangers quickly become apparent – from financial fraud through to homeland security.
The question is one of trust. Are we confident that the base identity was authorized and issued by a legitimate agency that we trust? If the answer to the question is no then we have a problem throughout the chain. Regardless of the integrity of the identity tokens from this first point on, ID will be compromised if we can’t trust the anchor.
This is a real concern for governments, of course. And not just from a national security perspective. The ability to leverage authorized identities offers opportunity across the eGorvernment sector to improve service delivery and dramatically reduce cost. Similarly, the ability to extend that identity out to the private sector – in banking, insurance and finance will accelerate fraud reduction strategies.
Added to this there are undoubted opportunities to work with the internet giants to investigate their role as identity providers (but based on this single trusted ID rather than user-generated one).
But if we’re working with identities that can be easily stolen, replicated or simply invented then it’s all at risk.
It makes perfect sense that governments play a key role in managing citizen identities in both the physical and the digital worlds - from birth, marriage and death certificates, through passports and driving licenses to national identity cards.
Of course we live in a global world. The realities of regional and international migration certainly create identity management challenges – but with global passport systems already well established mobility (and traceability) isn't the problem it once was.
Ultimately, to secure identity throughout the chain we need to begin (and trust) at the very bottom. And the Secure Identity Alliance is working with governments across the world to help them do just that.
