Passport to the Web

Our system for authenticating international travelers' identities is solid. Why can't we create a similar process online?

I’ve been thinking about identity recently. I’m in the middle of moving from Cambodia to Chile, with a month or so in the U.S. en route. So, of course, I’ve needed to prove to many, many people that I really am who I claim to be. There are some interesting contrasts between that process and the one we currently use for online identity.

The first identity check that I needed was upon departure from Cambodia. There were a few items that were used here, most importantly my passport and visa. The two had been previously linked by the government of Cambodia so that I could live there.

Cambodian officials checked my photo in my passport, checked my name in my passport, correlated my last arrival entry in the immigration database to my departure, and made sure that there weren’t any notes in the system relevant to my departure (e.g., was I fleeing from the police, did I overstay my visa, etc.).

The specific checks that were made (i.e., the authentication process) are interesting, but to me, the trust model was more important. The credential I presented – my government-issued passport – was linked to biometric data and my physical appearance, and the government of Cambodia trusted that the government of the United States did a good job of validating my identity before issuing the passport. I was identified by the immigrations officer as matching the passport, and the passport validated that I was allowed to stay for a certain period of time. Everything was OK.

The process of entry and departure for two other countries on my journey, Thailand and Japan, en route was similar. Upon my arrival in the U.S., the passport was used to validate my nationality, again using the immigration officer as the trusted intermediary to link my biometric data to my credentials. Once my identity was authenticated, I was authorized to enter the country.

So how does this compare to the online authentication process? Well, it doesn't, actually. This physical process is a very reliable one – certainly not foolproof, but close enough for national security purposes. It got me wondering: What would be required for such a process of identification and authentication online?

First, a trusted entity would need to issue a difficult-to-forge credential analogous to a passport. The obvious choice for this credential seems to be an X.509 certificate. The process of issuing a certificate could be similar to the process of issuing any other form of government ID, such as a driver's license or passport.

The resulting credential would be digital in format, and could be stored on a smart card, USB dongle, or some similarly portable device. It could have biometric data embedded (fingerprints, photos) or not, but the process of authenticating it would need to be well known and thoroughly tested.

The PKI needed to issue such a credential would, of course, be enormous. But as with all infrastructure projects, there isn’t much alternative to a governmental implementation. Nobody expects that highway systems can be reasonably constructed and maintained by the private sector. The government designs and funds the development, with implementation handled by private contractors.

When it comes to online authentication, however, we currently have the private contractors, but there is no real initiative to develop the infrastructure. As a result, every time I go to do an online financial transaction, I have to manage a separate identity document, which is usually quite pathetic, amounting to a username that I myself have chosen. If I could present the online organization with a government-validated identifier, it would simplify the process of establishing relationships with organizations, as well as improving security.

X.509 certifications allow for a hierarchy that would allow the federal government to simply sign certificates, leaving the remainder of the process to be handled by state or local governments. Why don’t we have anything like this yet?

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust and suffered through federal government security implementations. Special to Dark Reading

Recommended Reading: