Skip to Content

You are in the AGIMO archive | Archive Home Page | Return to the AGIMO website | Contact Us

AGIMO archive > Publications (NOIE) > 2002 > July > Online Authentication - A Guide for Government Managers > Authentication

The Australian Government Information Management Office Archive

The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.

Authentication

2.1 What is it and why is it needed?

Authentication is the solution to the need for certainty in the identity of the other party to a transaction. Where services are provided via traditional, non-electronic systems, various authentication mechanisms are used. Clients are required to sign forms or letters or other types of correspondence as proof that they supplied the information contained in those documents. Clients may be required to supply an identification number or a case number, and they may be required to provide evidence that they are who they say they are, such as a driver's licence or a birth certificate. In some cases, clients may need to attend the relevant government office in person.

Most of these methods will not work online. Where services are provided online, agencies will need to reassess how they authenticate users. Notably, the use of existing methods of authentication requiring physical presence may reduce or eliminate the convenience of the online service.

Failure to properly authenticate a transacting party may lead to situations such as the illegal transfer of funds, unauthorised ordering of goods or the mischievous alteration of data. Authentication therefore underpins confidence in electronic transactions and is a vital component of e-commerce, which depends upon transactions being accepted as valid and binding.

Broadly speaking, authentication relies on one or more of the following:

These can be implemented in a number of ways, as described in the following section.

It is important to note that authentication is not the same as security. Authentication must operate in conjunction with an organisation's overall security framework.

2.2 What alternatives are there?

An organisation may implement online authentication in a number of ways, including:

Each method or technology has its own strengths and weaknesses, including cost and ease of implementation and use. They may also be used in combination.

2.2.1 Passwords, PINs and User IDs

The most common method of authentication for computer systems today is password based. In its report, A digital certificate road map, research company Forrester calculates that 98 per cent of companies still use passwords as the primary method of authentication internally. A roughly similar percentage of e-business sites use passwords as the primary method of client authentication. Outside of traditional IT systems, magnetic stripe cards are the most pervasive authentication technology.

For example: When entering a password-protected website, the client would be asked for a User ID and password which has been supplied to them via email. If the password and User ID match, access is granted. These details must be entered correctly each time the site is accessed, ensuring it can only be viewed by authorised users.

Under a password system, a client accessing an agency's electronic application is requested to enter a 'shared secret' such as a password or PIN number along with their User ID. (The secret is shared as it is known both to the user and the system.) The system checks that password against information in a database to ensure its correctness and thereby 'authenticates' the client. Multiple passwords and password encryption may be utilised to strengthen this technique.

User IDs are usually used in combination with passwords. They are generally created from easily remembered or referenced information known to the client and an agency. The User ID is not necessarily kept private and may be made up of several simple pieces of information. For example, John Smith may have the User ID 'jsmith'. User IDs may also contain numbers to help distinguish between clients with similar or identical names e.g. 'jsmith572'.

Typically, password based authentication requires no third party products or services. It is thus much cheaper to implement than most rival systems. However, it only provides a limited degree of authentication, and relies on users keeping their passwords secret.

Good password management contributes to the reliability of authentication systems. Password policies generally cover the following elements:

User awareness of the need to protect and maintain passwords is essential to maintaining good password practice. Consider whether the system will be accessed often enough to eliminate the risk that users will forget their passwords and need to have new passwords issued. In some cases, the costs involved in resetting and reissuing forgotten passwords can be substantial.

Agencies may wish to develop their password management practices based on a risk assessment. The Defence Signals Directorate (DSD) has provided an example in ACSI 33 Handbook 3 - Risk Management.

For more information, visit: http://www.dsd.gov.au/infosec/acsi33/HB3.html

2.2.2 One-time passwords

Because passwords can be lost, forgotten or stolen, they are not suitable for some applications. A one-time password eliminates this risk by using a hardware device that generates a unique password to be entered each time the application is accessed.

For example: When entering a website protected by a one-time password, the client could be asked for a password that is automatically generated by a connected piece of hardware. This password must be associated with a unique User ID. If the appropriate password and User ID match, access is granted.

A token of this type might use a symmetric key (see 2.2.6) to generate the passwords. The agency's IT system knows which password is valid at that time for that user. This process makes it difficult for unauthorised individuals to access or determine the password at any given time. However, all clients would need to be issued with suitable hardware and software systems, which could increase costs significantly.

For more information on one-time passwords, visit: http://www.rsasecurity.com/products/securid/tokens.html

2.2.3 Challenge and response systems

This authentication method can be implemented either manually (using registered information) or automatically (using a hardware device or token). In a manual process a customer might enter a User ID and password to gain initial access to a system. They could then be asked to respond to a random challenge that is based on information in their client record, or on 'secret' phrases lodged with the agency.

For example: When entering a challenge and response website, the client will first be asked for a User ID and password. They would then be asked for unique information, such as the middle name of their second child. If all data matches, access is granted.

An automatic method could be based on asymmetric cryptography (see 2.2.7). For example, clients would be issued with a private key on a hardware device. The associated public key would be securely held by the agency. When logging in, the client would enter their User ID and password. The agency would then automatically send a random number for the user to key into their device. The device employs the private key to process the random number and produces a result which the user enters into the agency's login process. If the agency is able to retrieve the original random number by reversing the process with the corresponding public key, then the client is authentic.

For more information on challenge and response systems, visit: http://webopedia.internet.com/TERM/C/challenge_response.html

2.2.4 Cookies

A cookie is a small piece of data that is placed on the user's hard drive by some websites. This piece of data acts as a form of authentication to identify the user when the user next enters the same website.

For example: When entering a password-protected website, the client is asked for a User ID and password. When these are verified the website downloads a cookie to the client's hard drive, saving the login details. When the client next enters the website the cookie activates the login details so that the client does not have to enter this information again.

Not only can cookies help websites recognise returning users, they can provide access to specific resources, track online purchases or provide customised web pages. Properly used, cookies can greatly enhance the user's experience of web resources and increase convenience. However, it is possible for cookies to be used to track the activities of users over time and across different websites. Where cookies are linked with personal identification information, they can be used to track the browsing habit of individuals. Stolen cookies can also be used to gain access to resources.

Misuse of cookies raises obvious privacy and security issues, and because of this some users may be reluctant to visit government sites that use cookies. Before making use of cookies agencies should conduct an assessment to identify the relevant risks and benefits. If cookies are used, it should be mentioned in the website privacy statement.

Agencies considering the use of cookies can find more information in the NOIE Better Practice Checklist Number 4. Visit: http://www.noie.gov.au/projects/strategy/better_practice/checklists/4_cookies%20.htm

2.2.5 Biometrics

Biometric technologies use physiological or behavioural characteristics to identify an individual. Examples include iris scans, retina scans, facial scans, finger scans, hand geometry, voice verification and dynamic signature verification.

Unique physical characteristics such as voice patterns, fingerprints and the blood vessel patterns on the retina of one or both eyes can be converted into digital form and interpreted by a computer. Among these are voice patterns (where an individual's spoken words are converted into a special electronic representation), fingerprints and the blood vessel patterns present on the retina (or rear) of one or both eyes.

With biometric technology, the physical characteristic is measured (by a microphone, optical reader or some other device) and converted into digital form. This information is then compared with a copy already stored in the computer and authenticated as belonging to a particular person. If they match, the authentication will be accepted by the software and the transaction allowed to proceed.

For example: Before being allowed to access a secure PC, a client passes their finger through a scanner. This fingerprint is compared to one stored in the system. If they match, access is granted.

Biometric applications can provide very high levels of authentication, especially when the identifier is obtained in the presence of a third party to verify its authenticity. However, as with any shared secret, if the digital form is compromised, impersonation becomes a serious risk. As with passwords or PINs, such information should not be sent over open networks without being encrypted or otherwise protected.

As well, measurement and recording of a physical characteristic can raise privacy concerns. If biometric data is compromised, substituting a different, new biometric identifier may have limitations. For instance, you may be able to employ the fingerprint of a different finger but people only have one voice.

Agencies need to verify the identity of the individual using conventional methods prior to employing the biometric solution. This may include the presentation of a birth certificate or some other appropriate identification method to satisfy the agency that the individual is who they say they are.

Biometric authentication is best suited for access to individual devices. It is less suited for authentication to software systems over open networks such as the Internet.

Applications for biometrics include automatic teller machine access, personal computer network logon, time and attendance, enterprise-level data security, physical access and customer verification.

Biometrics is currently used in a number of government applications in the United States. The Commonwealth Scientific & Industrial Research Organisation (CSIRO) is also investigating applications for this technology.

For more information on biometric authentication, visit: www.biomet.org and http://www.csiro.gov.au/index.asp?type=achievement&id=Services_ Biometrics for tomorrows industry

2.2.6 Conventional encryption

Conventional encryption is a form of cryptography (the encoding and decoding of text). It is sometimes referred to as 'symmetric cryptography'.

The system uses a secret key, which is a computer file that includes a mathematical value. This can be used in conjunction with an algorithm to encrypt or decrypt a message. Conventional encryption is used for both encryption and decryption of information, and can be performed very quickly by modern PCs.

However, there are problems associated with secure key distribution. For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier or some other secure communication medium to prevent the disclosure of the secret key during transmission. This can be expensive in cost and resource terms.

2.2.7 Public key cryptography (digital certificates)

The problems of key distribution associated with conventional encryption are solved by public key cryptography. Public key cryptography uses separate pairs of keys for authentication (or signing) and encryption (or confidentiality). The key pairs are referred to as public keys and private keys. Public key cryptography is often referred to as 'asymmetric', as the public and private keys are different.

Public key cryptography handles authentication and encryption in the following fashion:

Authentication (or signing). When using an authentication key pair, you publish your public key to the world while keeping your private 'signing' key secret. Anyone with a copy of your public key can decrypt something encrypted with your private 'signing' key. This will provide them with a level of assurance of your identity. On its own, the public key cannot be used to sign a document; it can only be used to verify who has signed it.

Encryption (or confidentiality). In the same fashion, to use an encryption key pair you publish your public key to the world while keeping your private 'confidentiality' key secret. Anyone with a copy of your public key can then encrypt information that only you can read. The information encrypted with your public 'confidentiality' key can only be decrypted using your private 'confidentiality' key.

The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.

Several prominent authentication solutions make use of public key cryptography. These include PKI, PGP and SSL/TLS, each of which is discussed below.

2.2.7.1 Public Key Infrastructure (PKI)

PKI is a set of procedures and technology that enables users of a network such as the Internet to authenticate identity, and to securely and privately exchange information through the use of public key cryptography. To achieve this, public and private keys and a digital certificate can be obtained through a trusted third party authority, known as a Certification Authority (CA). The CA links the public key to the digital certificate and vouches for the identity of the key holder. Registration Authorities (RAs) collect and manage the appropriate levels of Evidence of Identity (EOI) from applicants for digital certificates. Dependent upon the PKI business model employed, appropriately accredited RAs may also create keys and certificates.

The use of PKI ensures authentication, integrity, non-repudiation and confidentiality for e-commerce applications.

These features are provided with some or all of the following systems:

2.2.7.2 Pretty Good Privacy (PGP)

PGP is a security software application that enables you and known transacting parties to exchange information securely with each other. PGP can be utilised for small groups of people who know each other and wish to communicate securely. In these instances it is easy to manually exchange diskettes or emails containing each owner's public key rather than publishing public keys to the world. Each member of the group holds a copy of each other's public key.

Difficulties associated with holding large numbers of public keys means that PGP is practical only to a certain point. Beyond that point, it is necessary to put systems into place that can provide the necessary security, storage and exchange mechanisms for co-workers, business partners or strangers to communicate if need be. PKI systems (discussed above) provide these kinds of features.

While PGP is a widely used technology, implementations can vary widely. Therefore PGP is not listed on the Defence Signals Directorate (DSD) Evaluated Products List. For further advice on the use of PGP in any application, consult with the Information Security Group at DSD.

For more information on PGP, visit: http://www.pgpi.org

2.2.7.3 SSL and TLS

The Secure Sockets Layer (SSL) protocol is a set of rules governing authentication of servers (such as web servers), and encrypted communication between clients and servers. The protocol was developed to secure the transmission of data over the Internet.

The authentication process under SSL uses public key encryption and digital signatures to confirm that a server is in fact the server it claims to be. It does not authenticate the user. Once the server has been authenticated, the client and server use techniques of symmetric key encryption to encrypt the information they exchange. A different session key is used for each transaction. This impedes a hacker's ability to decrypt messages.

It should be noted that SSL and Transport Layer Security (TLS) only provide confidentiality and integrity for the server. They do not provide non-repudiation and unless supported by a combination of appropriate private key protection, user willingness and ability to validate digital certificates, they do not provide effective authentication.

SSL is well known because of its use in Netscape Navigator and Internet Explorer web browsers. In May 1996, development of SSL became the responsibility of an international standards organisation, the Internet Engineering Task Force (IETF), which develops many of the protocol standards for the Internet. TLS, an enhanced version of SSL, was released in early 1999.

SSL is a widely used technology and versions of the product may be suitable for use by Commonwealth agencies. However, SSL implementations can vary widely and therefore SSL is not listed on the DSD Evaluated Products List. If further advice is required on the use of SSL in any application, consult with the Information Security Group at DSD.

Information and guidance on use of SSL by agencies is available from the DSD website: http://www.dsd.gov.au/infosec/publications/SSL_policy.html

2.2.8 Australian Business Register (ABR) and Australian Business Number (ABN)

Agencies wishing to authenticate the existence of a business can look up the ABR to associate a business name with an ABN. The ABR contains all the publicly available information provided by businesses when they register for an ABN. It was established under s.24 of the A New Tax System (Australian Business Number) Act 1999.

The ABR is a publicly available register of businesses. Its benefits are:

An ABN is an 11 digit number issued by the Australian Business Registrar, currently the Commissioner of Taxation. If an enterprise already has an Australian Company Number (ACN), their ABN will consist of two digits plus their existing ACN. Unincorporated and new enterprises will be given a new ABN by the Australian Business Registrar. To be entitled to an ABN a business must be:

For more information, visit: http://www.abr.business.gov.au

Legal Notices