SMS one-time-password no longer enough for national electronic health record

Example personalized conversion table

Although not a very pressing matter because the introduction Dutch national electronic health record is delayed due to privacy concern in the Dutch Senate (Eerste Kamer), there is now a change of mind with respect to how citizens have to authenticate themselves to access their own health record. The responsible ministry VWS asked PWC and Radboud University to re-assess if their assessment from December 2008 on using SMS one-time-password is still valid.  In Decmeber 2008 they assessed a two-factor user/password is secure enough (although with an added face-2-face registration step compared to the ‘normal’ DigiD level 2). The reason why VWS asked for this only a year and halve after the previous assessment is that a practical attack on the encryption algorithm A5/1 used in GSM seems increasingly likely. I guess most if not all experts agree that within a couple of years GSM SMSes are simply not a valid authentication means for any service that requires high security, see e.g. Govert.nl’s opinion. Certainly not as a single factor, but also not when combined a not-so-secure second factor like username/password.

To increase safety PWC/RU propose a third factor. This is a personalized conversion table that is, typically, send by snail mail to the user’s home address. Users have to use this conversion table to char-by-char replace the one-time-password with another character (see above for an example picture of conversion table). This may be an easy solution/work-around to implement, but I think is a usability nightmare since it basically means that users are required to become crypto algorithms! Without some user research showing otherwise I wouldn’t dare to recommend it. My colleague Martijn Oostdijk proposed today in a blog post to implement the conversion table as a SIM application on a mobile phone, that may help here. This of course requires the corporation of all three mobile operators in the Netherlands, this may not be trivial, quick or cheap to get.

The reason that this is all so complicated is because the Dutch citizen-2-government authentication solution DigiD is not really that secure. This may not have been needed so far, but with increasing likelihood of practical attacks of the SMS one-time-password, and government services needing higher levels of assurance, the current DigiD level 2 is simply not “good enough security” anymore. A likely candidate to make DigiD more secure is a smart card solution called eNIK, which adds a electronic authentication function to the new Dutch ID card. Plans for this exist already for quite some years, but hopefully they will be able to speed up this process, or find another solution in the near term. Since actual attacks to read SMSes are not here yet, I think we should use this time to come up with a better solution to make DigiD safer than a work-around which requires users to become crypto algorithms!!

One Response to SMS one-time-password no longer enough for national electronic health record

  1. […] At a high level they seem to have things under control. They use two-factor authentication (username/password and SMS one-time-password), combined with a face-2-face check where I had to show my passport (or ID card or drivers license). This is roughly the same as is proposed for patient access to their the national health record (at least, till eavesdropping of SMSes becomes to…). […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s