A Dutch government body responsible for establishing open standards for electronic exchange (Forum Standaardisatie) published a guide for government service providers to help them classify e-services to Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions in four levels. Since Novay was responsible for defining these levels in the EU STORK project, and we’ve helped several clients in applying STORK levels, we read this guide with great interest. In the text below we discuss the Levels of Assurance concept, and give our opinion on the guide.
We recently did an assessment of a so-called SIM augmented authentication token, or VASCO’s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to the SIM card instead of being ‘inside’ it.
So what is a SIM augmented authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card, so that it sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a ‘normal’ mobile app. This secret is used by an authentication application that also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal SIM application, and can work on basically any phone (smart or dumb). The only SIM augmented authentication token that I’m aware of is the above mentioned DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements an event-based one-time-password functionality, i.e., it generates a new code every time the user asks for it.
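The page does not describe the DigiPass Nano’s own algorithm, so as an added example (not VASCO’s, SURFnet’s or the report’s code) here is the standard event-based one-time-password scheme, HOTP from RFC 4226, together with the server-side check it needs. The failure mode specific to event-based tokens is shown as well: a user who presses the button a few times without submitting a code advances the token counter past what the server expects, so the server verifies against a small look-ahead window and, after a match, moves its counter past the matched value so a code can never be replayed. The secret is the RFC’s own test vector and the window size is an assumption for demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes a 6-digit RFC 4226 one-time password for a shared secret
// and a counter value (the number of times the button has been pressed).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation as specified in RFC 4226 section 5.3.
	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	return fmt.Sprintf("%06d", code%1000000)
}

// Verifier is the server-side state kept for one token.
type Verifier struct {
	Secret  []byte
	Counter uint64 // next counter value the server expects
	Window  int    // how many unsubmitted button presses are tolerated (assumed: 3)
}

// Verify accepts a submitted code if it matches one of the next Window+1
// counter values and then advances the counter past the matched value,
// so the same code is rejected on a second submission.
func (v *Verifier) Verify(code string) bool {
	for i := 0; i <= v.Window; i++ {
		c := v.Counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(hotp(v.Secret, c)), []byte(code)) == 1 {
			v.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test vector secret
	v := &Verifier{Secret: secret, Window: 3}
	for c := uint64(0); c < 4; c++ {
		fmt.Printf("press %d -> %s\n", c, hotp(secret, c))
	}
	fmt.Println("first code accepted:", v.Verify(hotp(secret, 0)))
	fmt.Println("same code again:   ", v.Verify(hotp(secret, 0)))
	fmt.Println("after 2 skipped:   ", v.Verify(hotp(secret, 3)))
}
```

A token that drifts beyond the window (say the user plays with the button on the train) has to be resynchronised out of band, which is the operational cost of the event-based design; the window is a trade-off between that support burden and the number of codes an attacker may guess per attempt.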
We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom-line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it is more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was ok, but the user experience of getting a one-time-password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menus. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use-cases. Or to put it differently, I’d do very careful usability optimizations/testing before deploying this to millions of consumers.
This assessment was joint work with my colleague Martijn Oostdijk, see his blog for more details, especially on the security aspect. The full report of our assessment is available via the SURFnet website. If you’re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our mobile-centric identity vision.
The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:
- secure storage of credentials under a “security domain” that is distinct from the other stakeholders (e.g. mobile operators, handset vendors),
- while at the same time the ability to use the user-interface of the user’s existing GSM handset,
- and, potentially, the use of the mobile phone’s GSM or 3G network.
As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.
The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see , apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (“IMEI lock”) or SIM (“IMSI lock”).
On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.
The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in ) where the authentication application on the handset is triggered over the air.
From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.
Interesting features to add could be:
- Lock the token to IMSI or IMEI (possible, according to )
- Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of an MNO or at least per-transaction costs)
- Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)
- Use the network to “blacklist” a token when a token is reported stolen
- Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)
The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see ) and other mobile app solutions.
Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.
The Dutch Banking Association (NVB) provided numbers on how much fraud there is in the Netherlands with internet banking (in Dutch). Since we’re doing a project called cidSafe for several companies in the financial sector in the Netherlands on consumer identity (see this recent presentation in English, or the website which is mostly in Dutch), I was very interested in these numbers.
The fraud with internet banking in NL is €4.3M for the first 6 months. Although I agree with the NVB that this in itself is not a huge number, the increase is very big. In the whole of 2009 the fraud was €1.9M, thus an increase of about 450%! By the way, victims of internet banking fraud are usually reimbursed by their banks, and all Dutch banks use two-factor authentication. Compared to the numbers recently released in Germany, internet banking fraud seems a somewhat bigger problem in the Netherlands than in Germany (with an estimate of €17M in 2010 about twice as much fraud as NL, but with 5 times more inhabitants). Also in Germany there is a big increase in internet banking fraud compared to 2009.
The NVB press release mentions phishing as the main method of fraud. I couldn’t find more details on this, but simple phishing of username/password won’t work since all internet banking services in NL use some form of two-factor authentication (smartcard or SMS one-time-password based). Malware attacks are becoming more advanced, as e.g. the recent “Zeus In The MObile” malware showed, which can even spread from desktop to mobile using social engineering. This article (sorry, again in Dutch) states that most attacks are a combination of relatively simple phishing or malware (keyloggers) with social engineering to get the second factor.
If the increase in internet banking fraud continues for a couple of years, this will become a very serious financial problem (€39M in 2011?, €174M in 2012?). Add to this the emotional impact on victims and reputation loss for banks, and this increase in fraud is something to worry about. The weakest links appear to be 1) the home PC (and smart phone) and people’s ability to keep this malware free, and 2) people being subject to social engineering attacks. The question for me is therefore what is more effective for banks to invest in:
- educating their customers, on the importance and ways to keep their PC/smartphone malware free, and to make them less susceptible to social engineering attacks, which will no doubt help but is not a silver bullet, or
- invest in technology, by providing more secure authentication means that are (not or) less sensitive to malware and social engineering attacks, which is very expensive and can be very annoying for users.
The alternative for banks is to wait and see if others (police, government, operating system vendors, anti-malware vendors etc.) will be able to counter this increase in internet banking fraud. This is however not what I expect them to do, as is also shown by the new awareness campaign by NVB.
I’m at the ISSE 2010 this week, which takes place in Berlin this year. I’ll share my impressions on two subjects that were hot (in the first two days, since I write this with one more day to go).
The ‘hottest’ item is the new German eID card (nPA), which will be issued starting 1 November. This is a ‘normal’ ID card, with an eID contactless chip. Technically the eID function seems to be better than what I’ve seen before, but more interesting for me was the business model behind it, and how they handle privacy.
With respect to the business model, it is interesting that it can be used for consumer-2-business authentication, thus increasing usage beyond citizen-2-government services. This is for free from the perspective of the relying party (aka service provider). Of course, running a so-called eID server to ‘talk’ to the eID card is not trivial, and much more complicated than becoming e.g. an OpenID relying party. There are companies ready to take care of this on behalf of the relying party; this will of course cost money. Citizens have to pay for the card, but since it is (I think) mandatory to have one …
With respect to the digital signature function, this is not present by default. A citizen has to go to a commercial party for this, i.e., a different business model for the signature function than for the authentication function. The reason seems to be that this is not considered a government responsibility (contrary to authentication/identification), and companies are already offering this as a service (I expect not a lot to consumers though). This probably also means that there will be only very few people that go to this trouble (and cost), and thus little coverage for consumers/citizens.
With respect to privacy: what is interesting is the ability to be a pseudonym-only authentication device, that relying parties need to register and motivate which attributes they want to read, user consent, and a proof-of-age function that does not reveal one’s age. Also interesting is that kids below 16 are not allowed to use it to identify themselves, for privacy reasons I assume (can’t trust those kids to know what they’re doing :-)).
The Germans live up to their reputation of being privacy-conscious with this new eID card, good for them. When looking at some of the details, they also live up to another reputation of being very sensitive to academic grades: Doktorgrad is a data field for the card… Not sure how important this is for security purposes though, but at least the border control or webshop can properly address “Herr Doktor” :-)
The big question is now if this takes off with both public and relying parties, and how long this takes. There are examples in other countries that were earlier, where this went very slowly or not at all (e.g., Belgium).
There were some, mostly German, talks on phishing and malware. Quite scary actually how this is progressing. Cybercrime seems to become more professional, and is scaling up. I’m a strong believer in “good enough” security, especially when it concerns damage that is ‘only’ money/fraud, contrary to privacy loss. To quote a number, the German government (Bundeskriminalamt) estimates a €17 million fraud for phishing/malware in Germany for online banking for 2010 (with €3500 average damage). This in itself is not a number that surprises me, it is even lower than I expected, but if the growing trend (71% up from last year!) continues the coming years this number will increase quickly. Of course, the costs to properly counter these threats, and the user-unfriendliness that often comes with it, are also huge.
I recently stumbled on a possibility offered by my pharmacy to get online access to my medication dossier (access to previously prescribed medication, functionality for repeat prescriptions). My pharmacy is part of a larger franchise chain in the Netherlands, and this Digital Medication Dossier is offered for all member pharmacies. In itself I think offering this online access is a good idea, I want to have easy access to medical information about me, including my medication… Also because national initiatives are going quite slowly, I appreciate innovation by individual healthcare providers. So I went to try it out. Of course, I was especially focused on how they handled the identity/authentication/privacy aspects.
At a high level they seem to have things under control. They use two-factor authentication (username/password and SMS one-time-password), combined with a face-2-face check where I had to show my passport (or ID card or drivers license). This is roughly the same as is proposed for patient access to the national health record (at least, till eavesdropping of SMSes becomes too easy).
There are however three major concerns that I want to discuss.
Re-use of identities. I have to create a separate identity just for this service. I will of course forget my password, have to remember to register a new phone number should this change, have to go there to show my passport etc. I want to re-use a previously established identity! As far as I can see there is no reason why they couldn’t use the Dutch national citizen-to-government identity solution DigiD level 2, possibly supplemented with a face-2-face check by themselves (this is lacking in current DigiD level 2, but is expected to be added for access to the national health record).
Sidenote: earlier this year NICTIZ asked me to write a whitepaper on how to deal with online identity for consumers/patients. It is available on their website (in Dutch, titled “e-identity: zorgeloze identificatie van zorgconsumenten”). I advocated the re-use of existing identities, including usage of DigiD (at an appropriate level of assurance). It is targeted at non-identity experts, such as policy makers in healthcare and people working for health providers that want to deploy e-health services. Related to this, an article in the Dutch ICT Zorg magazine has some interesting quotes on using DigiD for health services.
Reset of password by email: Another point is that when someone forgets their password, a new password is sent by email. This password is thus sent unencrypted (and it is only 4 chars). Not a good idea I think. What I consider worse than it being unencrypted is the risk this poses for people that lose their smartphone. If someone else has access to your smartphone, it typically means that the thief/finder has access to not only SMS messages but also email, since smart phones are typically set up to receive emails without requiring the user to provide a password. With increasing penetration of smartphones (about 1 out of 5 persons in NL and increasing) this is significant. Or put differently: I do NOT consider access to email and SMS as separate factors anymore.
HTTPS inside a frame: the privacy and security sensitive information is, I think, sent over a HTTPS connection. I checked this for one of the pages where this is the case, and suppose they did this for all other pages as well. This is however basically hidden from the user since the service runs inside an iFrame that is in a webpage that uses HTTP. The address bar therefore does not say “https”, and there is no “padlock” next to the address bar to click on to check the certificate. It is therefore not transparent for users if HTTPS is used, nor can they verify with whom the secure connection is set up. Even if lots of users won’t be aware, empowering users to check these things is the least we can do. In addition, the webpage displays a padlock-icon inside the page that, when you hover over it, says that SSL is used. This is training users the opposite of what we should train them. Phishers and other cybercriminals will be grateful.
My guess is that my pharmacy does it like this because the Digital Medication Dossier is actually offered through another company (Pharmeon), and offering it inside a frame is an easy way to integrate the Digital Medication Dossier in the website of the pharmacy. This is however not nearly a justification IMHO.
Especially my first two concerns could be addressed if they simply used a high-trust government (DigiD level 2+) or non-government federative identity solution. High-security non-government identity solutions for consumers are not yet available in the Netherlands, but we’re working on this in the cidSafe project.
UPDATE: update deeplink url to Nictiz whitepaper on 12 January 2011
UPDATE: and again on 26 May 2011
Although not a very pressing matter because the introduction of the Dutch national electronic health record is delayed due to privacy concerns in the Dutch Senate (Eerste Kamer), there is now a change of mind with respect to how citizens have to authenticate themselves to access their own health record. The responsible ministry VWS asked PWC and Radboud University to re-assess if their assessment from December 2008 on using SMS one-time-password is still valid. In December 2008 they assessed a two-factor user/password solution to be secure enough (although with an added face-2-face registration step compared to the ‘normal’ DigiD level 2). The reason why VWS asked for this only a year and a half after the previous assessment is that a practical attack on the encryption algorithm A5/1 used in GSM seems increasingly likely. I guess most if not all experts agree that within a couple of years GSM SMSes are simply not a valid authentication means for any service that requires high security, see e.g. Govert.nl’s opinion. Certainly not as a single factor, but also not when combined with a not-so-secure second factor like username/password.
To increase safety PWC/RU propose a third factor. This is a personalized conversion table that is, typically, sent by snail mail to the user’s home address. Users have to use this conversion table to char-by-char replace the one-time-password with another character (see above for an example picture of a conversion table). This may be an easy solution/work-around to implement, but I think it is a usability nightmare since it basically means that users are required to become crypto algorithms! Without some user research showing otherwise I wouldn’t dare to recommend it. My colleague Martijn Oostdijk proposed today in a blog post to implement the conversion table as a SIM application on a mobile phone, which may help here. This of course requires the cooperation of all three mobile operators in the Netherlands; this may not be trivial, quick or cheap to get.
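To make concrete what the proposal asks of users and of the server, here is an added example (my own illustration, not the PWC/RU design, whose exact table layout is not given here) of a conversion table modelled as a per-user random substitution of the ten digits. `Convert` is the step the user performs by hand on the SMS one-time-password; `VerifyConverted` is the server side, which knows both the OTP it sent and the user’s table. The table in `main` is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// Table is a personalised conversion table: entry d holds the character the
// user writes instead of OTP digit d. A digit-to-digit substitution is an
// assumption made for this example.
type Table [10]byte

// NewTable draws a random permutation of the digits with a Fisher-Yates
// shuffle driven by crypto/rand, so that every user gets a different table.
func NewTable() (Table, error) {
	var t Table
	for i := range t {
		t[i] = byte('0' + i)
	}
	for i := len(t) - 1; i > 0; i-- {
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return Table{}, err
		}
		t[i], t[j.Int64()] = t[j.Int64()], t[i]
	}
	return t, nil
}

// IsPermutation reports whether every digit occurs exactly once in the table,
// i.e. whether the table is usable at all.
func (t Table) IsPermutation() bool {
	var seen [10]bool
	for _, c := range t {
		if c < '0' || c > '9' || seen[c-'0'] {
			return false
		}
		seen[c-'0'] = true
	}
	return true
}

// Convert is what the user does by hand: replace each digit of the SMS
// one-time password by the entry for that digit in the table.
func (t Table) Convert(otp string) (string, error) {
	out := make([]byte, len(otp))
	for i := 0; i < len(otp); i++ {
		c := otp[i]
		if c < '0' || c > '9' {
			return "", errors.New("OTP must consist of digits only")
		}
		out[i] = t[c-'0']
	}
	return string(out), nil
}

// VerifyConverted is the server side: it converts the OTP it sent with the
// user's table and compares the result to the submitted code in constant time.
func VerifyConverted(t Table, sentOTP, submitted string) bool {
	expected, err := t.Convert(sentOTP)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

func main() {
	// Constructed sample table: 0->3, 1->9, 2->0, 3->7, 4->1, 5->8, 6->5, 7->2, 8->6, 9->4.
	sample := Table{'3', '9', '0', '7', '1', '8', '5', '2', '6', '4'}
	converted, _ := sample.Convert("123456")
	fmt.Println("user writes:", converted)
	fmt.Println("server accepts converted code:", VerifyConverted(sample, "123456", converted))
	fmt.Println("server accepts raw SMS code:   ", VerifyConverted(sample, "123456", "123456"))
	fresh, err := NewTable()
	fmt.Println("fresh table is a permutation:", err == nil && fresh.IsPermutation())
}
```

Note the limit of this third factor: the table is static, so every (SMS code, submitted code) pair an eavesdropper observes reveals the table entries for the digits in that code, and a six-digit OTP exposes up to six of the ten entries at once. It raises the bar for a one-off SMS interception, not for an attacker who can watch several logins.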
The reason that this is all so complicated is because the Dutch citizen-2-government authentication solution DigiD is not really that secure. This may not have been needed so far, but with the increasing likelihood of practical attacks on the SMS one-time-password, and government services needing higher levels of assurance, the current DigiD level 2 is simply not “good enough security” anymore. A likely candidate to make DigiD more secure is a smart card solution called eNIK, which adds an electronic authentication function to the new Dutch ID card. Plans for this have existed for quite some years, but hopefully they will be able to speed up this process, or find another solution in the near term. Since actual attacks to read SMSes are not here yet, I think we should use this time to come up with a better solution to make DigiD safer than a work-around which requires users to become crypto algorithms!!
Two things happened today that made me think about how current measures against identity theft are so very naive. The first is a US bank that I’m a customer with. I hardly ever log in on their website, and of course had forgotten the password. To assure that I am myself, I had to provide two answers about myself that I’m sure many (10s or 100s of) people know, and many more can very easily find out (including place of birth, which I had to put on page 5 of my PhD thesis that is publicly downloadable). And since the web interface did not allow me to do what I wanted (to terminate the account), I had to call them. During this call I had to provide those two same answers, plus my home address (which is listed in the phonebook). The funny thing is that I had to provide these answers twice during the same phone call, which did not make me feel more secure at all …
This type of static knowledge authentication is simply NOT suitable to authenticate any transaction that requires more than a very minimal level of assurance, and it is very naïve to use it for online banking (see also).
The second thing that happened today is a commercial I saw from the Dutch government, part of a campaign for a safer internet (“Veilig Internet. Heb je zelf in de hand”). The campaign seems to focus on people’s own responsibility to prevent identity theft. The commercial however was very limited, stating that people should change their password once in a while, and make sure who you email your personal data to. The first recommendation is very naïve because 1) I’m convinced people don’t do this unless forced to and 2) it doesn’t help much against e.g. malware, phishing or using the same password at many sites. The second recommendation assumes that personal data is used to authenticate yourself, which it simply shouldn’t be (see the first paragraph).
Although I welcome the attention that this campaign brings to the issue of identity theft, I wonder if spending more energy and time on better authentication and identity solutions for the internet wouldn’t be more effective than this campaign.
Together with my colleague Martijn Oostdijk (see also his post) we did a project on Mobile PKI technology. We did a technology assessment, focusing on security and also usability, and consulted our client SURFnet on its application for higher education and research.
It proved to be a very interesting project, not only because of the interesting and promising technology, but also because we are advocating what we call mobile centric identity, and Mobile PKI is a good example of “use your mobile phone as an authentication device”. We concluded that Mobile PKI is both a secure and usable technology, and that the main issue is the business model (since the SIM is owned by the mobile operator).
The report that came out of the project is publicly available: in Dutch and in English. Among others, SURFnet employees Roland Rijswijk and Joost van Dijk also provided input and feedback on this report. Below I’ve copied the management summary.
A GSM/UMTS telephone has a SIM card. This is a standardised smartcard that is issued to the user by the telecom operator and is primarily used to authenticate the user on the mobile network. However, the SIM card has more potential uses. For instance, it allows for secure storage of digital keys that can be used for online authentication and digital signatures. This is referred to as Wireless PKI and Mobile PKI.
This report is an assessment of Mobile PKI technology and its potential application for authentication in education. This assessment focuses on its security and its application within the educational domain, with a specific emphasis on applications for SURFfederatie.
Mobile PKI employs encrypted SMS text messages that are used to represent authentication or a digital signature. The user has to express consent by entering a PIN code that secures the private key and which typically needs to be entered for each transaction separately. The relevant standards for this are well established and are supported on all mobile phones. This has advantages compared to other secure means of authentication. For instance, no additional authentication device is required, which also means that no software needs to be installed by the user on either the phone or on other client devices such as a PC. Neither is there a need to manually enter codes, as in the case of one-time passwords via SMS text messages. This improves user-friendliness. Malware such as viruses and key loggers that may have been installed on a PC cannot interfere with Mobile PKI.
This report considers the issue whether Mobile PKI is a secure means of authentication. The analysis identifies a “man in the middle” channel. However, the authors of this report deem Mobile PKI to be more than sufficiently secure compared to other means of authentication and considering the kind of applications in (higher) education.
In our view the most important issues regarding Mobile PKI technology are not related to security or technology but have to do with the costs and the business model. In the Netherlands, Mobile PKI technology has only been deployed for limited pilots and it is therefore difficult to estimate the costs. These could turn out to be too high for many applications in the educational domain if there are no other large-scale deployments of Mobile PKI. A related aspect is the business model. Use of this technology requires the cooperation of the mobile operator, who is the owner of the SIM card. This means that the cooperation of all mobile operators is required for a large-scale deployment.
The final conclusion of this report is that Mobile PKI provides a secure means of authentication that in time will find wide application within the educational domain in the Netherlands. For the near future Mobile PKI will only be employed for services that require a high standard of security and that are used by a limited group of employees due to a) the expected costs, b) insufficient insight into the business model, and c) limited support from the mobile operators. It seems too early for a deployment for students or for general authentication for SURFfederatie or any other large-scale application for SURFnet, Kennisnet or other service. In the meantime it may be useful to consider one-time passwords via SMS text messages as step-up authentication or for password reset because this is cheaper and prepares users for Mobile PKI.
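To show what the summary above means by an SMS “representing” an authentication and by consent through a PIN, here is an added example that is not from the report or from any Mobile PKI product. It models the two ends of the exchange: a `SimApplet` that keeps an ECDSA private key on the card, releases it only after the correct PIN (with a try counter that blocks the PIN, as real SIMs do) and signs the challenge text it received; and a `Server` that issues single-use challenges and verifies the returned signature against the registered public key. The SMS transport and its encryption are left out; P-256 ECDSA, the 3-try limit and the challenge format are assumptions of this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SimApplet models the Mobile PKI applet on the SIM. The private key never
// leaves the card and is only used after the user has entered the PIN.
type SimApplet struct {
	priv      *ecdsa.PrivateKey
	pin       string
	triesLeft int
}

// NewSimApplet personalises a card: fresh key pair plus the user's PIN.
func NewSimApplet(pin string) (*SimApplet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimApplet{priv: priv, pin: pin, triesLeft: 3}, nil
}

// PublicKey is what the identity provider registers at enrolment.
func (s *SimApplet) PublicKey() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign is what happens when the challenge SMS arrives: the applet shows the
// text, asks for the PIN and, if it is correct, signs SHA-256 of the text.
// Three wrong PINs block the card (assumed limit).
func (s *SimApplet) Sign(text, pin string) ([]byte, error) {
	if s.triesLeft == 0 {
		return nil, errors.New("PIN blocked")
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		s.triesLeft--
		return nil, errors.New("wrong PIN")
	}
	s.triesLeft = 3
	digest := sha256.Sum256([]byte(text))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Server models the identity provider that talks to the card.
type Server struct {
	pub     *ecdsa.PublicKey
	pending map[string]string // nonce -> challenge text awaiting a signature
}

func NewServer(pub *ecdsa.PublicKey) *Server {
	return &Server{pub: pub, pending: map[string]string{}}
}

// Challenge creates a fresh single-use challenge. The returned text is what
// would go to the SIM in the SMS; the nonce identifies the session.
func (sv *Server) Challenge(purpose string) (string, string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", "", err
	}
	nonce := hex.EncodeToString(b[:])
	text := fmt.Sprintf("%s [%s]", purpose, nonce)
	sv.pending[nonce] = text
	return nonce, text, nil
}

// Verify checks the signature over the exact challenge text that was sent and
// retires the nonce, so a captured signature cannot be presented twice.
func (sv *Server) Verify(nonce string, sig []byte) bool {
	text, ok := sv.pending[nonce]
	if !ok {
		return false
	}
	delete(sv.pending, nonce)
	digest := sha256.Sum256([]byte(text))
	return ecdsa.VerifyASN1(sv.pub, digest[:], sig)
}

func main() {
	sim, _ := NewSimApplet("1234")
	sv := NewServer(sim.PublicKey())
	nonce, text, _ := sv.Challenge("Login to SURFfederatie")
	sig, err := sim.Sign(text, "1234")
	fmt.Println("signed:", err == nil, "verified:", sv.Verify(nonce, sig))
	fmt.Println("replayed signature accepted:", sv.Verify(nonce, sig))
}
```

Because the signature covers the full challenge text, the “man in the middle” the report mentions cannot substitute a different transaction for the one the user saw and approved with the PIN; what such an intermediary can still do is relay or suppress messages, which is why the server only ever accepts a signature for a challenge it issued itself and only once.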
In both the EU and the US there is a lot happening on how citizens identify themselves for e-government services, especially the STORK project in the EU, and the ICAM work in the US. Their approaches to e-government identity are drastically different, but I’ll focus in this post on what they share: levels of assurance. Basically, level of assurance refers to how certain an identity provider is w.r.t. the identity of the user, which depends on both the used authentication means and the identity binding process (see, e.g., here for an informal explanation). Both sides of the ocean use (more or less) the same four levels that originate from NIST:
- Level 1: Little or no confidence in the asserted identity’s validity.
- Level 2: Some confidence in the asserted identity’s validity.
- Level 3: High confidence in the asserted identity’s validity.
- Level 4: Very high confidence in the asserted identity’s validity.
Looking at the US profiles for OpenID and InfoCard, what got my attention right away is that OpenID is only permitted for level 1 (i.e., no confidence), and that InfoCard is permitted for levels 1 to 3 (I couldn’t find the levels for SAML). This seems to me a good decision, OpenID is much less secure than InfoCard, and (in its current version) should IMHO only be used for low security e-services. I had a brief discussion with my colleague Bob Hulsebosch, who was the main author of the STORK D2.3 deliverable (Quality Authenticator Scheme) that describes the mapping of the different national authentication levels to the STORK (NIST based) levels. My conclusion from this discussion is that I’m not convinced of the need for an assurance level 1 solution for e-government, and, as a consequence, of the usefulness of OpenID for e-government. Most e-government services I expect are level 2 and up. This is also confirmed by the fact that many EU countries (including the Netherlands) do not have a level 1. Also the examples in the US document “E-Authentication guidance for federal agencies” for level 1 seem somewhat far fetched IMHO. And even if there are some significant e-government services for which level 1 would be ok, then still InfoCard would be much preferred because of its support for higher levels as well.
Of course, I only follow the US e-government identity discussion from a distance, and maybe there are excellent reasons for supporting a level-1-only scheme. Anyone who has a pointer to an explanation for this, please send this to me. Also a motivation for the Levels of Assurance decisions for OpenID, InfoCard and SAML is very welcome.
What I didn’t cover explicitly in this post is the very interesting choice to support all three major identity (federation) standards OpenID, InfoCard and SAML. Most (all?) governments that I’m aware of use only SAML.