Guidelines for Identification and Authentication
As is the case with many privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires, with a limited number of specific exceptions, that an organization only disclose personal information with the consent of the individual to whom the information relates. In addition, PIPEDA requires that organizations protect personal information with security safeguards appropriate to the sensitivity of the information. In order to comply with these requirements, organizations may need to be able to identify their customers and clients.
Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures, but only if they are appropriately designed given the sensitivity of the information and the risks associated with the information. Overly rigorous authentication processes, or requiring individuals to authenticate themselves unnecessarily, can be privacy-intrusive.
This document is intended to help organizations devise methods of identifying and authenticating customers in ways that respect the fair information practices in PIPEDA and ensure compliance with its security provisions by providing the strongest protection for customers’ personal information.
The scope of the document is limited to identification and authentication techniques between organizations and individuals. Business-to-business (B2B) authentication is beyond the scope of the guide. For specific advice on authentication in an electronic environment see “Principles for Electronic Authentication: A Canadian Framework” developed by a multi-stakeholder working group led by Industry Canada, http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00240e.html.
Although the guidelines are primarily intended to deal with authentication between organizations and individuals, organizations should have authentication processes in place to authenticate employees who have access to customer or client personal information. For example, organizations should have a means to authenticate employees to deal with situations such as an individual posing as an employee to obtain access to customer records.
The terms identification and authentication are frequently used interchangeably but in fact mean different things.
Put very simply, identification involves a claim or statement of identity: “I am John Doe,” “I am the customer associated with this account,” etc. Authentication is a verification of that claim.
Many businesses need to identify their customers. While some transactions (retail sales, for example) can be concluded in complete anonymity, many other transactions require that the business knows with whom it is dealing.
Identifying a customer allows a business to ensure that the customer’s transactions are associated with the correct account, and that records of a customer’s transactions are retrievable. The identity that is attached to the customer need not be a “real world” identity such as a name (e.g., John Doe). It could just as easily be an identity created for the purposes of the business relationship (e.g., customer A167).
When someone presents themselves to the business and claims to be a customer with whom the business has a relationship, the business typically needs to authenticate that claim. This is especially critical if the person wants to conduct a transaction on the customer’s account, or obtain records relating to the account.
The information age is dramatically changing the ways and situations in which individuals are identified and authenticated.
As societies and economies have become more complex, and social and economic interactions more impersonal, identifying and authenticating customers has tended to rely less on personal relationships and more on things that theoretically only the customer knows such as a password, or that only the customer will possess, such as an identification card. Authentication in the information age is critical to countering new and emerging threats to the individual, including identity theft, monetary fraud, and loss of privacy.
Designing identification and authentication systems involves some delicate balancing.
- Security requirements need to be balanced with convenience and operational requirements. Organizations authenticating individuals want to be able to do so quickly and effectively. Identification and authentication processes must be stringent enough that an impostor is unlikely to be successful without being overly complex or likely to be perceived as overly intrusive by the customer.
- Customers need assurance that authentication processes are sufficiently effective and stringent that an impostor cannot easily defeat them to invade their privacy, or steal their identity or money. At the same time, an authentication process that falsely rejects legitimate customers can also create problems both for individuals and organizations, particularly those in competitive markets.
- An organization needs enough information about individual customers to identify them and authenticate their identity, but needs to ensure that it does not collect, use, or retain unnecessary personal information that intrudes on personal privacy.
One way to help achieve this balance is by involving the customer. As discussed below, authentication processes must take into account the sensitivity of the information and the risks associated with that information. Similarly, they also need to reflect that individuals will have different expectations and needs. Organizations cannot take a one-size-fits-all approach to authentication.
One-, Two- and Three-Factor Authentication
Authentication is often discussed in terms of the three factors of authentication (that is, three different kinds of things that can be used to authenticate an individual):
- Something that is known to the individual (for example, a password, a personal identification number or PIN, an account number, favourite colour, name of first pet);
- Something that the individual has (for example, a bankcard, token, identity card, public-key digital certificate); and
- Something that the individual is (for example, a biometric, such as a facial image, retina scan or voice print) or does—a signature.
In some cases, any one of these factors can be used alone to authenticate an individual; in others, combinations are used. For example:
- Access to e-mail using a password: This represents a single-factor authentication process that relies on something the individual knows.
- Access to a physically secure area using an identity card with an embedded chip (a smartcard) and a hand-scan biometric: This represents a two-factor authentication process: it relies on something the individual has (the smartcard) and something the individual is (the biometric).
- Access to a secure area using a valid magnetic strip card, a four-digit PIN code and a hand-scan biometric: This represents a three-factor authentication process: it relies on something that the individual knows (the PIN), something that the individual has (the card), and something that the individual is (the biometric). All three factors must be satisfied in order for the individual to gain entry.
True two-factor or three-factor authentication requires using elements from two or three of the above categories. Authentication based on two elements from the same category, for example an account number and a password—both things that someone knows—is more appropriately referred to as “multi-layer authentication.”
Risk and Threats
Identification and authentication are fundamentally about the management of risk:
- The risk to the organization of, through bad authentication practice, either denying access to a legitimate customer or giving access to an impostor;
- The risk to individuals that their personal information is lost or inappropriately disclosed, and that their identity, finances, and privacy are compromised.
“Risk” should always be understood to have two aspects: the likelihood of an event occurring and the severity of the consequences if it does occur. Proper risk management requires that both aspects are considered.
In the information age, the threats to personal information are constantly changing and new threats are emerging. As the threats evolve and are better understood, organizations should adapt their policies and practices to manage these new risks.
Some threats involve sophisticated scams that rely on information and communication technologies. For example, with the growth of Internet use and e-commerce, we have seen the emergence of “phishing,” where individuals are tricked into believing that they are being asked by e-mail to verify certain authentication or personal information with a service provider, usually their financial institution. Clicking on the link provided in the fraudulent e-mail will typically route the victim to a web site that looks authentic and familiar but is in fact fraudulent. At this apparently authentic web site, the individual enters their authentication information (e.g., their identifier and password). This authentication information is then routed from the fraudulent web site to the fraudsters, without any obvious indication to the victim that it has been diverted. The fraudsters then use this authentication information to their benefit and to the victim’s loss.
This demonstrates an inherent risk in using e-mail to send information to the customers because the receiver of an e-mail cannot readily authenticate the sender—the e-mail address is simply an identifier. The receiver needs other information in order to validate the message (and the sender) as authentic. Furthermore, the receiver has little assurance that the information he or she receives is what was sent and that it has not been intercepted and changed before receipt.
Never using e-mail to request validation of authentication information is one way to mitigate this risk. If e-mail is used, multiple-factor authentication processes, “one-time” passwords or shared secrets, and public-key certificates would manage this threat and greatly reduce the risk to both the individual and the organization.
At the same time, organizations should not overlook more conventional “low-tech” threats. For example, a significant amount of identity theft is perpetrated by someone who knows the victim. The identity thief could be a family member or a co-worker who knows many of the “personal identity facts” of the victim, for example, a date of birth or a mother’s maiden name, and who may have access to the victim’s personal effects, for example, a wallet or purse, containing bankcards or a SIN card.
Processes that use personal identity facts, or one-factor authentication, are more easily taken advantage of by insiders who know the victim. The use of multiple-factor authentication and personal authenticators that do not involve personal identity facts can help mitigate this type of threat and greatly reduce the risk to organizations and their customers.
In summary, risk needs to be assessed in relation to the sensitivity and value of the service or information that the individual is accessing, the threats to the service or information—theft, unauthorized disclosures etc.—and vulnerability. Identification and authentication risk analysis is often a complex and structured process that needs to reflect the enterprise’s culture and needs to be regularly re-assessed.
Guidelines for Identification and Authentication
The following guidelines are intended to help organizations develop appropriate identification and authentication processes. As stated above, the scope of these guidelines is identification and authentication techniques between individual citizen/consumers and organizations.
Only Authenticate when Necessary
An individual’s identity should only be authenticated by an organization when it is necessary given the nature of the transaction. This is consistent with Principle 4.4 in PIPEDA that “the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.” Requiring individuals to identify themselves when it is not necessary limits their control over their personal information. Similarly, organizations should only authenticate to the extent necessary.
Level of Authentication Commensurate with the Risk
The stringency of authentication processes should be commensurate with the risk to the information being protected, risk being a function of the sensitivity of the information or service in question, the vulnerability of that information or service, and the perceived threat to it. In general, the higher the risk or the more sensitive the information or service, the greater the number of factors that should be used to authenticate the individual. For example:
- A simple single-factor authentication process may be appropriate to allow an individual to obtain access to voice mail or to check the account balance of a loyalty program;
- Obtaining an account balance for a utility bill may require an account or membership number and a numeric access code (i.e., multi-layer single-factor authentication); and
- Financial services that permit the issuing of payment instructions and making transfers to third-parties for large amounts may require a two-factor authentication process.
As well, the level of authentication and the methods of authentication may vary depending on the nature of the interaction with the customer. For example, in some cases, an organization may require more authenticating information when opening an account than it will require when providing access to account information. During subsequent interactions an organization typically authenticates based on information collected when the relationship was established, perhaps supplemented by a password or shared information (e.g., the balance on last month’s statement).
Responding to Changing Threats
Organizations should regularly reassess risks and threats for each service delivery “touch point” and deploy risk mitigation measures, including adjusting the strength of authentication processes, to address changing threats. This entails keeping abreast of changes in business practices and technology that either strengthen existing authentication processes or undermine them.
Organizations also need to be constantly vigilant in relation to “risk creep”, not just from changing threats and technology but also in relation to the practice of regularly adding new services onto existing services. In such cases, organizations need to ensure that the authentication processes in place are sufficiently strong to mitigate the potential additional risk of the newly added service. For example, an authentication process that may be appropriate to allow an individual to check an account balance may not be appropriate to allow an individual to access usage or transaction information.
Regularly Monitor Threats
Organizations should regularly measure attempted attacks, breakdowns, and losses as part of a structured threat- and risk-assessment program, and evaluate customer awareness of and confidence in the authentication processes in place.
Organizations should ensure that all customer service representatives and other employees who have access to personal information receive appropriate training on the importance of protecting customers’ personal information, including the importance of protecting it from unauthorized access and disclosure.
As part of the ongoing training for customer service representatives, organizations should provide training on authentication policies and processes including examples of potential threats to privacy, such as “pretexting.” The training should be updated to reflect policy and process changes and new threats.
The Role of Individuals
Individuals have a role to play in the protection of their personal information by questioning and avoiding the use of weak authentication processes, choosing strong authenticators (for example, passwords and PINs that are difficult to guess), and responsibly and continuously safeguarding their identifiers and authenticators.
Changing Authentication Information
Organizations should give individuals the option of periodically changing their identifiers and personally selected authenticators.
Individuals should be provided with choices and identification/authentication options in order to manage their personal identity and privacy risks. For example, individuals should be allowed to choose:
- Their own identifier and should not be required to only use, for example, their name. (However, there may be situations, for example, when opening a banking account, where organizations are required to collect specific information and the use of a “nickname” or other alternative identifier is not possible.)
- Their personal passwords and/or shared secrets, including passwords or PINs that exceed a standard minimum length, for example, four characters.
- Questions and answers (Q&As) where personal preferences are used for authentication;
- Unique passwords and shared secrets for different but complementary services (for example, Internet service and telephone services provided by the same enterprise);
- When to change their authenticators; and
- Whether or not to use their personal identity facts for authentication (see below).
Organizations should provide enhanced authentication processes to individuals who request them. For example, organizations should allow individuals to add a password to accounts to prevent unauthorized individuals from obtaining access to billing information or calling records.
Easy to Remember, Difficult to Guess
Where the individual chooses an authentication factor that is based on something that the individual knows, it should be easy to remember or disguise, but difficult for someone else to guess or disclose. Individuals should be encouraged to follow this guideline and the authentication process and awareness programs should support these objectives.
Individuals should protect their passwords, PINs, etc. against unauthorized or inadvertent disclosure which typically means they should not keep a record of their passwords. However, in an environment where individuals may have a dozen or more passwords or PINs to remember, rather than “writing them down” an individual may simply resort to using the same, possibly weak, password for a variety of applications, which will increase the risk to the information or services. In these circumstances, therefore, it may be unrealistic to expect that they will never be written down. Individuals who feel they must keep a record of their passwords should be encouraged to store them securely, for example in an encrypted computer file.
Personal Identity Facts
Ideally, authentication should not be based on:
- Personal identity facts (i.e., identity information that does not change, such as date of birth, mother’s maiden name and place of birth), or
- Other information and identifiers that individuals acquire during their lifetime that are not easily or often changed (for example, a social insurance number or a driver’s licence number).
These identity facts and numbers are likely to be known to others, they can be relatively easy to obtain and after they have been compromised they are difficult or impossible to change.
As a means of authentication, “tokens” (for example, identity cards, drivers’ licences, passports, etc.) can be used with more confidence when the authenticity of the token can be verified. In general, the issuer of the token is in the best position to assess the appropriate reliance to place on the “token.” Ideally, tokens should only be used for their original intended purpose (for example, a driver’s licence should ideally not be used as an identity card). In other situations, an organization should only rely on a token when it has some assurance of the integrity of the issuance process. For example, relying on a driver’s licence from a foreign country may entail more risks than relying on a licence issued in Canada.
Integrity of Authentication Processes
Authentication processes should include effective safeguards to ensure the confidentiality and integrity of authentication information while it is being validated and stored. Authentication material should not be easily replicated or spoofed and should be readily verifiable. Given that it is relatively easy to spoof e-mail addresses and Caller ID, organizations should be very cautious about using e-mail, e-mail addresses and originating telephone numbers to authenticate individuals.
The authentication process should maintain reliable audit records of authentication transactions including the date, time and the outcome/result. Such trails should also record and manage attempted and failed authentications and provide a mechanism for identifying and responding to patterns of unauthorized behaviour. Audit records should not contain the actual authentication information. As well, audit records need to be protected since they create data trails that can reveal information about the individual.
The level of detail in the audit logs should reflect the risks associated with the information or service.
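The audit-record requirements above (date, time and outcome recorded; failed attempts kept and scanned for patterns; the authentication information itself never written to the trail) are illustrated by the following added example. It is not code from the guidelines; the record fields, the sample customers and timestamps, and the "N failures within a time window" rule are all constructed assumptions.

```python
"""Audit trail for authentication transactions (constructed example).

Each record keeps the date/time, the claimed identifier, the touch point and
the outcome. The secret that was supplied is compared but never stored, and
the trail is scanned for runs of failed attempts per identifier.
"""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    identifier: str   # claimed identity, e.g. a customer number such as A167
    channel: str      # service delivery "touch point": web, phone, branch
    outcome: str      # "success" or "failure"
    reason: str       # coarse reason code only; never the password or PIN


def authenticate_and_audit(log: List[AuditRecord], identifier: str, channel: str,
                           supplied_secret: str, expected_secret: str,
                           when: datetime) -> bool:
    """Validate a supplied secret and append an audit record without the secret."""
    ok = hmac.compare_digest(supplied_secret.encode(), expected_secret.encode())
    log.append(AuditRecord(when, identifier, channel,
                           "success" if ok else "failure",
                           "ok" if ok else "bad-secret"))
    return ok


def failed_attempt_pattern(log: List[AuditRecord], window: timedelta,
                           threshold: int) -> Dict[str, int]:
    """Identifiers with at least `threshold` failures inside any `window`.

    Returns the largest such run per flagged identifier, for follow-up."""
    failures: Dict[str, List[datetime]] = {}
    for rec in log:
        if rec.outcome == "failure":
            failures.setdefault(rec.identifier, []).append(rec.timestamp)
    flagged: Dict[str, int] = {}
    for ident, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                flagged[ident] = max(flagged.get(ident, 0), run)
    return flagged


def build_sample_log() -> List[AuditRecord]:
    """Constructed sample: one good login, a burst of guesses, one stale failure."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    log: List[AuditRecord] = []
    authenticate_and_audit(log, "A167", "web", "correct-horse", "correct-horse", base)
    for i in range(4):   # four wrong PINs over the phone within three minutes
        authenticate_and_audit(log, "B2", "phone", f"guess{i}", "s3cret",
                               base + timedelta(minutes=i))
    authenticate_and_audit(log, "A167", "web", "wrong", "correct-horse",
                           base + timedelta(hours=2))
    return log
```

The audit trail itself is personal information under the guidelines, so in practice it would be access-controlled and retained only as long as the risk assessment requires.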
Under PIPEDA and many other privacy laws, responsibility for personal information resides with the organization that collected the information (e.g., the financial institution or utility providing the service) even when the processing of the information is outsourced to a third party. In a situation in which an organization outsources a customer service function to a third party, primary responsibility for ensuring the adequacy of the identification and authentication processes that are used remains with the servicing organization that the individual has chosen. Even though the actual authentication may be done by the third-party outsourcer, the organization remains accountable, through contractual and other means, for ensuring that the authentication processes meet its requirements and reliably protect its customers’ information and assets.