In the aftermath of the Office of Personnel Management (OPM) data breach, there has been quite a bit of discussion of the need for better authentication for people accessing the Internet. Interestingly, and perhaps not coincidentally, there have also been several articles recently on e-government in Estonia. Not coincidentally because Estonia's e-government system can address some of the issues America now faces.
Estonia loves to tout its digital society story. Estonia's path to being an e-government leader came in part out of necessity - the Internet proved to be the most cost-effective and efficient solution for providing services. The Estonian system is decentralized - like the US - but new e-government solutions are built on a common platform that can be used by multiple government agencies. (A simple but rich description of its architecture can be found here.)
One key benefit that Estonian citizens get from the system is that it has a robust electronic identity system (e-ID). The e-ID is so important because:
The e-ID is considered definitive because it is a two-factor authentication system. When you log onto a website using a user name and password, this is "single-factor" authentication. All the computer system knows is that two pieces of information have been typed into the system. Two-factor identification requires two separate and distinct items to be combined to authenticate a person. A good example of this is an ATM card. The card is issued by a trusted agent - a bank - after a person provides proof of who they are (from an approved list of documents). An ATM card is useless, though, until it is combined with a second piece of information: your personal identification number (PIN).
The Estonian e-ID is a form of two-factor identification. In 2002, the Estonian government began providing all of its citizens with an identification card - much like our driver's license, except it has a digital identification chip in it. A person who puts the card into a card reader attached to a computer can use the card, along with their PIN, to log into websites as diverse as the Estonian tax office or their local bank. The two-factor identification also allows a person to digitally sign - or e-sign - documents, since the presence of both the card and the correct personal identification can be taken as evidence that a person is who they say they are. This system is a critical feature of the Estonian Internet voting system that the country has used since 2005.
In the US, we suffer from an amazing lack of ability for people to effectively authenticate themselves online. Today, we live awash in passwords and breaches of data security in part because we do not have an effective system for securely signing onto computers or onto websites. Using your Facebook or Google accounts to log in may be convenient, but it fails to provide the website on the other end of the transaction with any proof that you are you.
Fortunately, in the US there are tools already in use for effective authentication. One system, similar to the e-sign system used in Estonia, is the Common Access Card (CAC) system that is used by the Department of Defense. The CAC is a "smart card" that has many of the same features as the Estonian system: it allows individuals to authenticate themselves online and digitally sign documents or emails, and it also serves as a traditional form of identification for Department of Defense buildings.
In response to the OPM data breach, more government agencies have started to adopt digital identification technologies. For example, the US Department of Interior has mandated that individuals log into the agency's website using a government issued "smart card."
What is missing from all of this discussion is any effort to provide such identification to the general public. A story written after the recent IRS data breach stated, "Among the options now under consideration [by the IRS] for expanding online security: Giving every taxpayer the option to use an IRS-supplied PIN number." Although an improvement, such a system would lack the effectiveness and security of a "smart card" and would still prevent the IRS from authenticating individuals effectively.
With the large number of military and government workers in Maryland, Virginia, and Washington, DC, it is surprising that none of these jurisdictions has thought to adopt a smart card technology as a part of its standard government identification system. Some people would no doubt worry about the "big brother" aspect of the smart card technology, but there is no reason why individuals could not choose to opt out of the system. However, it is easy to imagine banks, government agencies like the IRS, and online retailers providing people with discounts and other benefits if they used a smart ID when using their services. It could also benefit the democratic process; people could e-sign petitions and everyone would know that the signatures were authentic. Companies and government agencies alike would benefit from this system; they could be less worried about fraud and could more easily trust that you are who you say you are. And given the state of online security, everyone may want a bit more trust and a lot less fraud.