Establishing and Securing Identity in a Distributed World
September 2, 2005 | 10 Comments
We have found ourselves in an interesting position. We need to establish, ensure, and maintain identity with remote users without ever exchanging SSN or other highly confidential identifiers or information. Popular solutions include security questions, requiring initial email address, authoritative remote identity providers (ex. notary), or physical presence. First let me debunk all of these in our environment.
Security questions:
- limiting questions to predetermined ones, simplifies ability to automatically guess answers.
- with increased personal information becoming available online, personal questions may have answers easily found.
- open questions often lead to simple question/answer combinations (ex. what color is the sky? blue.)
Initial email address:
- we provide email accounts as a service, requiring an email account to get an email account is laughable
- expired or abandoned accounts are a dead end for ongoing use
Remote identity providers:
- time consuming and cumbersome for the user
- costly for the user
- much manual work
- difficult globally
Physical presence:
- could be time consuming
- online education implies never needing to come to campus
- difficult globally
- not remote, if they have to come here
One potential solution in this space is Faces. This is also potentially cumbersome and the cost is unknown.
Now let me present our solution.
Upon account creation at the institution (student, faculty, guest, alumni, etc), we generate a 32 character password change authorization code, or PCAC, (ex. KLAS-DFHL-KASD-FKLJ-KKL3-243I-HF34-POI2) and a unique username. The account is initially locked. The user receives the username and code through the postal service to a known address, in person, or it is presented to them online if they are able to establish an account-creating relationship online.
Once they have the PCAC, they are instructed to keep it in a safe permanent location (ex. with birth certificate or social security card). They are also intructed to use this code to activate their account and set their password online. From anywhere in the world they can enter the PCAC and username into a secure web form, to set their password.
Once the user has a known username and password combination they use this to access all their services.
This same procedure can be used in the future to instantly reset their password if they have lost or forgotten it. Of course if they know their password they will always be allowed to use that to change it to something else.
At this point they have established identity, received credentials, and with their PCAC can always recover from lost or forgotten passwords. All these steps can be performed online, self-service. The security of their account is primarily in their hands. No one at the institution ever knows their password, and their is no formulaic way of figuring it out. There are no guessable hints.
All of this explains the situation where the user has their PCAC or password. In the contingency where they have lost or misplaced their PCAC, they can have a new one created immediately in person, or request a new one to be mailed to them via an online form.
I have posted this with hopes that people will review this and comment on their opinion of its viability. Please leave comments if you see problems or advantages in this we have not.
This solution is not useful for schools with a PKI solution, but could be used very easily as a cheap intermediary solution while that area matures.
Flowchart of this process (PDF)
PCAC Example (PDF)
Jon Emmons’ article on this same topic: Password Management in an Identity-Theft World
(This proposal authored by Jon Emmons and Zachary Tirrell - 2005)
Tags: faces, identity, identity management, information technology, it, Jon Emmons, password, password management, passwords, PCAC, pki, pooch, security, Zach Tirrell, Zachary Tirrell