Citizens throughout the world now have the ability to use the internet and technology to accomplish a variety of tasks which could previously only be done either in-person or through the use of physical materials. In less than 50 years, email and text messages have replaced countless numbers of physical letters. Online banking offers a wide variety of services which render bank passbooks and checkbooks nearly obsolete. Pure pencil-and-paper examinations now include on-screen options, and smartphone applications now challenge cash as the main means of payment in several countries. This is increasingly evident in government transactions, where citizens are able to register tax returns online, apply for a driver’s license or passport, or request library as well as refuge services. Now, i-voting, or online voting, also has the potential to serve as a complement to traditional voting methods.
Of course, in order for any of these services to function as intended, users must not only be able to identify themselves; the system hosting the service, or the organization they are transacting with, must also be able to confirm that they are who they say they are. Previously, in the physical world, this authentication requirement was met by viewing the person’s face physically and recognizing them or cross-checking it against identity documents, such as a passport, driver’s license, or ID card. These techniques have been used successfully at institutions such as banks or polling stations for decades. Now, as many processes move into the digital realm, authentication has taken on new forms but nonetheless remains critical in preventing fraud and malfeasance.
What is authentication and how is it used to confirm eligibility?
Put succinctly, authentication is “the process of recognizing a user’s identity.” In other words, authentication is proving that a person is who they say they are. In days prior, this was as simple as officials recognizing eligible voters by being acquainted with them. This allowed them access into public buildings to shout or raise their hands to vote on a variety of matters, a practice which continued well into the 1800s. As citizens desired more privacy and officials wished to streamline and formalize the authentication process, addresses, personal numbers, and official forms of identity became more common. More recently, fingerprints and even iris recognition have been used to support in-person transactions.
In the context of voting, authentication of eligible voters became more salient as suffrage, or the right to vote, was gradually expanded from male landowners to the general populace. A far cry from the days of dropping small clay balls in pots to vote (from which the word “ballot,” originally ballotta or “small ball for voting” in Italian, originates), governments now had more citizens to keep track of in order for eligible voters to participate in elections. Civil registers, largely compiled through sporadic censuses dating back millennia, now had to be expanded to include records of who was eligible to vote and who was not.
The law itself determines the eligibility of voters to participate in elections (the standard in much of the world now being universal suffrage, making all adults of a certain age eligible to vote, with limited exceptions), but the process of registering them varies from country to country, and even from state to state within a country. In just over half of the world, eligible voters are required by law to be listed on electoral registers. Some countries such as Australia and the UK make eligible citizens responsible for registering themselves, while others like Argentina and Hungary automatically create electoral registers from census data. In other countries, neither registration nor voting is compulsory for eligible voters, but registration is a necessary prerequisite for voting. As such, citizens of countries such as South Africa or the United States must authenticate themselves twice in preparation to vote: once to prove that they are eligible to vote, and a second time to prove that they are who they say they are when casting ballots.
How can authentication be done online?
While proving oneself eligible to vote and being added to an electoral register in years prior was a matter of presenting proper identification at a local election or municipal office, many of these processes have now moved online as the electorate has expanded. In US states such as California and Maryland, online voter registration requires only a driver’s license number, as one must be physically present to verify oneself to obtain a license in the first place, and this is considered to be sufficient evidence of one’s identity. Similarly, authenticating oneself as eligible in private or shareholder elections can be as simple as presenting evidence of owning a stake in the company or being a salaried employee, leaving it to companies to determine eligibility.
When conducting certain processes online, such as opening a bank account, paying taxes, or voting, stronger authentication methods are likely to be required, as the consequences associated with incorrect authentication or impersonation are much higher. This may require the voter or citizen to share far more detailed personal information about themselves, in comparison to online shopping or dating. With this in mind, citizens need to be assured that the data they are providing remains safe. This requires higher levels of online safety awareness on the part of the user, as a proliferation of lookalike websites, which claim to offer useful services but are in fact attempting to steal personal data, is also a growing cause for concern.
Citizens and voters should always perform due diligence when seeking online service provision, but are there online authentication methods that provide the necessary level of assurance to the service provider of the identity of the person completing the transaction, whilst sufficiently protecting the sovereignty of the personal data of the individual? Some technologies which may enable this are explored below.
1. Integrated Digital IDs
Throughout the world, as both public and private sector services have moved online, the convenience provided through digital IDs which are used to access them cannot be overstated. Many in the Nordic countries were designed for private sector services, such as Norway’s and Sweden’s BankID, but have now expanded in scope. Now, one ID enables citizens to shop, access healthcare, pay taxes, and much more. In Denmark, since the introduction of NemID in 2010, Danes now only need their personal ID number, a passcode, and an authentication app to use a number of services, including renewing library rentals and requesting criminal records.
In Estonia, the only country which engages in internet voting (i-voting) on a national scale for all public elections, citizens have had a state-issued ‘e-identity’ for twenty years. This single digital identity is used for digital signatures, i-voting, checking medical records, and a variety of other tasks. Citizens have a variety of options for how they use their e-identity to authenticate themselves, including an ID card equipped with a microchip containing the e-identity, a ‘Mobile ID’ with the e-identity uploaded onto a SIM card in one’s smartphone, or a ‘Smart ID’ which uses a mobile app. These forms of e-identities can provide assurance of identity for both the citizen interacting with the service and the service provider. Estonians are relieved of the burdens of having to remember login info for different services or constantly authenticating themselves, and service providers using e-identity are assured that users are not misrepresenting themselves.
2. Multi-factor authentication
At one time, passwords were perhaps the gold standard for online security: unique, freely selected, and secret. Now, however, brute force hacking attacks can crack most people’s passwords within a matter of days, minutes, or even seconds, a risk that will only increase as access to quantum computing nears. To address this, multi-factor authentication, or MFA, has come into prominence, with the core idea behind it being to add another level of security to login and authentication processes. Similar to how one must both insert a bank-issued card and provide a PIN number in order to use an ATM, with MFA, one must first input a password and then provide a confirmation of the login, often via an app or SMS message, in order to use online services.
MFA is surprisingly effective at curtailing false login attempts, with one source claiming that it effectively remedies nearly “all password safety issues,” and its adoption is picking up pace as both public and private entities work to bolster their online security. In the case of Denmark, citizens have become quite familiar with MFA since the introduction of NemID. In order to use NemID or MitID, one needs not only a personal identification number and unique PIN, but also a code card or smartphone app to confirm the login. Similarly, to use one’s credit or debit card online in Norway, one must not only provide the card information, but also log in with one’s BankID through a username, password, and one of three things: a random code which appears on a keychain, a picture of one’s passport or ID, or a picture of one’s face. Through this, the vendor can confirm that the customer is who they say they are.
3. Digital signatures & Hash Functions
A digital signature is akin to a “digital fingerprint:” a “coded message” which “securely links a signer with a document in a recorded transaction.” It is unique to a person, similar to a physical fingerprint, and is a way of ensuring that important data has not been tampered with since being sent from a particular signer. Commonly used in sensitive documents such as university transcripts, digital signatures use mathematical algorithms to regularly confirm that the form or document has not been altered. These often involve hash functions, which “take an arbitrary message of arbitrary length and create an output (a hash) of a fixed length” which corresponds only to that message, say for example a person’s identity. Due to the nature of the process, “it is difficult to find a different message that would produce the same hash,” meaning that data produced could not be altered without significantly altering the associated hashes and being detected. In this way, digital signatures backed by cryptographic hashing serve as a vital means through which individuals (and the content of what they are sending) can be authenticated digitally.
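As an added illustration (not part of the original article), the sketch below builds a Lamport one-time signature, one of the simplest signature schemes made entirely from a hash function, to show the properties described above: hashes of fixed length, and a signature that stops verifying when the document is altered or checked against another signer's key. The transcript text and all function names are constructed for the example, and the scheme is chosen for clarity rather than being the one any particular service uses.

```python
import hashlib
import secrets

BITS = 256  # SHA-256 always yields 256 bits, whatever the input length


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(h(zero), h(one)) for zero, one in private]
    return private, public


def digest_bits(message: bytes):
    digest = h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def sign(private, message: bytes):
    """Reveal one secret per digest bit. A key pair must sign only ONE message."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Hash each revealed secret and compare with the published hash for that bit."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= secrets.compare_digest(h(signature[i]), public[i][bit])
    return ok


def demo():
    # Constructed sample document; not taken from any real record.
    transcript = b"Transcript: J. Doe, Course 101, Grade B"
    tampered = b"Transcript: J. Doe, Course 101, Grade A"
    private, public = keygen()
    _, other_public = keygen()  # a different signer's public key
    signature = sign(private, transcript)
    return {
        "hash_lengths": (len(h(b"")), len(h(transcript * 1000))),
        "genuine": verify(public, transcript, signature),
        "tampered": verify(public, tampered, signature),
        "wrong_signer": verify(other_public, transcript, signature),
    }


if __name__ == "__main__":
    print(demo())
```

Changing a single character of the document flips about half of the digest bits, so the revealed secrets no longer match the published hashes and verification fails.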
What does the future hold?
The above avenues of authentication have certainly served well thus far in enabling entities to authenticate themselves via digital means. But, as digitization progresses, will such methods need further bolstering or even replacement? These questions can only be answered with time, but some potential paths for enhancement are worthy of mention.
1. Facial recognition
For those owning iPhones or Windows computers, this is not something entirely new. However, incorporating such technology into digital authentication methods does address the elephant in the room with digital authentication, namely how a person can in fact be identified and authenticated when they are not physically present. As previously mentioned, the Norwegian BankID already offers such an authentication method via an app, while Australia and New Zealand have introduced the technology to streamline border control via “SmartGates” where passengers can pass through immigration with just a passport and facial scan.
2. Biometric authentication
Again, this is not a new concept for many who use Apple or Samsung products, as using one’s fingerprints to unlock personal devices has been standard for several years now. Biometric authentication, however, can extend beyond fingerprints, with other examples including retinal or iris scans. In India, a program launched in 2011 named Aadhaar, in which citizens and residents may submit their fingerprint and iris scan in order to receive a unique digital identity, has grown into the world’s largest biometric ID system. With this ID, citizens can be easily authenticated to vote or receive government services.
Ultimately, there is no fool-proof method for authentication of individuals and entities online. In spite of this, there are a myriad of tools available for use which enable governments, firms, and citizens to better authenticate themselves as well as the actors with whom they wish to engage.