Special Feature: e-Authentication
Online Services in a Safe Mode
With the employment of internet and mobile communication tools, the government is aiming to build a transparent, easy and user-friendly mechanism for rendering public services to citizens. One of its attempts can be clearly seen in its forthcoming ‘National e-Authentication’ framework.
By Inder Kumar
As the government feels the need for a model to streamline its critical information exchange, and to do so in a secure manner, the e-Authentication framework comes into effect. Planned to be rolled out across the nation, the new model lays down the use of technology for safer transactions and for paperless and seamless exchange of information by using a single dedicated identity profile. The model enables a single-window system for multiple government services. The National e-Authentication framework is only a means to avail government services: it serves as a platform between a user (the one who is seeking public services) and the concerned department (the provider of the services). It acts as a policy/framework that will be presented to various government departments for authenticating their services and enabling transactions in a secure, paperless and transparent manner. It is beneficial both for the public and for the departments. According to Sunil Abraham, Executive Director of The Centre for Internet and Society, based in Bangalore, “the framework is quite different from other programs falling into the e-governance domain”. For example, where the objective of the UID was to establish citizenship with the government, this framework aims to make government transactions transparent to the citizen. He added that the single authentication system is going to be very useful and should have support for digital signatures for information or services coming under a higher sensitivity level. Noting that many countries have implemented such a system, he said that India should adopt this policy too.
What is e-Authentication? Electronic Authentication (or “e-Authentication”) is the process of electronic verification of the digital identity of a user. The user is a person who accesses government services online or through mobile. It will be implemented using credentials, each of which is composed of a User ID and Password. It also incorporates one or more methods of authentication to verify the user, including passwords, digital certificates or hardware or software tokens.
egov / www.egovonline.net / November 2011
Why e-Authentication? The broader question that strikes the mind is: what is the need for this kind of framework? Answering this in an interesting manner, Dr. Rajendra Kumar, Director (Projects) at the National e-Governance Division, who initiated the entire conceptualisation, got this draft prepared and released it for consultation, says that the need for a platform where one can avail government services with a single login ID and password, giving citizens a unique experience of availing facilities in a trustworthy and user-friendly manner, resulted in the drafting of the framework. He added that the other factors considered in devising this framework were bringing more transparency to government services, presenting a cost-effective mechanism to the departments and providing a trustworthy platform for transactions. He went on to say that the mechanism would also help improve privacy and efficiency.
How e-Authentication Begins The framework begins with the registration of a user. This is a one-time registration that establishes that the user is allowed to avail government services. The step authenticates the user through his/her digital identity and provides a secure way for users to access government services via electronic media (mobile/internet). The authentication is followed by the issuance of a credential that will be used in the e-Authentication process. Once authentication is done, the next step is authorisation.
[Flow: One-time registration → Verifying identity → Login ID and password issued → Select transaction type → Authorisation → Access to application]
Commenting on the step of authorisation, Dr. Rajendra Kumar said, “Authorisation is another level of authentication. It decides the type of service that a user can avail. Authorisation is the process of verifying that a known person has the authority to perform a certain operation on a given resource. Authentication, therefore, must precede authorization”. Authorisation is required for services that come under a higher sensitivity level. Authorisation is the last milestone before reaching the desired application.
“According to the Draft National e-Authentication Framework, authentication checks ‘is this the person he/she claims to be’, and authorisation checks ‘what is this person allowed to do’.”
How it Secures Sensitive Information? On defining different sensitivity levels for various services and the framework guarding them, Dr. Kumar said, “Different levels of services come under different sets of sensitivity. Therefore, it was decided to put different security levels for the different sensitivity sets. The higher the sensitivity of a service, the higher will be its security level.” There are five levels of application sensitivity for web and mobile based applications, ranging from Level 0 to Level 4, that help secure the information. Level 0 is the lowest application sensitivity level, whereas Level 4 is the highest. Level 0 will not require any form of authentication and will be used for providing public information over the web or mobile. All applications will therefore authenticate users using Level 1 authentication by default.
What about authenticating websites? However, the task of authentication does not end with access to the application. While delivering public services online, it is not only important to authenticate the user for her/his identity, but also to authenticate the website that the user is accessing to avail various public services. Considering the number of phishing attacks that take place over the web every day, the user must be able to correctly identify that the website that she/he has opened is actually the website it claims to be. Lack of appropriate security measures for ensuring the authenticity of websites may lead to the user revealing her/his personal credentials to a fake website, which can amount to severe financial and social losses not only to the user but also to the concerned department whose web interface was imitated for this purpose. During the registration process, the user selects (or is assigned) a specific image and also some user-defined text (optional) with user-defined font and colour. The image is one of potentially hundreds of available images and is intended to help the user distinguish the real website from an impostor. The actual process of authenticating the website is split into the following three steps:
• The user submits her/his username (only) to the website.
• The website shows the user the personal “watermark” image (with text if supplied), allowing her/him to verify that she/he is at the correct site.
• If the watermark image is correct, the user should enter her/his password to complete the login process. If the watermark image is not correct (or not shown), the user should not proceed, as she/he is likely to be at a wrong/phishing website.
On the whole, there are multiple ways of ensuring website authentication with the help of hardware tokens, software tokens, biometrics, PKI etc. However, the need for a particular mechanism can be derived based on the level of criticality of a website as well as the profile of its user base in terms of their capability to use such mechanisms.
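The three-step watermark login above is easy to get subtly wrong on the server side, so here is a worked illustration in Python. This is an added example, not code from the draft framework or from any department's implementation. It splits login into a phase that takes the username only and returns the registered watermark (image id plus the optional text, font and colour), and a second phase that accepts the password only against a single-use challenge bound to that username, so the two halves cannot be mixed between accounts. The account records, the password hashing scheme and the decoy watermark returned for unknown usernames (so that the first phase does not disclose which accounts exist) are assumptions of this example, not requirements stated in the draft.

```python
"""Two-phase login with a personal watermark image (added example, not the draft's code).

Phase 1: the user submits the username only; the server returns the watermark
registered for that account (image id plus optional text/font/colour).
Phase 2: the user, having recognised the watermark, submits the password.
"""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is an assumption of this example; the draft does not specify storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password, image_id, text=None, font="sans", colour="blue"):
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "watermark": {"image": image_id, "text": text, "font": font, "colour": colour},
    }


# Constructed user store for the example: username -> account record.
ACCOUNTS = {
    "asha": _make_account("correct horse", image_id="img_0417", text="my lotus", colour="green"),
    "ravi": _make_account("s3cret!", image_id="img_0088"),
}

# Phase-1 state: single-use challenge -> username, so phase 2 is tied to the
# account that was shown the watermark and cannot be replayed.
_pending = {}
_SERVER_KEY = os.urandom(32)  # derives stable decoy watermarks for unknown names


def _decoy_watermark(username: str) -> dict:
    """Stable but meaningless watermark for unknown usernames (design choice of
    this example): phase 1 then looks the same whether or not the account exists."""
    digest = hmac.new(_SERVER_KEY, username.encode(), "sha256").hexdigest()
    return {"image": "img_" + digest[:4], "text": None, "font": "sans", "colour": "grey"}


def start_login(username: str) -> tuple[str, dict]:
    """Phase 1: accept the username only and return (challenge, watermark)."""
    challenge = secrets.token_urlsafe(16)
    _pending[challenge] = username
    account = ACCOUNTS.get(username)
    watermark = account["watermark"] if account else _decoy_watermark(username)
    return challenge, watermark


def finish_login(challenge: str, password: str) -> bool:
    """Phase 2: the user recognised the watermark and now submits the password.
    The challenge is consumed here, so a second attempt with it fails."""
    username = _pending.pop(challenge, None)
    if username is None:
        return False  # no phase 1, or challenge already used
    account = ACCOUNTS.get(username)
    if account is None:
        _hash_password(password, b"\x00" * 16)  # keep timing similar for unknown accounts
        return False
    return hmac.compare_digest(_hash_password(password, account["salt"]), account["pw_hash"])


def client_login(username: str, password: str, expected_image: str) -> str:
    """The user's side of the three steps: send the password only if the
    watermark shown matches the one chosen at registration."""
    challenge, watermark = start_login(username)
    if watermark["image"] != expected_image:
        return "watermark mismatch: stop, possible phishing site"
    return "ok" if finish_login(challenge, password) else "bad password"


if __name__ == "__main__":
    print(client_login("asha", "correct horse", "img_0417"))  # the real site shows img_0417
    print(client_login("asha", "correct horse", "img_9999"))  # an impostor cannot
```

The watermark only proves that the site can produce the image registered for that username, which is why the example answers unknown names with a decoy and binds the password to the phase-1 challenge; for the higher sensitivity levels the draft pairs this with PKI, tokens and OTP rather than relying on the image alone.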
“Sensitivity Matrix” for identifying the right level of authentication for web/mobile based service:
Sensitivity Level | User Experience | Scenarios | Examples | Suggested Authentication Method | Fraud Management Layer Required
Level 0 | No inconvenience | Public information | Election Results | No Authentication required | No
Level 1 | Minimal inconvenience | Information with minimal impact in case of theft | Examination Results | Username-Password | No
Level 2 | Minor inconvenience | Information having social impact but no financial/security impact | Personally Identifiable Information (birth certificate, death certificate, land records etc.) | Digital certificate/soft token for mobile; Username-Password + Q&A | No
Level 3 | Significant inconvenience | Information having financial/security impact | Financial Information (Bank Accounts), Service Impairment (such as IRCTC website being brought down) | Token along with Username and Password for mobile; Username-Password + OTP | Yes
Level 4 | Substantial inconvenience | Information having very high financial/security impact | National Security Information (CCTNS, RAW, CBI Cases, etc.) | Two factor authentication: Biometric + Token / Username and Password | Yes
Source: National e-Authentication Framework Draft
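The matrix maps each sensitivity level to an authentication method and says whether a fraud-management layer is needed, and the earlier section insists that authentication must precede authorisation. The Python below, an added example that is not part of the draft or of the article, turns both into one access decision: a session earns an assurance level from the methods it has completed, a request against a service is refused until that level meets the service's level, the fraud layer (where the matrix requires it) must have cleared the request, and only then is the user's entitlement to the operation checked. The service names, users, entitlement lists and the reading of each matrix cell as a set of method names are assumptions of the example.

```python
"""Level-based access decision modelled on the sensitivity matrix (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Method sets accepted at each level, read off the "Suggested Authentication
# Method" column.  A session meets a level if it has completed any one of the
# sets listed for it.  How each cell maps to names is this example's reading.
LEVEL_METHODS = {
    0: [set()],                                   # public information
    1: [{"password"}],                            # Username-Password
    2: [{"password", "qa"}, {"password", "soft_token"}, {"password", "certificate"}],
    3: [{"password", "otp"}, {"password", "hw_token"}],
    4: [{"password", "biometric", "hw_token"}],   # biometric + token + username/password
}
FRAUD_LAYER_REQUIRED = {0: False, 1: False, 2: False, 3: True, 4: True}


@dataclass
class Service:
    name: str
    level: int = 1                 # the draft: Level 1 authentication by default
    fraud_checked: bool = False    # has the fraud-management layer cleared this request?
    acl: dict = field(default_factory=dict)   # user -> set of permitted operations (constructed)


@dataclass
class Session:
    user: Optional[str] = None
    methods: set = field(default_factory=set)  # authentication methods completed so far


def assurance_level(session: Session) -> int:
    """Highest sensitivity level whose method requirements the session fully meets."""
    if session.user is None:
        return 0
    return max(level for level, options in LEVEL_METHODS.items()
               if any(session.methods >= need for need in options))


def authenticate(session: Session, user: str, method: str) -> Session:
    """Record that `user` completed `method` (the password/OTP/biometric check
    itself is outside this example).  A session stays bound to one user."""
    if session.user not in (None, user):
        raise ValueError("session already bound to another user")
    session.user = user
    session.methods.add(method)
    return session


def authorise(session: Session, service: Service, operation: str) -> tuple[bool, str]:
    """Authentication precedes authorisation: assurance level first, then the
    fraud layer where required, then the user's entitlement to the operation."""
    if service.level == 0:
        return True, "public information, no authentication required"
    have = assurance_level(session)
    if have < service.level:
        return False, f"assurance level {have} below service level {service.level}"
    if FRAUD_LAYER_REQUIRED[service.level] and not service.fraud_checked:
        return False, "fraud management layer has not cleared this request"
    if operation not in service.acl.get(session.user, set()):
        return False, f"{session.user} is not permitted to {operation}"
    return True, f"{session.user} may {operation} on {service.name}"


if __name__ == "__main__":
    # Constructed services, placed at the levels the matrix suggests for their kind of data.
    land = Service("land records", level=2, acl={"asha": {"view"}})
    bank = Service("bank account", level=3, acl={"asha": {"view", "transfer"}})
    s = authenticate(Session(), "asha", "password")
    print(authorise(s, land, "view"))          # refused: password alone is Level 1
    authenticate(s, "asha", "qa")
    print(authorise(s, land, "view"))          # allowed at Level 2
    authenticate(s, "asha", "otp")
    print(authorise(s, bank, "transfer"))      # refused until the fraud layer clears it
```

The ordering in `authorise` is the point of the example: a request never reaches the entitlement check unless the session already carries enough assurance for the service's level, which is what “authentication must precede authorisation” means in practice.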
Role of IT Security in e-Authentication The framework would definitely boost the role of Information Technology: securing data of different sensitivity levels is going to be a demanding task, and this is the domain where IT security tools come in and carry forward a task of the utmost importance.
IT Tools to be used in Authentication:
• LDAP v3 Directory
• X.509 certificate
• Hardware/Software Token and OTP
Talking on the role of IT security, Dr. Kumar said, “managing different levels of sensitivity (in terms of technical development) was a big challenge.” He added, “the role of IT security tools is very crucial in storing and managing the data in a secure way. The tools would help improve the interface between the users and the government. We are in talks with some corporate players for roping them in for IT services.”
“This is a very good development that would encourage a lot of people, who were earlier used to switching from one window to another, to register and apply for services online,” said Tanmoy Chakrabarty, Vice-President, Government Industry Solutions, Tata Consultancy Services (TCS). He also said, “As the framework gets its hold, the focus will definitely shift to the need for IT security tools.” Commenting on the fact that with the expansion of the policy, sensitive and confidential information will be stored and made accessible, Mr. Chakrabarty added that the centre point, while implementing the program, will undoubtedly shift towards security. The government would be seeking high-end security tools to secure crucial information that caters to the public but can lead to catastrophic consequences if it falls into the wrong hands. Thus, the role of IT security tools undeniably gets a boost. The VP also commented on what TCS’s stand would be if it were approached by the government to employ its technology in securing the framework. He responded by saying that they will definitely look forward to the opportunity: “We will demonstrate our technology and tools that are relevant to the agenda. We will also showcase our work that we have done in Andhra Pradesh, Madhya Pradesh and Maharashtra.” Reacting to the initiative, Nirmal Prakash, Smart ID, said, “It is a welcoming step. This would do away with all the frauds and manipulation that a poor and illiterate person had to grapple with.” Talking on the role of IT security, he said, “Biometrics is the best tool for securing the data. It is beneficial even for those who cannot read and write. Moreover, nobody can try to influence the security methodology involved in the working of a biometric.” While talking to another private player, involved in the domain name registration business, Manish Dalal, Vice-President of Verisign Naming Services, it was found that the framework is being welcomed. Mr. Dalal went on to say that this is a great step and they welcome this initiative from the government.
The Big Q - Implementation The bigger question that comes to mind is that turning a project like this, which involves citizen participation on a very large scale, into a success is a demanding task. Moreover, its implementation in those areas where internet availability is absent and mobile connectivity is almost nil is going to be a hard-nosed mission for the government and the private players involved in it. Many fear the implementation could be vague, and many predict that implementation would not be horizontal. According to social activist Shabnam Hashmi (who also heads ANHAD, an Indian socio-cultural organisation), the major hindrance that the framework may come across is the limited reach of the internet. Where just 8 percent of the country’s 1.2 billion people have access to the internet, how will the government be able to implement it on a wide scale? Where the reach of mobile is very low, such as in the remote areas of the country, the scope of access through technology also goes down. The social worker went on to say that this framework is good in those states that are well developed, but how will it be successful in those areas where people do not even have electricity? However, Hashmi suggested a simultaneous social transformation, and the requirement of uniform and balanced infrastructure development, for the successful establishment of the program.
“Where just 8 percent of country’s 1.2 billion people have access to internet, how will the government be able to implement the framework, on a wide scale?”
Shabnam Hashmi, Social Worker
“The implementation should be a combination of ‘click and brick.’ Where the government has come out with a policy, it should also bring out a supporting infrastructure, for an example, the regulatory body should energize the Common Service Centers.”
Sunil Abraham, Executive Director, the Centre for Internet and Society
Responding to the question that India lacks wide infrastructure reach to make this policy available in those areas where internet and mobile networks are limited, Mr. Abraham said that it is not sufficient for the program to be on paper only; for good implementation there should be a simultaneous development of internet reach and mobile availability. He expected that the recent Telecom policy should bring more reach of the broadband network and cost-effectiveness so that more people could reap the fruits of the framework. The TCS official went on to comment that very few people have access to the internet and mobiles if we go across the remote areas of the country. Having said that the implementation should be a combination of “click and brick”, Mr. Chakrabarty said, “Where the government has come out with a policy, it should also bring out a supporting infrastructure, for an example, the regulatory body should energize the Common Service Centers through which services can be availed, mechanisms for wide publicity and other effective tools should be employed for the successful run of the program.” For all its pros and cons, the government is all set to implement this; on the other side, even the private players are in a welcoming mode; what is left is the general public, who will be the ultimate decision-maker of the success of the service. The status, as of now, is of the wait-and-watch kind, and, keeping fingers crossed, there emerges a sense of hope that another milestone in the e-governance plan may soon be achieved.