NASCIO faces authentication

According to a report last month from the National Association of State Chief Information Officers, states should have significant privacy concerns related to authenticating electronic communications.

E-Authentication technologies are designed to verify user identities during electronic transactions. Simple E-Authentication uses passwords, while more complex methods include smart cards, USB fobs and biometrics. NASCIO's report was titled "Who Are You? I Really Wanna Know: E-Authentication and its Privacy Implications."

The man who shepherded the document through NASCIO, Les Nakamura, stressed that officials weigh privacy risks in choosing security levels. "The overriding concern is that CIOs need to be sure that they protect personal information in the course of doing electronic-based business," he said. CIOs need to be sensitive to concerns about secondary use of collected and stored data.

Nakamura, chairman of NASCIO's Privacy Committee and a division-level administrator for the state of Hawaii, said CIOs must do risk assessments and choose the right level of authentication to match privacy concerns. "Collect what you need to authenticate that person and [do not] collect in excess," Nakamura said. Also, firewalls, antivirus software, digital certificates and anti-spyware programs can help. In a lot of cases, biometrics might be overkill, he said.

Several drivers are moving E-Authentication forward for states:

* Urgency to improve security against the threat of terrorism, following the Sept. 11, 2001, attacks.

* Increased instances of identity theft and fraud.

* Marketplace expectations, due to people's experience in the private sector.

"The general trend in doing business with government is to do more things online," Nakumara said. Also, E-Authentication is more cost-effective.

States' role in E-Authentication is greater than at the federal level. States create identities through birth certificates, change identities through name changes on driver's licenses and end identities, ensuring that a deceased person's birth certificate and driver's license cannot be used by anyone else.

A range of solutions greets CIOs. States can use something you know, such as passwords or personal identification numbers. Another option is something you have, such as a radio frequency identification chip, magnetic strip card or smart card. Finally, the most secure method is something you are, based on voiceprints, iris scanning and even handwriting. The more secure the procedure, the more invasive to privacy.

To protect privacy, CIOs should carefully manipulate these solutions. Many experts recommend that states should not use names for authentication when e-mail addresses will suffice. Also, linking Social Security numbers across multiple authentication systems can create privacy concerns. Each new link creates the possibility for a privacy leak. At the state level, government agencies generally opt for E-Authentication based on what people know, typically a password, which is less likely to compromise privacy.