BOX 6.1
On the Nature of Credentials
Understanding the nature of credentials is an important component of understanding authentication technologies, processes, and systems, since the “verifier” in an authentication transaction verifies credentials presented by the “presenter.” Credentials may be bound in some way to the individual to whom they were issued, or they may be bearer credentials. The former are necessary for identification, while the latter may be acceptable for some forms of authorization. A driver’s license or a passport is an example of the former, while an admission ticket for an entertainment event or a discount coupon is an example of the latter. Cash is a true bearer credential with very good anticounterfeit protection. A credential intended to be bound to a specific individual should effect the binding in some way that can be checked by a verifier; otherwise it risks becoming a bearer credential. Most driver’s licenses, employee ID cards, and all passports include a photo to allow a human verifier to determine if the individual presenting the credential is the one to whom the credential was issued. Machine-verifiable credentials may be bound to bearers through use of personal identification numbers or biometrics.
Most credit cards do not include a photo, even though they are credentials intended for use by a specific individual. Instead, most credit cards contain a signature strip, and verifiers (merchants) are supposed to compare the purchaser’s signature with that on the card for what are referred to as “card present” transactions. This signature-verification approach to user authentication is generally poorer than the photo ID approach, and it is not always used by merchants, especially in the United States. A growing number of credit card transactions are conducted as mail order or telephone order (MOTO) transactions or Internet transactions, and in these cases neither a photo nor a signature is available to the verifier to be checked. To help address this deficiency, credit card verification generally entails an online check. This is necessary in part because the credit card, as an authorization credential, is tied to data that cannot easily be maintained on the credit card, for example, the outstanding purchase total relative to the cardholder’s credit limit.
This example points to another aspect of credential systems: off-line versus online verification. Thanks in part to ubiquitous networking, credit cards have effectively become online verification systems, which they were not when they were first used. Online verification may be effected simply by querying a database using an identifier (for example, a credit card number), or it may involve a complex interaction between the credential and its issuer (for example, as many smart cards operate). Online verification also is attractive in that it supports rapid revocation of credentials. Many credentials are issued with an explicit period of validity. They must be periodically renewed. The issuer can revoke a credential by refusing to renew it, but this is not a very responsive way to revoke a credential. If failure to renew is the only way to revoke a credential, the issuer must trade off the costs of more frequent renewal against accepting the costs imposed by delaying revocation until the next renewal period. If the issuer can physically recall a credential, an intermediate form of revocation is possible; but in a world where an increasing number of transactions are not conducted in person, physical revocation is often not a viable option. (If one tried to use an invalid credit card in a store, it might be retained or destroyed by the merchant, but card confiscation is not possible when the transaction is conducted via the phone, mail, or Internet.)
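The bound-versus-bearer distinction and the offline-versus-online verification trade-off discussed above can be made concrete in code. The following Python sketch is an added example, not material from the report: it assumes a symmetric issuer key shared with verifiers (a constructed stand-in for an issuer's signature key), a PIN as the binding mechanism (one of the two machine-checkable bindings the text names), an explicit validity period on every credential, and a constructed revocation list standing in for the issuer's online status query. It shows that a bearer credential is accepted from whoever presents it, that a bound credential also requires the PIN, that an altered credential fails the signature check, and that a revoked credential keeps passing offline verification until it expires while an online check rejects it immediately.

```python
import hashlib
import hmac
import json

# Constructed issuer secret (assumption): verifiers that share it can check the
# issuer's signature offline, without contacting the issuer.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"
DAY = 86_400
PBKDF2_ROUNDS = 50_000


def _canonical(payload):
    # Deterministic serialization so the signature covers exactly one encoding.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(payload):
    return hmac.new(ISSUER_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def _pin_hash(pin, salt_hex):
    # The credential carries only a salted, stretched hash of the PIN, never the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS).hex()


def issue(serial, kind, subject, issued_at, valid_days, pin=None, salt_hex="00" * 16):
    """Issue a signed credential with an explicit validity period.
    pin=None yields a bearer credential (anyone holding it is accepted);
    a PIN yields a bound credential (presentation also requires the PIN).
    The fixed salt is constructed for a reproducible example only."""
    payload = {"serial": serial, "kind": kind, "subject": subject,
               "expires": issued_at + valid_days * DAY}
    if pin is not None:
        payload["pin_salt"] = salt_hex
        payload["pin_hash"] = _pin_hash(pin, salt_hex)
    return {"payload": payload, "sig": _sign(payload)}


def verify_offline(cred, now, pin=None):
    """Everything a verifier can check without contacting the issuer:
    issuer signature, validity period, and (for bound credentials) the PIN."""
    payload = cred["payload"]
    if not hmac.compare_digest(cred["sig"], _sign(payload)):
        return False, "bad signature (forged or altered)"
    if now > payload["expires"]:
        return False, "expired"
    if "pin_hash" in payload:
        if pin is None:
            return False, "bound credential: PIN required"
        if not hmac.compare_digest(payload["pin_hash"], _pin_hash(pin, payload["pin_salt"])):
            return False, "bound credential: PIN mismatch"
    return True, "accepted"


def verify_online(cred, now, revoked_serials, pin=None):
    """Offline checks plus an issuer status query (here a constructed set of
    revoked serials), which catches revocation before the expiry date."""
    ok, reason = verify_offline(cred, now, pin)
    if not ok:
        return ok, reason
    if cred["payload"]["serial"] in revoked_serials:
        return False, "revoked by issuer"
    return True, "accepted"


def demo():
    """Walk through the cases described in the text; returns the outcomes."""
    t0 = 1_700_000_000                       # constructed issuance time
    ticket = issue("T-1", "ticket", None, t0, 1)                    # bearer
    licence = issue("L-1", "licence", "A. Holder", t0, 365, pin="4921")  # bound
    altered = dict(licence, payload=dict(licence["payload"], subject="B. Other"))
    revoked = {"L-1"}                        # issuer revoked the licence early
    return {
        "ticket_any_bearer": verify_offline(ticket, t0 + 3600),
        "ticket_after_expiry": verify_offline(ticket, t0 + 2 * DAY),
        "licence_no_pin": verify_offline(licence, t0 + DAY),
        "licence_wrong_pin": verify_offline(licence, t0 + DAY, pin="0000"),
        "licence_right_pin": verify_offline(licence, t0 + DAY, pin="4921"),
        "licence_altered": verify_offline(altered, t0 + DAY, pin="4921"),
        # Offline verification cannot see the revocation until expiry.
        "revoked_offline": verify_offline(licence, t0 + 30 * DAY, pin="4921"),
        "revoked_online": verify_online(licence, t0 + 30 * DAY, revoked, pin="4921"),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:22s} {'OK ' if ok else 'NO '} {reason}")
```

The revocation gap is the point of the last two cases: with only expiry-based revocation, the verifier's window of exposure is the remaining validity period, which is exactly the renewal-frequency-versus-delayed-revocation trade-off the text describes; the online status query closes that window at the cost of requiring connectivity to the issuer.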
For any physical credential, there is always a concern about how easily the credential can be forged or altered. If one can readily modify a credential or create a bogus credential and have a verifier accept the credential as valid, then the credential system has failed. For credit cards, knowledge of a legitimate credit card number (plus expiration date and billing address) is sufficient to effect most MOTO transactions. Credit card account numbers (and expiration dates and addresses) cannot be well-protected secrets, because they must be transmitted to merchants to effect transactions. This points out a fundamental deficiency of credit cards as credentials in the MOTO environment: the information needed to pose as the legitimate cardholder is not a well-protected secret. Ancillary measures are adopted by merchants to counter credit card fraud—for example, reliance on automatic number identification (ANI) for phone orders placed to toll-free numbers, and shipping only to the billing address associated with an account.
An obvious security concern for physical credentials is the ability of a verifier to detect forgeries. Many driver’s licenses and current U.S. passports include antitamper and anticounterfeiting measures—for example, holograms that are designed to make it easy for a human verifier to determine if the credential is legitimate. Many credit cards also make use of holograms, to raise the bar against generation of fake physical credit cards. If legitimate credentials come in many forms, the verifier is less likely to be able to spot fakes. Birth certificates exhibit this problem (among others), since there are more than 17,000 jurisdictions that may issue these documents, and the formats vary widely. Machine-verifiable credentials ameliorate this problem, but they are typically more expensive to create, and the cost of deploying verification technology also creates barriers to deployment.
Against this backdrop, one can examine various forms of credentials to see how they rate. For example, a driver’s license is an identity credential for a named individual. It carries a photo of the individual to whom it was issued and is designed for off-line verification by a human. It can be physically revoked by a law enforcement officer or officer of the court. Because of wide variability in formats and anticounterfeiting measures, forged licenses may be hard to detect, especially when the license does not purport to be from the state in which it is being verified. A license typically contains data—for example, home address—which are not well maintained on the credential and which are not generally essential to the primary function for which the license was issued.
A combination of a user ID and a password constitutes a bearer credential in practice, even when the intention is otherwise. Authentication takes place over a network, and any binding to an individual is based on the assumption that the user did not share the password and that the pair was not guessed by an attacker.
Most credit cards are essentially bearer credentials, although that is not the intention. Cards that bear a photo of the cardholder offer added protection in card-present transactions but do not improve the security of MOTO transactions. Counterfeit cards, even ones that make use of holograms, have been produced by thieves, demonstrating the limits of current anticounterfeiting measures.
A smart card with a photo ID is a hybrid form of individual credential designed for both human verification and machine-based, typically online, verification. The human verification aspect of such cards is vulnerable to tampering attacks, except to the extent that anticounterfeiting measures are applied. The machine verification aspect of these cards can be of very high quality: That is, creating a fake public key certificate that would be accepted by the verifier can be made infeasible from a mathematical perspective. However, it may be possible to covertly acquire the private key and certificate of a legitimate individual from his or her card and insert them into a smart card with another individual’s photo, thus allowing the second individual to pose as the first for both human and machine verification purposes. This illustrates the difficulty of developing very high assurance credential technology, although technology of this sort does pose significant barriers to counterfeiting.