Title Page and Notice
National Academies Statement
Committee
Preface
Acknowledgment of Reviewers

EXECUTIVE SUMMARY

1 INTRODUCTION AND OVERVIEW
    Definitions and Terminology
    Authentication in Daily Life
    Current Tensions
    Four Overarching Privacy Concerns
    What This Report Does and Does Not Do

2 AUTHENTICATION IN THE ABSTRACT
    What Is Authentication and Why Is It Done?
        Three Parties to Authentication
        Authenticating to Authorize
        Authenticating to Hold Accountable
    What Do We Authenticate?
        Identifiers
        Attributes
        Statements
    How Do We Authenticate?
        Authenticating Physical Identity
        Authenticating Psychological Identity
        Authenticating Possession of an Artifact
    Identification
    The Relationship Between Authentication and Identification

3 PRIVACY CHALLENGES IN AUTHENTICATION SYSTEMS
    Privacy Impact of the Decision to Authenticate
    Access Control and Information Systems
    The Legal Foundations of Privacy
        Constitutional Roots of Privacy
        The Common Law Roots of Privacy Law
        Statutory Privacy Protections
    Information Privacy and Fair Information Practices
    Privacy of Communications
    Concluding Remarks

4 SECURITY AND USABILITY
    Threat Models
        Threats
        Dealing with Threats
    Authentication and People—User-Centered Design
        Lessons from User-Centered Design
        Lessons from Cognitive and Social Psychology
    Factors Behind the Technology Choice
    Systems and Secondary Use
    Concluding Remarks

5 AUTHENTICATION TECHNOLOGIES
    Technological Flavors of Authentication
    Basic Types of Authentication Mechanisms
        Something You Know
        Something You Have
        Something You Are
    Multifactor Authentication
    Centralized Versus Decentralized Authentication Systems
    Security Considerations for Individual Authentication Technologies
    Cost Considerations for Individual Authentication Technologies
    Concluding Remarks

6 AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT
    Regulator of Private Sector and Public Agency Behaviors and Processes
        Government-wide Law and Policy
        Agency- or Program-Specific Law and Policies
        Regulation of Private Sector Information Management Activity
        Policy Activity in the Early 2000s
        Summary
    Government as Issuer of Identity Documents
        The Tangled Web of Government-Issued Identity Documents
        Threats to Foundational Documents
    Government as Relying Party for Authentication Services
        Access Certificates for Electronic Services
        The Internal Revenue Service—Electronic Tax Filing
        The Social Security Administration and PEBES
    Nationwide Identity Systems
    Concluding Remarks

7 A TOOLKIT FOR PRIVACY IN THE CONTEXT OF AUTHENTICATION
    Privacy-Impact Toolkit
        Attribute Choice
        Identifier Selection
        Identity Selection
        The Authentication Phase
    Concluding Remarks

APPENDIXES
    A Biographies of Committee Members and Staff
    B Briefers to the Study Committee
    C Some Key Concepts

What Is CSTB?