02 Feb
Article from Rik Ferguson
Filed under: Opinion
The French newspaper 20minutes is reporting a French government initiative to do away with internet passwords.
The French secretary of state responsible for the development of the digital economy, Nathalie Kosciusko-Morizet, announced on Monday a scheme to issue internet users with a digital certificate which would allow them to prove their identity to any online service that participates in the scheme. According to the report, more than twenty organisations have already signed up to help design and deliver a technology prototype by the second half of 2010 and become operational in 2011. Those organisations include the French Banking Federation, the Federation of French Insurers and La Poste, so evidently this technology will be aimed at some very sensitive (and criminally attractive) online services. In fact a demonstration of the technology showed how the single digital identity could be used to take out a loan, make purchases and apply for child benefit.
Obviously the technology behind the scheme is still under discussion and development, but I would hope that security is at the core of the discussions. A single method of proving the identity of tens of millions of individuals, with serious financial implications, will be a powerful attractor for criminals.
Security is more than simply asserting identity; it should also include certifying integrity.
Multi-factor authentication is not new technology and its problems are already apparent. Banks have been deploying this kind of technology for some time now and malware has already evolved to overcome it. In the vast majority of implementations the problem is that only one aspect of the transaction is being authenticated, and that is the identity of the customer. I, the card holder, prove my identity to my service provider by offering my certificate and my PIN. Once my identity has been proven, a secure link is established and business can continue. So what could go wrong?
Well, malicious software can hijack this authenticated session and issue fake commands and requests; it can also intercept and modify any responses that come back from the service provider to hide any trace of its malicious activity. This is called a Man in the Browser attack and is exactly how the banking Trojan, Bebloh, already works. This kind of attack is all but invisible to the victim unless they move to an uncompromised machine.
With this in mind it is vital that any scheme of this scope should use the identity technology to verify individual transactions rather than simply authenticate the user, and this will necessitate more than a simple USB or chip and PIN device. The authentication token itself must be capable of accepting direct input, from a keypad for example, relating to the content or the value of the transaction. This can then be verified by both parties and cannot be modified by the malicious “man in the browser”.
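As an added sketch (not code from the original post or from the French scheme), the difference between a session that is merely authenticated and a transaction that is signed by the token: the shared token secret and the bank's per-transaction challenge are assumptions standing in for the certificate and chip, and the 8-digit code models what a keypad token would display after the user keys in the payee and amount.

```python
import hashlib
import hmac
import secrets
# Added illustration: the token secret stands in for the certificate/chip
# (an assumption); the code is what a keypad token would display.

def transaction_code(secret: bytes, challenge: bytes, payee: str, cents: int) -> str:
    """Code computed over the transaction content keyed into the token."""
    msg = b"|".join([challenge, payee.encode(), str(cents).encode()])
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Bank:
    def __init__(self) -> None:
        self.token_secrets: dict[str, bytes] = {}
        self.challenges: dict[str, bytes] = {}

    def enrol(self, user: str) -> bytes:
        self.token_secrets[user] = secrets.token_bytes(32)
        return self.token_secrets[user]

    def challenge(self, user: str) -> bytes:
        # Fresh per transaction, so a captured code cannot be replayed.
        self.challenges[user] = secrets.token_bytes(16)
        return self.challenges[user]

    def session_only_submit(self, user: str, payee: str, cents: int) -> bool:
        """Identity was proven at login; nothing ties the session to the content."""
        return user in self.token_secrets

    def signed_submit(self, user: str, payee: str, cents: int, code: str) -> bool:
        chal = self.challenges.pop(user, None)
        if chal is None:
            return False
        expected = transaction_code(self.token_secrets[user], chal, payee, cents)
        return hmac.compare_digest(expected, code)

def demo() -> tuple[bool, bool, bool]:
    """(honest accepted, tampered accepted session-only, tampered accepted signed)."""
    bank = Bank()
    secret = bank.enrol("alice")
    payee, cents = "FR76 0000 0000 0000 0000 0000 000", 12_000  # constructed sample
    code = transaction_code(secret, bank.challenge("alice"), payee, cents)
    honest = bank.signed_submit("alice", payee, cents, code)
    # A man in the browser rewrites payee and amount after approval; the code
    # was computed on the token over the original values and cannot be redone.
    code = transaction_code(secret, bank.challenge("alice"), payee, cents)
    weak = bank.session_only_submit("alice", "attacker-account", 500_000)
    strong = bank.signed_submit("alice", "attacker-account", 500_000, code)
    return honest, weak, strong
```

`demo()` returns `(True, True, False)`: the session-only check waves the rewritten transfer through, while the signed check rejects it because the code no longer matches the altered payee and amount.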
With so many different proposed uses for this single ID, designing this kind of functionality will be very complex indeed but security cannot be a secondary concern in a national scheme of this magnitude.
Ms Kosciusko-Morizet goes on to say how she could foresee the birth of a new type of social network based on “real” identities. Well, yeah, as long as no one gets pwned. I wonder how sensible it is really to remove the healthy layer of scepticism from online interactions of that type…
Gadgets & Tech » France sounds death-knell for online passwords: Wednesday, 3 February 2010 at 5:04 pm
[...] The idea that a USB holding vital government information sounds like a recipe for disaster, considering the UK’s track record for data loss. [...]

No Passwords? Greaaaaaaat. : gordsellar.com: Thursday, 4 February 2010 at 5:56 am
[...] the French government apparently wants to do away with Internet passwords. They’ve teamed up with a bunch of companies. The idea seems to be that you could use a [...]

PC Blog » Blog Archive » French “sesame”: farewell, a thousand and one passwords?: Friday, 12 February 2010 at 8:58 pm
[...] the government proposes to replace user passwords with a single digital [...]

Identity theft: roll on IdeNum! | Hack45: Wednesday, 3 March 2010 at 3:43 am
[...] the integrity of data as it is carried from point A to point B. A blog from the antivirus vendor Trend Micro moreover quite rightly points out that if the government wanted to create a tool capable [...]

Wednesday, 3 February 2010 at 12:34 am
[...] http://countermeasures.trendmicro.eu/french-government-to-bid-adieu-to-online-passwords/ Published Tue, Feb 2 2010 23:34 by donna [...]