March 24, 2011 08:39 AM

Border Crossings in the Identity Realm

Our digital authorization and authentication systems are based on methods we've mastered in the physical world
Windows IT Pro
InstantDoc ID #129583

Nothing makes an identity professional think about his work more than crossing into another country. I had the opportunity to consider this truism six times over the holiday break, taking advantage of geography by using Canada as a shortcut between different family locations.

I grew up in Michigan, and my wife grew up in New York. The quickest route between these two locations is through the southern tip of Ontario. Between flying into Toronto to avoid the holiday mess at Chicago O’Hare and driving between the Michigan and New York destinations, I became fairly familiar with each country's border procedures. While I sat in line at the US border, German Shepherds sniffing around the car, I thought it would be interesting to compare a couple of examples of how authentication works in the physical world with their digital counterparts, and how an emerging class of applications mimics and perhaps improves on what's being done in the physical world.

The Physical Realm

First, let’s pick apart what’s happening in physical authentication from an identity professional’s point of view. In day-to-day authentication, a retail clerk asks to see your driver’s license—for example, to see if you’re old enough to buy alcohol. (This hasn’t happened to me in way too long, by the way.) The clerk looks at the license with varying degrees of scrutiny to see if the license appears to be genuine, the photo matches you, the description matches you, and the signature on the license matches your signature in front of them. Most people, however, simply look at the photo and confirm a pattern match with the person standing in front of them.

What is a driver’s license, anyway? It’s a token. This driver’s license “token” has attributes such as a photo, height, weight, and date of birth. It has an expiration date. It’s issued by an authority—the state—that certifies the validity of the values of these attributes. That certifying authority requires a variety of supporting documents before issuing one, because the US driver’s license is accepted as a means of establishing identity. Its scope as an identity credential, however, is limited to the United States, because proof of US citizenship isn't required to get a driver’s license. This is very similar in structure to a Kerberos ticket used in Active Directory (AD) authentication and authorization, or a Security Assertion Markup Language (SAML) token used in claims-based authentication for internet single sign-on (SSO). Both contain a set of attributes with values, and both are issued by a certifying authority.

A passport is also a token, with similar attributes. The primary difference is that a passport’s scope is international because it establishes nationality as well as basic identity characteristics. The certifying authority is the US government, and the document requirements to be issued a passport are more stringent than those of a driver’s license. Unlike a driver’s license, it also has the ability to carry updates by other certifying authorities (the visa section where passport control puts its stamp) after the passport has been issued.

What happens when you drive up to a border crossing into the United States? The obvious checks are confirming that your passport is valid and matches your description, and checking the car’s license for ownership and any outstanding warrants. I’m not a homeland security expert, but it’s safe to say that these checks are a small part of the checks that are done. For example, I recently learned of a fellow who was pulled aside by Customs coming into the United States because border security had detected the residue of a radiological agent! (The man had undergone a physical that involved radiology.) The most important action the border agent performs, however, is to ask you questions and watch your behavior as you answer them. After all, not too many people drive up to the border with something as obvious as a stolen car; behavioral questioning can help expose inconsistencies and falsehoods that simple passport authentication doesn’t expose. As in the physical world, authentication in the digital realm can involve only a simple password or it can use complex multiple factors such as one-time passwords, biometric scanners, time limitations, and location restrictions.

A border crossing involves both authentication and authorization. Authentication determines whether you're really who you say you are. Authorization determines what resources you’re allowed to access and at what level. Once your identity is verified at the border, there's a chance you could find yourself on a watch list that denies your entrance into the country. Authorization in this physical case is pretty much binary: you’re either allowed in or you aren’t. If you’re authorized, there’s no restriction to shop only at certain stores in certain states. Apart from the obvious constitutional and legal reasons, this is because national passport authentication systems aren't integrated with commercial systems.
