Alternatives Analysis
complete and documented through Think Tank notes - characterizes alternative approaches to e-signatures.
Context for Analysis
- Complying with OMB's guidance for e-authentication, as required by NMFS e-signature policy and procedural directive, requires agencies to work through an analytical process to evaluate e-signature alternatives to match e-signature tools to the e-government application being enabled.
- Neither the OMB policy nor NIST e-authentication technical guidance specifies solutions that agencies must use.
- The first step in the analytical process is to understand the range of e-signature alternatives available to agencies and agree upon criteria for evaluating those alternatives. (This is the subject of the August 20th meeting.)
- The second step is to evaluate a selected set of e-signature alternatives against the agreed-upon criteria. (This is the subject of the August 27th / September 3rd meetings.)
- Subsequent meetings will help complete the analytical steps called for in the NMFS e-signature policy and procedural directive.
Proposed Evaluation Criteria
- Usability: ease-of-use consistent with typical commercial online transactions such as consumer banking or personal investor securities trading; portable e-signature capability, not tied to a particular Internet access device or particular type of access device (rules out a signature digitizing pad, fingerprint reader, etc.)
- Ease of Implementation: minimize modifications to agency business rules or technology infrastructure
- Affordability: cost appropriate for business value delivered
- Risk Mitigation: accountability appropriate to mitigate business risk, which is a function of confidence in the original identity assertion (are you sure enough that you have identified a specific individual?), the chain of custody of the identity credentials (did the registrant maintain sole custody of the secret?), the integrity of the signed document (is the document in evidence unaltered from when it was signed?), and the legal framework of the e-signature (is the signature legally binding?).
Representative Design Alternatives
As described in the design of e-signature systems, it can be useful to decompose these systems into component parts, each of which presents clear choices among technical alternatives. (Like putting together a five-course meal from an à la carte menu.) The resulting composite design can then be mapped back to our requirements. The table below illustrates this decomposition and analysis for some theoretical and existing e-signature systems.
| Design | Registration | Credential | Credential Issuance | Signing | Tamper Evidence | Ease-of-use | Portability | Cost | Accountability |
|---|---|---|---|---|---|---|---|---|---|
| HMS Permits | Online registration at http://www.hmspermits.gov/ | Permit number | Online issuance of permit | Not called a signature, but does include "I am authorized" checkbox | Typical transactional database controls | Similar to common e-commerce transactions | Only "something you know" required | Clearly less expensive than the paper process | Low confidence in identity and custody, but may be adequate to mitigate low risk in the context of the full relationship between the parties |
| NPS e-signature | Invitation by USPS mail with unique access code which allows online registration, which includes identity validation via that access code and other shared secrets, possibly including SSN | Username and password | Online issuance | Signatory signs with a "something you know" username and password. One-factor authentication. | Package consists of encrypted PDF of document (tamper-evident) and e-signature metadata | Similar to common e-commerce transactions | Only "something you know" required | Clearly less expensive than former paper process | Moderate confidence in identity, credential, and custody, but may be adequate to mitigate moderate risk. Note that individual permit applications may require additional documentation including USCG Vessel Registration, Articles of Incorporation, etc., which may further mitigate risk but are not part of the e-signature. |
| | Transactions typically are complete stand-alone packages with registration, content, and e-signature submitted at the same time; registration for subsequent authentication is not an important concept in this context | Self-selected five-digit PIN with customer's prior-year adjusted gross income, or prior-year PIN | An identity credential is not an important concept in this context. The e-signed annual electronic transaction (filing a return) represents a small part of the relationship between the parties, and validation of identity is based on multiple factors from the full relationship. | Signatory signs with a "something you know" self-selected five-digit PIN. Transaction is authenticated by user providing prior-year adjusted gross income. Might be considered two-factor, but likely one factor (prior-year AGI). | Package consists of text of document and e-signature metadata; requires external "seal" to make tamper-evident. User receives an electronic confirmation number from IRS acknowledging receipt, which also binds signature to transaction. | Similar to common e-commerce transactions | Only "something you know" required | Clearly less expensive than former paper process | Moderate confidence in identity, credential, and custody, but found to be adequate to mitigate risk in the context of the full relationship between the parties |
| myAlaska e-signature | Online registration, identity validation via shared secrets from two independent government-issued sources (Alaska Permanent Fund Dividend and driver license) | Username and password | Online issuance | Signatory signs with a "something you know" username and password. One-factor authentication for user, strengthened by server-side encryption. (Authentication almost two-factor due to obscure, unlikely-to-be-memorized shared secrets, viz., height and weight on driver license, knowledge of which implies "something you have".) | Package consists of text of document and e-signature metadata, and is then digitally signed by the myAlaska server to become tamper-evident | Significantly more complex than common e-commerce transactions, but wide adoption indicates that the complexity is acceptable | Only "something you know" required | Clearly less expensive than former paper process | Moderate confidence in identity, credential, and custody, but found to be adequate to mitigate moderate risk in the context of the full relationship between the parties |
| FedEx(R)-like digitized signature: holographic signature using stylus on a digitizing pad | Signature would not necessarily be electronically associated with the registrant | Image of a holographic signature | None required | Signatory signs a holographic signature on a digitizing pad while the digitizing pad is under the control of agency's e-signature software. One-factor authentication | Package consists of text of document, e-signature metadata, and image of holographic signature; requires external "seal" to make tamper-evident | Familiar and understandable | Requires digitizing pad, stylus, and custom software at client device | Significant cost of stylus and digitizing pad | Characteristics similar to traditional signature |
| | Create online profile, then appear in person at USDA Service Center with government-issued photo ID to activate level 2 credentials | User ID and password | Customer-specified credentials are electronically activated by USDA Service Center employee | Signatory signs with "something you know" username and password. One-factor authentication | Uses database logs, which include an access control record with shared secrets | Similar to common e-commerce transactions | Only "something you know" required | Cost of training staff and maintaining service centers for ID proofing | Very strong confidence in identity because of face-to-face proofing; however, custody of credential not guaranteed |
| | Configurable per business requirements; could be fully online using shared secrets | Choice of 5 hardware authenticators or software for cell phone or PDA | Hardware authenticators require physical delivery; software authenticators' "seed" could be delivered electronically | Signatory signs with a "something you know" PIN or password and a one-time-use token code generated by their authenticator | Package consists of signed document and authentication metadata; requires external "seal" to make tamper-evident | Dedicated devices mask deep complexity | Dedicated device must be present at signing | Significant cost of dedicated device and licensing | Strong confidence in identity and credential, good confidence in custody of credential |
| Theoretical highly rigorous public key infrastructure (PKI) alternative | In-person proofing at US Post Office or a financial institution | PKI private key with password and biometric (three-factor: something you have, something you know, something you are) | User enables the use of a digital certificate by typing in a passcode. The digital certificate would likely be on a storage device or may be stored on a computer. Many web browsers and e-mail clients will work with digital certificates. | Digital signature: document hash, biometric, and e-signature metadata are encrypted with private key. Requires some type of reader to input the key, a scanner for the biometric, and PKI-aware and biometric-aware client software | Package consists of text of document, biometric and e-signature metadata, and digital signature; this combination is tamper-evident by design | Complex, mysterious, many ways to fail | Reader required (mag stripe, smart card, USB, etc.), biometric scanner required | Significant cost of person-proofing and certificate issuance, significant cost of reader and biometric scanner | Strong confidence in identity, credential, and custody of credential |
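The Tamper Evidence column separates packages that the issuing server signs itself (the myAlaska design) from packages of document text plus e-signature metadata that still need an external "seal". The example below is added here and is not part of the analysis: it models such a package and shows why a document hash carried in the metadata is not tamper evidence on its own. HMAC-SHA256 under a constructed server-held key stands in for the server's digital signature; the key value, field names and the permit text are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample key, held only by the e-signature server (hypothetical value).
SERVER_SEAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def make_package(document_text, signer_id, signed_at):
    """Unsealed package: document text plus e-signature metadata (who, when, hash of the text)."""
    metadata = {"signer": signer_id, "signed_at": signed_at, "doc_sha256": sha256_hex(document_text)}
    return {"document": document_text, "metadata": metadata}

def canonical_bytes(package):
    """Deterministic serialisation so sealer and verifier hash identical bytes."""
    return json.dumps(package, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_package(package, key):
    """Server-side seal over document and metadata together; only the key holder can produce it."""
    seal = hmac.new(key, canonical_bytes(package), hashlib.sha256).hexdigest()
    return {**package, "seal": seal}

def internal_hash_ok(package):
    """Checks only that the metadata hash matches the text; anyone can recompute it after an edit."""
    return package["metadata"]["doc_sha256"] == sha256_hex(package["document"])

def seal_ok(sealed, key):
    """Tamper-evidence check: recompute the seal over everything except the seal field itself."""
    body = {k: v for k, v in sealed.items() if k != "seal"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("seal", ""))

def alter_document(package, new_text):
    """Model a post-signing edit that also refreshes the metadata hash to hide the change."""
    altered = json.loads(canonical_bytes(package))  # deep copy, seal (if any) carried along
    altered["document"] = new_text
    altered["metadata"]["doc_sha256"] = sha256_hex(new_text)
    return altered

def demo():
    # Constructed permit application; the same edit is applied to an unsealed and a sealed package.
    original = make_package("Vessel length: 40 ft", "applicant-42", "2003-08-20T10:00:00Z")
    sealed = seal_package(original, SERVER_SEAL_KEY)
    return {
        "unsealed_edit_passes_internal_check": internal_hash_ok(alter_document(original, "Vessel length: 90 ft")),
        "sealed_original_verifies": seal_ok(sealed, SERVER_SEAL_KEY),
        "sealed_edit_verifies": seal_ok(alter_document(sealed, "Vessel length: 90 ft"), SERVER_SEAL_KEY),
    }
```

The unsealed edit passes the metadata check because the hash was recomputed along with the text, while the sealed edit fails because the seal key never left the server; a real deployment would replace the HMAC with the server's asymmetric signature so that verification does not require sharing that key.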