INNOVATE

Robust Online Voter Authentication

Exploring different authentication factors

Scytl · 6 min read · Feb 16, 2022

Voter authentication is one of the most important elements of an online voting system. The correct identification of everyone who casts a vote is crucial to ensure that each voter is actually included in the electoral roll and, as a result, that they are eligible to vote in the election. At the same time, it is also important to ensure voter enfranchisement or, in other words, that the system is not preventing voters who are on the electoral roll from voting.

The implementation of an overly complex authentication mechanism could lead to voter disenfranchisement due to its poor usability, especially for voters who are not used to the latest technologies or who have disabilities and require certain assistive technology. Because of this, authentication systems are required to be secure enough to prevent voter impersonation, while at the same time being accessible enough for voters to use.

A robust authentication mechanism is one that provides a very high level of certainty that the person being authenticated is who they claim to be. This can be achieved by using one or, preferably, several factors of authentication, each being a piece of evidence provided by the person and proving their identity. Melanie Volkamer (2009: 25) stated that voter authentication could be carried out using:

  • Something the voter knows (knowledge)
  • Something the voter has (possession)
  • Something the voter is (inherence)

More recently, a fourth factor has become common: the location of the user. In this article, we will take a look at the most common factors used within each of these categories.

Secret

This is a secret known by the voter, such as a password, PIN, or code, typed in during the authentication process. This is the most commonly used authentication factor. In some cases, several secrets might be combined. For example, a password provided to the voter and another element that they already know, such as an affiliation or identification number.

This approach is quite user-friendly, as voters simply need to remember their login credentials. However, the robustness and security of the system are affected by the length of the secret(s) used. If the secrets are not very complex or are easy to find, an experienced attacker may be able to guess them or access them in some way, compromising the system. That is why, in circumstances where long passwords and secrets cannot be used, it is better to combine them with one or more of the other factors described below.

Physical Tokens

This is a physical device the voter has, and which may provide authentication and, in certain cases, digital signing capabilities. These devices can work connected to the system, such as electronic IDs (eID) or USB cryptographic tokens, or disconnected, such as bank authentication devices that use a keyword to generate codes via direct interaction with their users.

The security offered by physical tokens is usually very high, especially the connected ones, because they authenticate using very robust cryptographic keys that cannot be extracted from the device. In other words, no duplicates of the device are possible.

Soft Tokens

These are similar to the physical tokens, but with the particularity that they are based on software installed on a smartphone, computer, or similar device. This includes: certificates, which can be installed on a browser to authenticate oneself on certain websites; and authenticator apps, which generate unique authentication codes valid during a certain short period of time and that are linked to the user. The issue with these tokens is that they are based on a secret installed on a device, thus they can be replicated if the secret is leaked.

Account-Based

This authentication is based on the voter possessing a personal service account that can be leveraged as an authentication factor. Examples of this include one-time passwords (OTPs) sent by SMS, phone call, or e-mail: the voter receives an OTP, a password that can only be used once, through one of these channels and then uses it for authentication.

Another example is the use of push-based notifications, which use an application on a smartphone to request the user’s permission for authentication each time the voter logs into a system.

The first set of mechanisms is widely used, especially in its SMS form. However, these mechanisms are not considered very secure because they are based on insecure communication technologies that can be attacked relatively easily. There are many cases of SIM cloning, where an attacker requests a copy of the victim’s SIM from the phone operator and can then receive the OTP codes sent. Push-based notification is usually more secure because it depends on the account credentials and some secret set up during its initial configuration. This mode of authentication is sometimes integrated within an authenticator app, such as the one described as a soft token.

Biometrics

This is based on the recognition of physiological characteristics of certain parts of the human body to be used as an additional factor of authentication. Examples are fingerprint, facial, voice and iris recognition. The most commonly used mechanisms nowadays, thanks to the popularization of smartphones, are fingerprint and facial recognition.

The use of this technology has been controversial because it might require the creation of databases to verify that the data obtained from the biometric reader match a certain user. That is why, currently, it is usually not developed at large scale. Instead, it is widely used at a local level to protect access to certain applications or secrets within smartphones. For example, it can be used to authorize a push notification of an authenticator app when one is received. In this case, the biometric material of the user is stored only on their own phone and used as an access control mechanism.

GPS Position or IP Geolocation

The location, or approximate location, of the voter can also be a factor of authentication. However, despite this possibility, it is not commonly applicable in the case of general elections. For example, the location of the voter would not be very relevant if we want to offer remote voting capabilities irrespective of the actual location of the voter. However, it could be useful if we want to limit remote voting to certain cases, such as an election for overseas voters only.

In conclusion, a single factor of authentication can be robust on its own, such as a long complex password, but such factors often have a low degree of usability because they are not easy for a person to remember. Therefore, the use of several factors can improve the usability of the authentication system, while maintaining or increasing its robustness. With a multi-factor authentication system, it is much more complicated to impersonate a voter, because the attacker would need to deceive all of the authentication factors used. It is for this reason that we recommend using multi-factor authentication systems for providing robust authentication and guaranteeing i-voting systems with high standards of security.

This article was written by Jordi Cucurull, Cryptography Researcher at Scytl.


Scytl
EDGE Elections

The global leader in secure online voting and election modernization software solutions. www.scytl.com