iVote, Electronic Voting, and Security: Controlling Access

used with attribution from StockMonkeys.com

One of the most important parts of securing any electronic data is making sure that only authorized parties have access to it. This can often be quite a challenge in larger organizations, especially if the user base grows. Assuming voter registration is about the same as it was in 2012, you have to figure out how to secure a system that handles 1.5M total users. Successfully authenticating that many users is quite a challenge, and almost any method used to do so has its pros and cons.

Let’s take a look at some common authentication methods and the pros and cons of each.

Plain old passwords

Despite a consensus that using just passwords is inadequate security, the practice still continues because most other methods are much less convenient. In exchange for that convenience, however, you’re often left creating really bad passwords or forgetting them. An advanced user like me can set up KeePass and store a new random password for each account I create, but even then it can be a little cumbersome. Given that the integrity of the vote is paramount, letting users rely on just passwords is an unacceptable option.

Two-factor authentication

Many of you have used this to secure logins from banking to Facebook. You’ll either have a little hardware device with a number (disclosure: my employer, RSA Security, makes the SecurID product), an app on your phone that mimics it, or get a code via email or text message. The concept behind this authentication method is that you have to have access to a separate system or device that you either solely or primarily control. Some of these two-factor systems allow you to use them for things beyond their primary use. For example, Google Authenticator can be used to secure WordPress logins.

While these are well-established, they do create the inconvenience of needing to have a second device or account around to perform any login actions. It’s also possible for someone to steal the code generator to perform the login themselves or compromise your email account to intercept messages. You also have to contend with enrollment issues, associating the two-factor device or method with a particular user; you still somehow need to authenticate that the person with the device is who they say they are.
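To make the code-generator idea concrete, here is an added example (my own illustration, not code from the original post or from any vendor’s product) of the time-based one-time password scheme that Google Authenticator and similar phone apps implement (RFC 6238 on top of RFC 4226). The server side shown here does the two things the post’s caveats call for: it tolerates a little clock drift between the device and the server, and it refuses to accept the same code twice, so a code that was stolen after use is worthless. The 20-byte secret is the RFC test-vector key; the user name and skew of one step are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

const stepSeconds = 30 // RFC 6238 default time step

// totp turns a Unix time into the RFC 6238 counter and computes the code for it.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/stepSeconds), digits)
}

// Verifier keeps per-user state so an accepted code cannot be replayed.
type Verifier struct {
	secret   []byte
	skew     uint64            // steps accepted on either side of "now" for clock drift
	lastUsed map[string]uint64 // highest counter already spent by each user
}

func NewVerifier(secret []byte, skew uint64) *Verifier {
	return &Verifier{secret: secret, skew: skew, lastUsed: map[string]uint64{}}
}

// Verify accepts a code only if it matches a counter inside the drift window and
// that counter is newer than the last one the user already redeemed.
func (v *Verifier) Verify(user, code string, unixTime int64) bool {
	now := uint64(unixTime / stepSeconds)
	start := uint64(0)
	if now > v.skew {
		start = now - v.skew
	}
	for c := start; c <= now+v.skew; c++ {
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c, 6)), []byte(code)) != 1 {
			continue
		}
		if last, ok := v.lastUsed[user]; ok && c <= last {
			return false // replay: this step, or an older one, was already used
		}
		v.lastUsed[user] = c
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, not a real enrollment
	v := NewVerifier(secret, 1)               // assumption: tolerate one step of drift each way
	now := time.Now().Unix()
	code := totp(secret, now, 6)
	fmt.Println("current code:", code, "accepted:", v.Verify("alice", code, now))
	fmt.Println("same code again accepted:", v.Verify("alice", code, now))
}
```

The replay check is what turns a guessable-once code into a genuine second factor: without it, anyone who shoulder-surfs a code has roughly a minute to reuse it.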

Asymmetric (aka public/private) keypair

This has long been established as a highly secure and near-impossible-to-forge way to establish the identity of a user and ensure that transmitted data is only seen by intended recipients. PGP is one of the better-known standards for keypairs and has thrived since its introduction in 1991. Military organizations use it with strong keys and passphrases to keep data safe, as do banks, retailers, and the really paranoid. It also enables digital signatures so that you can validate that a message came from a particular sender.

Unfortunately, it’s also one of the more technical solutions to implement. A private key is often protected with a passphrase (think really long password) so that even if it is obtained, it won’t be useful without that piece of information. This can create some of the same challenges as passwords except you do not have to transmit it from system to system. You also need to make sure you keep a backup of the key because once it is lost, it cannot be recovered and any data encrypted with it is lost forever. You also have issues with creating the keys and distributing them to users.
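The two properties described above, a signature that proves who sent a message and a private key that is useless to a thief without its passphrase, can be shown in a few dozen lines. This is an added example of my own, not code from the post or from PGP; it uses Ed25519 keypairs from Go’s standard library rather than PGP’s formats, and the ballot text, passphrase and file layout (salt, nonce, ciphertext) are assumptions. The standard library has no memory-hard key-derivation function, so the passphrase stretching here is plain PBKDF2-HMAC-SHA256, standing in for the scrypt or Argon2 a real deployment would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 100000 // assumption: tuned low enough to run quickly here
const saltLen = 16

// SignBallot signs a serialized ballot with the voter's private key.
func SignBallot(priv ed25519.PrivateKey, ballot []byte) []byte {
	return ed25519.Sign(priv, ballot)
}

// VerifyBallot checks that the ballot was signed by the holder of pub and not altered since.
func VerifyBallot(pub ed25519.PublicKey, ballot, sig []byte) bool {
	return ed25519.Verify(pub, ballot, sig)
}

// deriveKey stretches a passphrase into a 32-byte AES key with one PBKDF2 block
// (HMAC-SHA256, block index 1). Stand-in for a memory-hard KDF, see lead-in.
func deriveKey(passphrase, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// WrapPrivateKey encrypts the private key under the passphrase so a stolen key file is
// useless on its own. Assumed layout: salt || nonce || AES-GCM ciphertext.
func WrapPrivateKey(priv ed25519.PrivateKey, passphrase []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(passphrase, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, priv, nil)
	return append(append(salt, nonce...), ct...), nil
}

// UnwrapPrivateKey reverses WrapPrivateKey; a wrong passphrase fails the GCM tag check.
func UnwrapPrivateKey(wrapped, passphrase []byte) (ed25519.PrivateKey, error) {
	if len(wrapped) < saltLen {
		return nil, errors.New("wrapped key too short")
	}
	salt := wrapped[:saltLen]
	block, err := aes.NewCipher(deriveKey(passphrase, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < saltLen+gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	nonce := wrapped[saltLen : saltLen+gcm.NonceSize()]
	pt, err := gcm.Open(nil, nonce, wrapped[saltLen+gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted key file")
	}
	return ed25519.PrivateKey(pt), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ballot := []byte("ballot-id=constructed-0001;choice=A") // constructed sample ballot
	sig := SignBallot(priv, ballot)
	fmt.Println("genuine ballot verifies:", VerifyBallot(pub, ballot, sig))
	fmt.Println("altered ballot verifies:", VerifyBallot(pub, []byte("ballot-id=constructed-0001;choice=B"), sig))
	wrapped, _ := WrapPrivateKey(priv, []byte("correct horse battery staple"))
	_, err := UnwrapPrivateKey(wrapped, []byte("wrong passphrase"))
	fmt.Println("unwrap with wrong passphrase:", err)
}
```

Note that the backup problem the post raises is not solved by any of this: the wrapped blob is the only copy of the private key, and losing it (or the passphrase) means the voter must re-enroll.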

One-time passwords

Similar to two-factor authentication, a one-time password is just what it sounds like. While a token that generates a code is a form of one-time password, you can also distribute these via mailed postcards with a limited period of validity. This makes it easier for less technical users to have strong authentication. You can also include features such as QR codes to enable authenticating via an application on a mobile device or PC with a webcam.

Obviously, distributing passcodes via mail costs more money than a purely electronic system. You also need to create a window of validity short enough to prevent a replay attack yet long enough to allow for delivery and use. There’s also the risk of the method used to generate the passcodes being compromised and allowing mass voting by a third party.
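The mailed-passcode scheme above has three server-side rules worth showing in code: the code is valid only inside a fixed window, it can be redeemed exactly once, and the server stores only a hash of it so a leaked database does not hand out usable codes. This added example is my own, not code from the post or from any state’s system; the voter IDs, the 14-day window, the 10-character length and the alphabet (which drops 0/O and 1/I because the code is typed from a printed card) are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Characters a voter can read off a card without confusing 0/O or 1/I (assumption).
const alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

var (
	ErrUnknown  = errors.New("no code issued for this voter")
	ErrMismatch = errors.New("code does not match")
	ErrExpired  = errors.New("code outside its validity window")
	ErrUsed     = errors.New("code already redeemed")
)

type issuedCode struct {
	hash      [32]byte // only the hash is kept; the plaintext exists on the card alone
	issuedAt  time.Time
	expiresAt time.Time
	used      bool
}

// Issuer mints and redeems mailed passcodes, keyed by voter registration id.
type Issuer struct {
	validity time.Duration
	codes    map[string]issuedCode
}

func NewIssuer(validity time.Duration) *Issuer {
	return &Issuer{validity: validity, codes: map[string]issuedCode{}}
}

// randomCode draws n characters from the alphabet with crypto/rand, so codes are
// unrelated to the voter id and cannot be predicted from earlier ones.
func randomCode(n int) (string, error) {
	b := make([]byte, n)
	for i := range b {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// hashCode binds the code to the voter so one voter's card cannot be redeemed as another's.
func hashCode(voterID, code string) [32]byte {
	return sha256.Sum256([]byte(voterID + ":" + code))
}

// Issue creates a fresh code, records its hash and window, and returns the plaintext
// once so it can be printed on the card.
func (s *Issuer) Issue(voterID string, now time.Time) (string, error) {
	code, err := randomCode(10)
	if err != nil {
		return "", err
	}
	s.codes[voterID] = issuedCode{
		hash:      hashCode(voterID, code),
		issuedAt:  now,
		expiresAt: now.Add(s.validity),
	}
	return code, nil
}

// Redeem accepts a code only if it matches, is inside its window, and was never used.
func (s *Issuer) Redeem(voterID, code string, now time.Time) error {
	rec, ok := s.codes[voterID]
	if !ok {
		return ErrUnknown
	}
	got := hashCode(voterID, code)
	if subtle.ConstantTimeCompare(rec.hash[:], got[:]) != 1 {
		return ErrMismatch
	}
	if now.Before(rec.issuedAt) || now.After(rec.expiresAt) {
		return ErrExpired
	}
	if rec.used {
		return ErrUsed
	}
	rec.used = true
	s.codes[voterID] = rec
	return nil
}

func main() {
	s := NewIssuer(14 * 24 * time.Hour) // assumption: two weeks to cover delivery and use
	now := time.Now()
	code, _ := s.Issue("voter-0001", now) // constructed voter id
	fmt.Println("printed on card:", code)
	fmt.Println("first redemption:", s.Redeem("voter-0001", code, now.Add(48*time.Hour)))
	fmt.Println("second redemption:", s.Redeem("voter-0001", code, now.Add(49*time.Hour)))
}
```

The length of the window is the policy knob the post describes: the code above simply enforces whatever the issuer chooses, and a shorter window narrows how long an intercepted card stays useful.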

What we’re using now

Right now, authenticating voters depends on the method used to vote. Vote-by-mail depends heavily on the security of the postal system. Since it would be very hard to steal and submit a large number of these ballots without it being an easily discoverable inside job, there’s a layer of distributed physical security built in. The signatures on those ballots are also manually validated before they are submitted to be counted. (Don’t worry; the signature portion is removed from the ballot to maintain anonymity during tabulation.)

When voting in person, you have to bring identification to prove that you’re the registered voter in question. Even with fake identification, it would be very difficult to go from polling place to polling place to attempt to fraudulently vote multiple times on behalf of others. A given polling place likely can’t be used multiple times, as a poll worker might recognize the perpetrator. These physical deterrents are effective (very high cost for a relatively low reward), but there’s not much of an analog in digital systems.

Is a blended solution the answer?

Obviously, none of these methods is perfect. For any step forward you make in usability, you have to give up some security. The more security you implement, the more likely it is that only hardcore geeks like me (and our friends/family who call us for technical support) are going to be the ones using it. And, of course, state code requires that the integrity of the vote be preserved at all times.

One possible solution (which requires a fix from the legislature) is to allow voters to opt in with the understanding that while every effort will be made to ensure the integrity of the vote, an electronic ballot could be spoiled or compromised anyway. This allows for more flexibility in allowing less secure authentication options for those who are unwilling or unable to pick a more secure one.

What are your thoughts? How would you want to establish your identity with an online voting portal? Are you willing to make sacrifices in either security or convenience to the benefit of the other? Is there a way to establish identity we haven’t thought of? Sound off in the comments below.
