Chapter 5: Digital Authentication

HTML VERSION

Chapter 5:
Digital Authentication

I. The Present Law of Identity Authentication

Access to property and information in digital form, through online portals, must be safeguarded. Under PIPEDA, this duty arises from the “reasonable security arrangements” required to prevent unauthorized access. Proper user authentication practices are a crucial aspect of preventing such unauthorized access.

[See PIPEDA, Sch. 1, Principle 4.7; OPC’s TJX/Winners decision (PIPEDA Report of Findings #2007-389, Sep 25, 2017) at paras. 68-70.]

Authentication issues apply to any aspect of digital life where access is intended to be restricted to one or more specific individuals. Such issues most obviously arise in the financial industry, in the form of:

• fraudulent payment instructions given by e-mail or phone;
• interception of money transfer by e-mail hack; and
• fraudulent 2-factor authentication facilitated by SIM-swapping.

[Compare Du v. Jameson Bank, 2017 ONSC 2422 at paras. 64 and 78 with the Lanark Leeds case, 2019 CanLII 69697 (ON SCSM) at paras. 56-65 re payment instructions by e-mail and e-mail hacks; OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019) re fraud through impersonation over the phone; Michael Terpin v. AT and T Inc et al, No. 2:2018cv06975, Doc 29 (C.D. Cal. 2019) re $24 million crypto theft through SIM-swap attack; Sean Coonce, “The Most Expensive Lesson Of My Life: Details of SIM port hack” (Medium, May 20,2019). See also cases on insurance coverage due to fraudulent payment instructions, cited in subsection II of Chapter 3 under the paragraph beginning with “Insurance coverage may also become an issue.…”.]

Apart from the general duty in PIPEDA to safeguard against unauthorized access, the only law covering digital authentication in a specific and targeted manner is the Directive on Identity Management (“ID Directive”), and Standard on Identity and Credential Assurance (“ID Standard”). The former was last amended in 2019, while the latter was last amended in 2013. Both documents derive their authority from the Financial Administration Act. Pursuant to these documents, the importance of accurate authentication must be assessed according to four levels. Depending on the applicable level, a different set of requirements apply.

[See Government of Canada, Directive on Identity Management (updated Jul 1, 2019), incl. ss.2 and A.2.3 of same; Government of Canada, Standard on Identity and Credential Assurance (updated Feb 1, 2013); Government of Canada, Policy on Government Security (updated Jul 1, 2019), s.2; Financial Administration Act, RSC 1985, c F-11, s.7.]

However, the determination of which level applies, and whether requirements for the applicable level are met, appear to involve much discretion. The ID Directive and ID Standard also do not address specific authentication issues arising specifically in the online context, for example: with respect to encryption standards for online authentication operations, integrity of personalised security credentials, etc. Moreover, the ID Directive and ID Standard are limited to the public sector, and their initial threshold for applicability cannot easily be ported to the private sector.

The most useful guidance on digital authentication in the private sector is the OPC’s Guidelines for identification and authentication (“OPC ID Guidelines”). The OPC ID Guidelines are not law per se, but helpfully tie digital authentication best practices to the core privacy principles arising from PIPEDA. The OPC ID Guidelines focus on the following topics in particular:

• multi-factor authentication;
• scope of data collection;
• data retention periods;
• consent to collect and process information;
• employee training;
• audit records;
• cybersecurity controls to avoid “man in the middle” attacks;
• data protection;
• trusted ID documents;
• trusted third parties when ID management is outsourced;
• careful approach to biometrics authentication.

[See OPC, “Guidelines for identification and authentication” (June 2016).]

A more helpful and detailed authentication guide has been provided by the Communications Security Establishment (“CSE”), in the User Authentication Guidance for Information Technology Systems (“CSE Guidance”). This document applies to federal government institutions only, but should be treated as a standard within the public provincial and private sectors as well. The CSE Guidance provide specific authentication guidance to combat specific threats. The document borrows “four levels of increasing authentication assurance” from the U.S. NIST framework (referenced below), and stresses the importance of multi-factor authentication in the context of a token authenticator. It also discusses token threats and mitigations, salting and hashing protocols, authentication monitoring, and user education. The high level of rigour can be explained in part by the general mandate of the CSE, which is discussed further in Chapter 9.

[Communications Security Establishment, User Authentication Guidance for Information Technology Systems (Apr 4, 2018), ss.2.1, 4.]

The Treasury Board has also provided technical authentication specifications for participation in the “Canada cyber-authentication environment.” These specifications appear in the Cyber-Authentication Technology Solutions Interface Architecture and Specification Version 2.0 (CATS2 IA&S), and appear to be regularly updated. They should be closely considered by the development team responsible for the authentication gateway.

[Treasury Board, Deployment Profile for CATS2 IA&S (last modified Feb 20, 2018); Government of Canada, Guideline on Defining Authentication Requirements (Nov 30, 2012).]

In addition to the above measures, efforts are being made in Canada to codify a more robust, broader framework for digital authentication. The Canadian federal and provincial governments, along with other private sector participants, are working with the Digital ID & Authentication Council of Canada (“DIACC”) to manage and deliver digital ID services across government and commercial platforms.

[See Government of Canada, “Canada’s trusted digital identity vision” (video, Oct 11, 2018); Government of Ontario, “Ontario Digital Service: key priorities” under “Implement a common approach to digital identity” (last updated Aug 9, 2019); DIACC, “About Us” (2019).]

The DIACC is presently developing a domestic industry framework, called the Pan-Canadian Trust Framework (the “PCTF”). At the time of publication, most material PCTF documents are still in draft. The PCTF is anticipated to provide common terms, expectations, and defined processes to assist with contract drafting for digital ID matters. However, there are no prescribed or model contracts anticipated for the PCTF.

[See DIACC, “Pan-Canadian Trust Framework Work Program”; DIACC, “Pan-Canadian Trust Framework Overview” (Aug 2016) at 8.]

It is probable—or at least hoped—that PCTF drafting efforts include consideration of foreign “open banking” laws. Open banking refers to the porting and transfer of customer banking data, inclusive of transactional information, for customers to more easily compare financial services and switch providers. So far, this new business model has been mandated by legislation in Europe, U.K., and Australia, each on grounds of privacy and big data competition (the latter of which is discussed in Chapter 11).

[See European Directive 2015/2366 re PSD2 (landing page); CME, “The Retail Banking Market Investigation Order 2017” (UK, Feb 2, 2017); CMA, “Explanatory Note: The Retail Banking Market Investigation Order 2017” (UK, Feb 28, 2017); Treasury Laws Amendment (Consumer Data Right) Act 2019, No. 63, 2019 (Australia).]

Further to its open banking mandate, the E.U. Parliament and Council passed the eIDAS Regulation in 2014. This regulation “establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.”

[See eIDAS Regulation, Art. 1(c); European Commission, “eIDAS for SMEs” (last updated Nov 29, 2018).]

The following year, the E.U. Parliament and Council passed the PSD2 Directive (“PSD2”). The PSD2 stipulates that “strong customer authentication” requirements must be legislated by all Member States. The term “strong customer authentication” (“SCA”) is defined as a standard for multi-factor authentication. The PSD2 also requires development of “common and secure … communication” (“CSC”), for various purposes including identification and authentication.

[See European Directive 2015/2366 re PSD2, Arts. 4(30), 97, 98(1)(d).]

In 2017, the U.K.’s Competition & Markets Authority (“CMA”) supported open banking by means of an order against the U.K.’s largest banks. That order required the development of banking standards covering various topics, including an open application program interface (“API”), data formats, and security. Authorization and authentication standards were part of the mandate for security standards. In the order, the definitions for SCA and CSC were deferred to the European definitions, to be provided by the European Banking Authority (“EBA”).

[See CME, “The Retail Banking Market Investigation Order 2017” (UK, Feb 2, 2017); CMA, “Explanatory Note: The Retail Banking Market Investigation Order 2017” (UK, Feb 28, 2017).]

In 2018, the two European standards—SCA and CSC—were clarified by the EBA. As required under the PSD2, the EBA also issued Regulatory Technical Standards (“RTS”) for SCA and CSC. The RTS discusses multi-factor authentication in detail. Efforts to develop authentication standards under the open banking mandate continue in full force within Europe and the U.K.

[See EBA press release re SCA and CSC (June 13, 2018); FCA, “FCA statement on EBA’s draft PSD2 Guidelines and Opinion for banks and others involved in open banking” (UK, June 22, 2018); CMA, “Notice of approval of changes to the Agreed Timetable and Project Plan” (UK, July 26, 2018); EBA’s opinion re elements of CSC under PSD2 (June 21, 2019).]

In the U.S. context, President Obama proposed an Identity Ecosystem Framework (“IEF”) in 2011. The IEF proposed the establishment of standards based on defined risk models. It further proposed to: “establish the accountability and remediation process when an identity credential is fraudulently issued or used or when other breakdowns in the Identity Ecosystem occur.” However, other than for e-signatures, no federal U.S. law appears to have been legislated for authenticated login mechanisms for online portals.

[See President Barak Obama, “National Strategy For Trusted Identities In Cyberspace” (April 2011, US); Electronic Signatures in Global and National Commerce Act, 15 U.SC. 96, §§ 7001-7006 (“ESIGN”).]

U.S. rules for digital authentication were subsequently issued in the form of guidelines applicable to the federal public sector. These rules, called the NIST “Digital Identity Guidelines” (“NIST Guidelines”), were issued and updated in 2017. In concert with the standards mentioned above, the NIST Guidelines also discuss multi-factor authentication principles. With its three companion volumes, it comprehensively also covers technical authentication standards for enrollment and identity proofing requirements, authentication and lifecycle management, and federation and assertions.

[See NIST, “Digital Identity Guidelines”, SP 800-63-3, SP 800-63A, SP 800-63B, SP 800-63C (Dec 1, 2017).]

At the level of international law beyond the E.U., development of global digital ID standards is underway but still in its infancy. The most headway to date has been made by the Financial Action Task Force (“FATF”), an inter-governmental body tasked with setting international anti-money laundering standards. The FATF released draft guidance on digital ID (“FATF Draft Guidance”) in mid-2019, and a consultation period on the Draft Guidance ended in November 2019. Further amendments to the Draft Guidance are expected in February 2020.

[See FATF, “Public consultation on FATF draft guidance on digital identity” (Nov 2019), incl. “Appendix E: Overview of US and EU digital ID assurance frameworks and technical standards” at 70-73.]

As the foregoing discussion indicates, there are many sources of actual and persuasive law relating to digital authentication. It is an area in rapid and ongoing development. Until Canada’s PCTF is finalized by DIACC, or a sector-agnostic standard for digital ID is legislated, legal counsel should consider digital ID standards with respect to all the authorities mentioned above.

II. Future Considerations Affecting Authentication Law

With regard to Canada’s position on open banking, an Advisory Committee on Open Banking was launched in September 2018, and a Senate committee’s report on open banking was issued as of June 2019. So far, however, the only significant mention of Canada’s digital authentication requirements for open banking, are in that Senate committee’s report. In that report, a bank simply expressed the need for “better authentication, password and security controls.”

[See Department of Finance, “Minister Morneau Launches Advisory Committee on Open Banking” (Sep 26, 2018); BANC Committee Report, “Open Banking: What It Means For You” (June 2019) at 6, 26.]

With regard to ongoing development of the PCTF, the DIACC and CBA have each proposed looking to Estonia and India, as examples for how to implement digital ID legislative and policy frameworks. Canada subsequently entered into a Memorandum of Understanding with Estonia as of May 2018, “to define a common agenda and encourage closer ties … in the fields of digital government, the digital economy and related policy issues.” It is understood that digital authentication falls into this mandate.

[See DIACC, “The Economic Impact of Digital Identity in Canada” (2018); CBA, “Canada’s Digital ID Future - A Federated Approach” (Spring 2018); Memorandum of Understanding between Canada and Estonia re Digital Government and Economy (May 28, 2018).]

Moreover, legal developments are likely to shift with new technological means for authentication. Consider, for example, the recommendation by the Canadian Bankers Association (“CBA”) for a blockchain-type solution to digital identity, which was independently also acknowledged by FATF. The CBA proposed:

[A] federated identity system leverages multiple systems, eliminating reliance on a single service provider. In other words, there is no single point of control or failure that can compromise the entire system. … The decentralized network also reduces the risk of fraud by eliminating any “honeypots” of data that can be compromised.

[See CBA, “Canada’s Digital ID Future - A Federated Approach” (Spring 2018); FATF, “Public consultation on FATF draft guidance on digital identity” (Nov 2019) at 8, 12 re the use of distributed ledger technology for digital authentication; Daniel Therrien’s “Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on Privacy of Digital Government Services” re Estonia’s blockchain model (Jan 31, 2019).]

A blockchain solution for digital identity would involve more robust legal controls specific to the blockchain context. As noted in subsection III of Chapter 2, such controls should consider nodes as third-party data processors, data storage protocols, ledger integrity controls, etc.

In addition, as of June 2018, fintech legislative reform has permitted various types of financial entities to “provide identification, authentication or verification services.” As the Canadian digital authentication legal framework matures, it should be expected that digital ID verification will become a commonly outsourced service to Canadian financial institutions, and foreign affiliates. It is plausible that the government may also run a registry of accredited third-party authentication vendors, further to a Senate committee’s recommendation.

[See Trust and Loan Companies Act, s.410(1)(h); Bank Act, ss.410(1)(h) and 539(1)(g); Insurance Companies Act, s.441(1)(i); and Budget Implementation Act, 2018, No. 1, S.C. 2018, c. 12; “17. Reliance on Third Parties” and “Interpretive Notice to Recommendation 17” in FATF Recommendations [Updated June 2019] at 16, 78; FATF’s “Public consultation on FATF draft guidance on digital identity” at 20-22; BANC Committee Report, “Open Banking: What It Means For You” (June 2019) at 6.]

One subsector where outsourcing of digital ID services will increase, is digital asset services. This industry was recently legitimized under domestic virtual currency legislation, which was mandated internationally by FATF and is scheduled to come into force in June 2020. Moreover, in recent years, the crypto space has been deeply troubled by a lack of digital authentication guideposts. This has resulted in inadequate KYC during account setup, fraudulent online access to user accounts, and poor verification of investment instructions. Hence, in the crypto space, user authentication has presented exposure that service providers will now, most certainly, attempt to offload by hiring third-party authentication agents.

[See Regulations Amending Certain Regulations Made Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, 2018, “Description” within the “Regulatory Impact Analysis Statement”; FINA Committee Report, “Confronting Money Laundering and Terrorist Financing: Moving Canada Forward” (Nov 2018) at 64, Recommendation 26; CSA/IIROC Consultation Paper 21-402 (Mar 14, 2019) at 12 (5.2.4 “Systems and business continuity planning”), and at 25 (“Appendix C” under “7. KYC and suitability”); Michael Terpin v. AT and T Inc et al, No. 2:2018cv06975, Doc 29 (C.D. Cal. 2019) re $24 million crypto theft through SIM-swap attack; Sean Coonce, “The Most Expensive Lesson Of My Life: Details of SIM port hack” (Medium, May 20,2019).]

III. Conclusion

The digital economy is becoming increasingly important to daily life. Participation in the digital economy necessarily involves secure access to online portals. While the legal framework for digital authentication presently has patchwork application, the framework is undeniably on a fast course of development. Legal counsel in the Canadian digital ID industry should consider current laws in the public sector, unofficial laws in the private sector, draft documents for the developing Canadian framework, as well as foreign laws and guidance on digital ID. These materials will certainly feed into more broadly applicable legal authority, and should be considered by counsel now for early risk mitigation.