Authentication vs Authorisation

Authentication and authorisation, while related, are two different problems in security. While I fully support our government’s suggestion to pay for a voter authentication system, it only solves the problem of authentication, not authorisation.

The issue of a phantom voter is not merely an authentication problem. It is also an authorisation problem. We need to be sure that the person is who they claim to be (authentication), and we need to ensure that they are allowed to vote (authorisation) only once and only in that constituency.

A person could feasibly be issued multiple cards with different identities. Let’s assume that this person maliciously cloned the cards, substituting the biometric data. This person can still authenticate themselves and vote in multiple places under assumed identities.

If indelible ink is used, that person would have ink marks and can only vote once, even with multiple cards. Of course, today that person would also need multiple cards, but they would not need to substitute the biometric data, which makes it much easier to cheat.

So, while biometric identification is used to fix the authentication problem, it still needs to be coupled with additional steps, e.g. indelible ink, which would help fix the authorisation problem.
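The argument above as a small model, added here as an illustration and not part of the original post: the "already voted" record is kept per card unless ink is used, in which case it is also kept on the person. The class names, card ids, constituencies and fingerprint strings are all made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    card_id: str
    constituency: str
    biometric: str  # template stored on the card

@dataclass
class Person:
    fingerprint: str
    inked: bool = False  # the ink mark travels with the person, not the card

@dataclass
class PollingStation:
    constituency: str
    roll: set  # card ids registered here
    use_ink: bool
    voted: set = field(default_factory=set)

    def authenticate(self, person, card):
        # Is the presenter the person the card describes?
        return card.biometric == person.fingerprint

    def authorise(self, person, card):
        # May this identity vote here, and has it (or the person) voted already?
        if card.constituency != self.constituency or card.card_id not in self.roll:
            return False
        if card.card_id in self.voted:
            return False
        return not (self.use_ink and person.inked)

    def cast_vote(self, person, card):
        if not (self.authenticate(person, card) and self.authorise(person, card)):
            return False
        self.voted.add(card.card_id)
        if self.use_ink:
            person.inked = True
        return True

def ballots_accepted(use_ink):
    # Constructed scenario: one person, two cards carrying their own biometric.
    voter = Person("fp-1")
    cards = [Card("ID-A", "North", "fp-1"), Card("ID-B", "South", "fp-1")]
    stations = {c.constituency: PollingStation(c.constituency, {c.card_id}, use_ink) for c in cards}
    return sum(stations[c.constituency].cast_vote(voter, c) for c in cards)

if __name__ == "__main__":
    print("without ink:", ballots_accepted(False), "with ink:", ballots_accepted(True))
```

Both cards pass authentication in either run; only the check bound to the person rather than to the credential stops the second ballot.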

That said, I hope that they don’t give the contract to Tricubes. That would just raise a whole PR problem.

Update @ 2011-07-24: The EC has admitted just as much, that there are clones on the electoral roll.

Published by

Shawn Tan

Chip Doctor, Chartered/Professional Engineer, Entrepreneur, Law Graduate.
