OFFICE OF
ENVIRONMENTAL
INFORMATION
February 2009
CROMERR
Successful Approaches:
Challenge-Question "Second Factor" Approach
CROMERR Authentication Standards
Under CROMERR, systems that accept electronic signatures (e-signatures) must be able to
provide proof that the e-signatures they accept are valid and were created with an e-signature
device that was not compromised at the time of signature (see rule's pertinent language in
3.2000(b)(5)(i), in the context of 3.2000(b) and 3.2000(b)(5), together with definitions of "valid
electronic signature" and "electronic signature device"). This requirement poses a special
challenge where the e-signature device is a PIN/password because PIN/passwords are easy to
compromise since they are easy to share - either intentionally or by accident - and a
PIN/password, once shared, is forever compromised. Specifically, CROMERR requires that a
system receiving electronically-signed documents "submitted in lieu of paper documents to
satisfy requirements under an authorized program...must be able...to generate data...as needed,
and in a timely manner...sufficient to prove..." that the e-signature was valid at the time of
signing, that is that the PIN/password was not compromised. Due to the inherent vulnerability
to compromise, a PIN/password on its own used to create an e-signature does not provide the
receiving system with "...data...sufficient to prove..." that the PIN/password was not compromised
at the time of signing. Therefore, EPA has determined that to meet the CROMERR requirement,
a system using PIN/password must be accompanied by some other identifier that together with
the PIN/password will be sufficient to prove that the e-signature has not been compromised.
One approach is to use the PIN/password in conjunction with a 'second factor' to create an e-
signature, so that the PIN/password + second factor combination can be shown to be
uncompromised even if there are questions about whether the PIN/password itself has been
shared. Under this approach, the second factor must be an item, other than the PIN/password,
or some event whose demonstrated presence or occurrence at the time of signature provides
independent evidence of the signer's identity. The CROMERR preamble provided examples of
second factors in the form of items that would be within the exclusive control of the signer -
such as a smart card or other physical token, or a piece of private information - and would
remain within the signer's exclusive control even if the PIN/password in itself were compromised
(see page 59870, October 13, 2005, Federal Register notice).
Challenge-Question Approach
One successful technology-based approach is having the system present the user with a
challenge -question each time a user enters their PIN/password to execute a signature. The
system randomly selects the challenge-question from a set of questions for which the user has
provided pre-arranged answers. Where an e-signature is executed with a PIN/ password, a
challenge-question approach provides a "second factor" to strengthen the PIN/password-based
-------�
OfFiCEOF
ENVIRONMENTAL
INFORMATION
e-signature, helping to ensure that the PIN/password has not been compromised. Systems with
PIN/password-based e-signatures that use the challenge-question approach as a "second factor"
provide significant added protection against signature repudiation and help meet the CROMERR
performance standard that systems use an approach that demonstrates that e-signatures are
valid as defined by the rule. States are welcome to propose other options that demonstrate that
the PIN/password has not been compromised.
CROMERR-Compliant Solution
EPA has approved several systems that implement the use of challenge questions as a second
factor for PIN/passwords. The minimum number of candidate questions, pre-arranged question-
answer pairs, and questions asked used in those systems was:
10-5-1 - that is, at the time a user registers to use an electronic reporting system, the user
selects from 10 challenge questions 5 that they will answer as part of registration. At the time
of signature 1 of these five challenge questions is then chosen at random and posed to the
signatory. Only a correct answer to this challenge question will allow the user's PIN and
password to be applied to the electronic document.*
*While the list of question choices can be as small as 10, a longer list of at least 20 is
recommended to give the registrant a better chance of finding 5 questions s/he can answer from
memory.
Rationale: 10-5-1 Approach
• Used as an authentication factor, challenge-questions represent a compromise. They are
not as strong as solutions based on hardware-tokens or biometrics, but they are much
easier and cheaper to implement.
• The number of pre-answered questions should be at least 5, because a lower number
would not allow meaningful randomization of questions to be posed at signing. Also, the
lower the number of pre-answered questions, the easier it would be for a defendant in a
judicial proceeding to make a claim undermining the utility of the challenge-question as
evidence of the signer's identity
• No EPA system that receives enforcement-sensitive e-reports implements anything that
has fewer questions than 10-5-1. EPA's Central Data Exchange (CDX), which supports
most EPA e-reporting, implements 20-5-1.
Other Recommendations
Careful Selection of Challenge Questions: We recommend that systems carefully select
the pool of challenge questions from which users may select at the time of registration.
o Questions should generally elicit information that cannot be easily researched on
the internet and which would not normally be known by anyone other than the
registrant.
-------�
OfFiCEOF
ENVIRONMENTAL
INFORMATION
o Questions should, whenever possible, elicit a simple, single-word (or numeric)
answer.
Another Important System Feature:
o The system should check the answers provided at registration for expected
variation to ensure that the same answer cannot be provided to all of the challenge
questions.
Challenge Questions Should Be Posed as Part of the Signature Event:
o The challenge question should generally be posed as part of the signature event,
not sign-in. If the challenge question is only posed as part of sign-in, then the
system should contain a time-out feature that automatically logs users off after 15
minutes (or sooner).
-------� |