OFFICE OF ENVIRONMENTAL INFORMATION
February 2009

CROMERR Successful Approaches: Challenge-Question "Second Factor" Approach

CROMERR Authentication Standards

Under CROMERR, systems that accept electronic signatures (e-signatures) must be able to provide proof that the e-signatures they accept are valid and were created with an e-signature device that was not compromised at the time of signature (see the rule's pertinent language in 3.2000(b)(5)(i), in the context of 3.2000(b) and 3.2000(b)(5), together with the definitions of "valid electronic signature" and "electronic signature device"). This requirement poses a special challenge where the e-signature device is a PIN/password, because PIN/passwords are easy to compromise: they are easy to share, either intentionally or by accident, and a PIN/password, once shared, is forever compromised.

Specifically, CROMERR requires that a system receiving electronically-signed documents "submitted in lieu of paper documents to satisfy requirements under an authorized program...must be able...to generate data...as needed, and in a timely manner...sufficient to prove..." that the e-signature was valid at the time of signing, that is, that the PIN/password was not compromised. Due to this inherent vulnerability to compromise, a PIN/password used on its own to create an e-signature does not provide the receiving system with "...data...sufficient to prove..." that the PIN/password was not compromised at the time of signing. Therefore, EPA has determined that, to meet the CROMERR requirement, a system using a PIN/password must be accompanied by some other identifier that, together with the PIN/password, will be sufficient to prove that the e-signature has not been compromised.
One approach is to use the PIN/password in conjunction with a "second factor" to create an e-signature, so that the PIN/password + second factor combination can be shown to be uncompromised even if there are questions about whether the PIN/password itself has been shared. Under this approach, the second factor must be an item other than the PIN/password, or some event, whose demonstrated presence or occurrence at the time of signature provides independent evidence of the signer's identity. The CROMERR preamble provided examples of second factors in the form of items that would be within the exclusive control of the signer, such as a smart card or other physical token, or a piece of private information, and that would remain within the signer's exclusive control even if the PIN/password itself were compromised (see page 59870, October 13, 2005, Federal Register notice).

Challenge-Question Approach

One successful technology-based approach is having the system present the user with a challenge-question each time the user enters their PIN/password to execute a signature. The system randomly selects the challenge-question from a set of questions for which the user has provided pre-arranged answers. Where an e-signature is executed with a PIN/password, a challenge-question approach provides a "second factor" that strengthens the PIN/password-based e-signature, helping to ensure that the PIN/password has not been compromised. Systems with PIN/password-based e-signatures that use the challenge-question approach as a "second factor" provide significant added protection against signature repudiation and help meet the CROMERR performance standard that systems use an approach that demonstrates that e-signatures are valid as defined by the rule. States are welcome to propose other options that demonstrate that the PIN/password has not been compromised.
CROMERR-Compliant Solution

EPA has approved several systems that implement the use of challenge questions as a second factor for PIN/passwords. The minimum number of candidate questions, pre-arranged question-answer pairs, and questions asked used in those systems was 10-5-1: that is, at the time a user registers to use an electronic reporting system, the user selects, from 10 challenge questions, 5 that they will answer as part of registration. At the time of signature, 1 of these five challenge questions is chosen at random and posed to the signatory. Only a correct answer to this challenge question will allow the user's PIN and password to be applied to the electronic document.*

*While the list of question choices can be as small as 10, a longer list of at least 20 is recommended to give the registrant a better chance of finding 5 questions s/he can answer from memory.

Rationale: 10-5-1 Approach

• Used as an authentication factor, challenge-questions represent a compromise. They are not as strong as solutions based on hardware tokens or biometrics, but they are much easier and cheaper to implement.
• The number of pre-answered questions should be at least 5, because a lower number would not allow meaningful randomization of the questions to be posed at signing. Also, the lower the number of pre-answered questions, the easier it would be for a defendant in a judicial proceeding to make a claim undermining the utility of the challenge-question as evidence of the signer's identity.
• No EPA system that receives enforcement-sensitive e-reports implements anything with fewer questions than 10-5-1. EPA's Central Data Exchange (CDX), which supports most EPA e-reporting, implements 20-5-1.

Other Recommendations

Careful Selection of Challenge Questions: We recommend that systems carefully select the pool of challenge questions from which users may select at the time of registration.
o Questions should generally elicit information that cannot be easily researched on the internet and which would not normally be known by anyone other than the registrant.
o Questions should, whenever possible, elicit a simple, single-word (or numeric) answer.

Another Important System Feature:
o The system should check the answers provided at registration for expected variation, to ensure that the same answer cannot be provided to all of the challenge questions.

Challenge Questions Should Be Posed as Part of the Signature Event:
o The challenge question should generally be posed as part of the signature event, not sign-in. If the challenge question is only posed as part of sign-in, then the system should contain a time-out feature that automatically logs users off after 15 minutes (or sooner).
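As an added illustration (not part of the EPA document and not the code of CDX or any approved system), the following Python sketches the 10-5-1 registration and signature-event checks described above: a pool of at least 10 questions, exactly 5 pre-arranged answers, a variation check at registration, and 1 question chosen at random when the PIN/password is applied. The sample question pool, the salted-hash storage of answers, and the stricter rule that every answer must differ are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample pool of 10 questions; the wording is illustrative, not EPA's list.
QUESTION_POOL = [
    "First street you lived on", "Childhood nickname", "Year of first car",
    "Maternal grandmother's first name", "First pet's name", "City of birth",
    "Favorite teacher's surname", "First employer", "Make of first car",
    "Name of first school",
]
MIN_POOL, N_ANSWERED, N_ASKED = 10, 5, 1  # the 10-5-1 minimum described above

def normalize(answer: str) -> str:
    """Single-word or numeric answers compare reliably once case and spacing are fixed."""
    return " ".join(answer.split()).casefold()

def _digest(normalized: str, salt: bytes) -> bytes:
    # Assumption of this example: answers are stored as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)

def register(pool, answers):
    """answers maps a pool index to the registrant's answer; returns the stored record."""
    if len(pool) < MIN_POOL:
        raise ValueError(f"question pool must offer at least {MIN_POOL} choices")
    if len(answers) != N_ANSWERED or not set(answers) <= set(range(len(pool))):
        raise ValueError(f"registrant must answer exactly {N_ANSWERED} pool questions")
    normalized = [normalize(a) for a in answers.values()]
    # Variation check: the page requires that one answer cannot serve every question;
    # this stricter version (an assumption here) rejects blanks and repeated answers.
    if "" in normalized or len(set(normalized)) != len(normalized):
        raise ValueError("answers must be non-blank and differ across questions")
    record = {}
    for qidx, answer in answers.items():
        salt = secrets.token_bytes(16)
        record[qidx] = (salt, _digest(normalize(answer), salt))
    return record

def pose_challenge(record):
    """At the signature event, pick N_ASKED (1) of the 5 registered questions at random."""
    return secrets.choice(sorted(record))

def verify_challenge(record, qidx, answer) -> bool:
    salt, stored = record[qidx]
    return hmac.compare_digest(stored, _digest(normalize(answer), salt))

def apply_signature(record, pin_ok: bool, qidx, answer) -> bool:
    """The PIN/password is applied to the document only when the posed challenge also passes."""
    return bool(pin_ok and verify_challenge(record, qidx, answer))
```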