Last week the Gaurdian in the UK published an article "Al-Qaida gets fake papers as Home Office issues 10,000 passports to fraudsters". The story outlines how an estimated 10,000 passports have been issued last year to fraudsters.
As Bruce Schneier commented on his blog:
"This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren't fake passports; they're real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.
The weak link in identity documents is the issuance procedures, not the documents themselves."
I agree but the challenges in doing effective user registration are only getting more complicated. Let's say that instead of writing in for a passport, I am now required to physically show up. I provide them with a driver's license and birth certificate and undergo a criminal record check. Sounds good doesn't it? Maybe not.
The birth certificate and driver's license may be forged. Okay, too counter this, the government then does an electronic check of the records. This should stop forges right? Maybe not.
In the case of terrorists, they can produce a legitimate birth certificate from another country where the records are poorly kept and/or the officials easily bribable. Armed with this, they can legitimately apply for a driver's license. Thus the security check will approve them, assuming of course they don't have a criminal record.
Then there's else to consider that may sound outlandish at first glance...human clones. We are already cloning other mammals. It is to be expected that human clones will appear on the planet in the near future (i.e. 5-10 years). How then does the registration process deal with this?
I wrote a paper two years ago proposing that a national DNA database be established to register citizens against. Further, the database would include digital fingerprints for genetic twins (since DNA doesn't help in this instance).
I got criticism from people for creating a national database that could be susceptible to abuse. My point is that we already have national databases for births and names. This is merely an update extension of this. My proposal puts the comparison of DNA samples to the national database in the hands of the individual except for court approved cases. This is far more security than the individual has today.
There's a lot to consider when talking about user registration. The existing tokens to verify who you are don't scientifically match to the individual. It's time to reconsider the options. Otherwise, we will continue to issue valid authentication documents (digitally and paper) to people who are not whom they claim to be.