Who Goes There? Authentication Through the Lens of Privacy

Abstract

This report explores authentication technologies (including passwords, PKI, biometrics, etc.) and their implications for the privacy of the individuals being authenticated. As authentication becomes ever more ubiquitous, understanding its interplay with privacy is vital. The report examines numerous concepts, including authentication, authorization, identification, privacy, and security. It provides a framework to guide thinking about these issues when deciding whether and how to use authentication in a particular context. The report explains how privacy is affected by system design decisions. It presents steps one can take to mitigate adverse privacy effects of authentication systems. The report also describes government's unique role in authentication and what this means for how government can use authentication with minimal invasions of privacy. In addition, the report outlines usability and security considerations, and it provides a primer on privacy law and policy.