A shared secret is information known only to a business (such as a bank) and a customer. Such shared secrets include passwords, PINs, or questions and answers (for instance, mother’s maiden name or first primary school).
In a protocol sense, all shared secrets are similar and can be used in similar authentication protocols; however, passwords, since they are often committed to memory, are something the claimant knows rather than something the claimant has.
The customer’s selection of a shared secret normally occurs during the initial enrollment process or via an offline ancillary process. Passwords or PIN values can be chosen, questions can be chosen and responses provided, and images may be uploaded or selected.
The security of shared secret processes can be enhanced by requiring periodic change. Shared secrets that never change are described as “static,” and their risk of compromise increases over time. The use of multiple shared secrets also provides increased security, because more than one secret must be known to authenticate.
In the case of electronic signatures based on the use of shared secrets like PINs or passwords, the integrity of the transaction depends on the user not disclosing the shared secret, so an organization should have procedures for encouraging the maintenance of the PIN's integrity. If a defendant is later charged with a crime based on an electronically signed document, he or she would have every incentive to show a lack of control over (or loss of) the private key or PIN, or in the case of a PIN, that the organization failed to protect the PIN on its computer system.
Indeed, if that defendant planned to commit fraud, he or she may intentionally compromise the secrecy of the key or PIN, so that the organization would later have a more difficult time uniquely linking him or her to the electronic transaction. Promulgating policies and procedures that ensure the integrity of security tools helps counter such fraudulent attempts.
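The following is an added example, not text or code from the sources cited on this page. It shows, in Python, how a verifier can apply the two controls described above (periodic change and multiple shared secrets) while protecting the PIN on its own system: only a salted, one-way derived digest of each secret is stored; every enrolled secret must be presented and match; and a secret older than a policy age is reported as “static” so the customer can be required to change it. The policy age (90 days), the PBKDF2 work factor, and the account and secret names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values chosen for this example; they are not from the page.
MAX_SECRET_AGE_SECONDS = 90 * 24 * 3600   # older than this: the secret is "static" and must change
PBKDF2_ITERATIONS = 200_000               # work factor for the one-way derivation


@dataclass
class StoredSecret:
    """What the verifier keeps: a salt, a one-way derived digest and the time of last change.
    The secret itself is never stored, so a compromise of the record does not disclose it."""
    salt: bytes
    digest: bytes
    set_at: float
    normalize: bool   # True for free-text answers ("Smith " and "smith" should match)


def _canonical(secret: str, normalize: bool) -> bytes:
    text = secret.strip().casefold() if normalize else secret
    return text.encode("utf-8")


def _derive(secret: str, salt: bytes, normalize: bool) -> bytes:
    # PBKDF2-HMAC-SHA256: slow, salted, one-way derivation of the presented secret
    return hashlib.pbkdf2_hmac("sha256", _canonical(secret, normalize), salt, PBKDF2_ITERATIONS)


def enroll(secret: str, normalize: bool = False, now: Optional[float] = None) -> StoredSecret:
    """Initial enrollment, or a later periodic change, of one shared secret."""
    salt = os.urandom(16)
    set_at = time.time() if now is None else now
    return StoredSecret(salt, _derive(secret, salt, normalize), set_at, normalize)


@dataclass
class AuthResult:
    ok: bool           # every enrolled secret was presented and matched
    stale: List[str]   # secrets past MAX_SECRET_AGE_SECONDS (reported only on success)


def authenticate(account: Dict[str, StoredSecret], claims: Dict[str, str],
                 now: Optional[float] = None) -> AuthResult:
    """All enrolled secrets must be known: one correct PIN alone is not enough."""
    now = time.time() if now is None else now
    ok = True
    stale: List[str] = []
    for name, stored in account.items():
        presented = claims.get(name, "")   # a missing claim is treated like a wrong answer
        # derive even for missing claims, so timing does not reveal which secret was absent
        candidate = _derive(presented, stored.salt, stored.normalize)
        if not hmac.compare_digest(candidate, stored.digest):
            ok = False
        if now - stored.set_at > MAX_SECRET_AGE_SECONDS:
            stale.append(name)
    return AuthResult(ok, stale if ok else [])


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Constructed walk-through: enroll a PIN and a question answer, then try four logins."""
    t0 = 1_700_000_000.0   # constructed enrollment time
    account = {
        "pin": enroll("4932", now=t0),
        "question:first_school": enroll("Hillside Primary", normalize=True, now=t0),
    }
    good = authenticate(account, {"pin": "4932", "question:first_school": "hillside primary "}, t0 + 60)
    pin_only = authenticate(account, {"pin": "4932"}, t0 + 60)
    wrong_answer = authenticate(account, {"pin": "4932", "question:first_school": "Oak Street"}, t0 + 60)
    after_100_days = authenticate(account, {"pin": "4932", "question:first_school": "Hillside Primary"},
                                  t0 + 100 * 24 * 3600)
    return good.ok, pin_only.ok, wrong_answer.ok, after_100_days.stale


if __name__ == "__main__":
    print(demo())   # expected: (True, False, False, ['pin', 'question:first_school'])
```

The `stale` list is the hook for a periodic-change policy: a successful login with stale secrets would be routed to a change-secret step rather than simply admitted. Returning an empty list on failure keeps a failed attempt from revealing anything about the account's secrets.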
- FFIEC, Authentication in an Internet Banking Environment, App. at 8.
- Office of Management and Budget, Procedures and Guidance; Implementation of the Government Paperwork Elimination Act, 65 Fed. Reg. 25508-21 (May 2, 2000).