Network and security managers are always having to deal with identification and authentication. In today's column, I'm looking at a dust-up between Europe and the U.S. over how to enforce strong authentication of travelers' identity.  Although the topic is not directly related to our daily work, I think we have contributions to make to the popular and political debates about such issues based on our applicable technical expertise.

Passports in their modern form were introduced in the early 20th century. Until that time, travel documents were issued by national governments for specific voyages through specific regions. "In this way, early passports are more similar to modern visas than to modern passports, whose primary function is to prove the identity and nationality of the holder." ["Passport," from Wikipedia http://en.wikipedia.org/wiki/Passport#History.] Passports have space for visas but are much longer-term documents, usually valid for five years or more.

Today, passports have assumed a central role in preventing the entry of politically undesirable or dangerous people (they are not necessarily the same category) into the U.S. For example, the British activist Yusuf Islam, once widely known as the singer Cat Stevens, was refused entry into the U.S. in September 2004 on nebulous grounds that sparked ridicule and outrage worldwide, as well as among his fans in the U.S.  http://news.bbc.co.uk/2/hi/americas/3678694.stm. 

The most important issue to remember about passports as a security measure is that they bind a real-world identifier to a picture and a document; they tell us nothing in themselves about the bearer of the passport. All the terrorists who flew planes into the World Trade Center towers had passports that got them into the U.S.

Being made of paper and bearing simple photographs, passports have been relatively easy to counterfeit. For example, an article by Philip Shishkin in the Wall Street Journal (Oct. 8, 2001) reported that fake passports were a big business, with prices for forged U.S. passports ranging from $2,000 to $12,000.

To help make forgery more difficult and identification of fraudulent holders of passports easier, the U.S. Department of State has mandated that passports used to enter the U.S. be equipped with machine-readable biometric information. U.S. passports issued after October 2005 will also be so equipped.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.