Passwordless Voter Authentication

The death of passwords as a means of authenticating an identity and accessing a computer system has been predicted for years. Those predictions have not proven prophetic, though: the most popular way to prove one’s identity is still to couple an identity with a password. Today, however, Skypunch moves a little closer to a world without passwords by implementing a passwordless authentication model for voters accessing the ballot.

Why the change?

Simple: it’s more secure. By neither storing nor delivering passwords, a lot of the concerns around them simply vanish. When passwords don’t exist, there is no chance they could fall into the wrong hands, no concern about distributing them to voters as unhashed strings, and no need to set up a model in which they are stored as hashed strings against the unlikely event that the store is exposed.

Secondly, the model by which a voter now accesses the ballot imitates the one specified by the Open Web Application Security Project (OWASP) as recommended best practice for resetting a password. We are of course not resetting passwords, so the model is modified to let an identity access a ballot rather than reset a password, but verifying an identity is what we’re most interested in here.

How does it work?

  1. Either Skypunch or the client may email voters at the start of an election as has always been the case. That email contains a link directing voters to the ballot access page.
  2. At this page the voter submits their email address to request a ballot access link delivered by email. This link is essentially a magic link which you may learn more about at The beginner’s guide to magic links.
  3. Once that email is received, the voter clicks the link and is logged into the ballot. The link expires ten minutes after it is issued, so should it expire before the voter accesses the ballot, the voter may request a new link and try again.
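The three steps above describe a standard magic-link flow. The following Python is an added example of how such a flow is typically implemented on the server side; it is not Skypunch’s code and does not describe their system. It assumes a hypothetical in-memory store and a placeholder URL (`vote.example.test`), and it shows the properties a defender cares about: the link token is random and only its hash is stored, the link is single use, it expires ten minutes after issue, requesting a new link retires the old one, and the request form gives the same reply whether or not the address is on the voter roll so it cannot be used to enumerate voters.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 10 * 60  # the post states links expire ten minutes after issue
BASE_URL = "https://vote.example.test/ballot"  # placeholder, not a real Skypunch URL
GENERIC_REPLY = "If that address is on the voter roll, a ballot access link has been sent."


@dataclass
class LinkRecord:
    token_hash: str   # SHA-256 of the token; the raw token is never stored
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, time-limited ballot access links (hypothetical)."""

    def __init__(self, voter_roll: set, clock=time.time):
        self._roll = {e.lower() for e in voter_roll}
        self._clock = clock                     # injectable so expiry can be tested
        self._store: dict = {}                  # token hash -> LinkRecord
        self.outbox: list = []                  # (email, url) pairs; stands in for the mail sender

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_link(self, email: str) -> str:
        """Step 2: the voter submits an address. The reply is identical whether or
        not the address is on the roll, so the form does not reveal who is registered."""
        email = email.strip().lower()
        if email in self._roll:
            # Any earlier outstanding link for this voter is retired when a new one is issued.
            for rec in self._store.values():
                if rec.email == email:
                    rec.used = True
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
            token_hash = self._hash(token)
            self._store[token_hash] = LinkRecord(
                token_hash, email, self._clock() + LINK_TTL_SECONDS)
            self.outbox.append((email, f"{BASE_URL}?token={token}"))
        return GENERIC_REPLY

    def redeem(self, token: str) -> Optional[str]:
        """Step 3: the voter follows the link. Returns the authenticated email, or
        None when the token is unknown, already used, or older than ten minutes."""
        rec = self._store.get(self._hash(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True                         # a link logs a voter in exactly once
        return rec.email


def token_from_url(url: str) -> str:
    """Pull the token query parameter out of a ballot access link."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService({"voter@example.test"})  # constructed one-entry voter roll
    print(svc.request_link("voter@example.test"))
    _, link = svc.outbox[-1]
    print("redeemed as:", svc.redeem(token_from_url(link)))
    print("second use:", svc.redeem(token_from_url(link)))
```

Storing only the hash means a copied database table is not a copied set of working links, and marking a record used before returning the email closes the window in which the same link could log in twice. In a real deployment the store would be shared across web nodes and the clock would be the server’s, but the checks in `redeem` are the ones that matter.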

For private sector elections, that’s all there is to it. For public sector elections, after clicking the ballot access link, there is a second authentication factor that must be presented in order to fully verify an identity and be granted access to the ballot.

For security reasons, and to protect trade secrets, not a lot will be disclosed here about how this works, but from a high-level cybersecurity perspective it satisfies some important criteria:

  1. It utilizes time-based authentication tokens.
  2. When using MFA for public sector elections, it relies on an identity being verified with the combination of something you know and something you have, and possibly even something you are.
  3. The something-you-have factor is delivered through an out-of-band channel. Again, this applies only when MFA is used in a public sector election.

In summary, this is a very sound model that even surpasses what is now in use for early voting by paper in many parts of the United States, all without imposing any undue burden on voters.