The Met's idea of Authentication
Let me first just show you the tweet from the Met Police about their solution to plain-clothes officer authentication following the killing of Sarah Everard by a Met police officer.
Any lone, plain clothed police officer who engages with a woman on her own will now verify their identity through a new process.
— Metropolitan Police (@metpoliceuk) October 20, 2021
We know we need to regain women’s trust.
We fully accept the onus is on us to verify we are who we say we are & that we are acting appropriately.
Let's not take anything away from the reason this is needed in the first place: a horrific crime against a lone woman by someone in a position of power within one of the world's most well-known police forces. But the presented solution from the Met seems just a little odd. Let's take a look at what they are proposing...
Allowing women who are stopped by a plain-clothes police officer to ask for verification that the person standing in front of them is indeed a serving police officer who is lawfully allowed to stop them. They would do this authentication using the police officer's mobile phone, video calling into the control room for a uniformed officer to confirm things.
But what are the issues with that?
a) why is this option only open to women? There are many other people who could benefit from such an authentication solution, and not just for protecting against kidnapping - it should be open to anyone wishing to authenticate the plain clothed officer.
b) the officer in question uses their own phone to video call the "control room", where a uniformed officer is supposed to corroborate that the officer is acting lawfully.
b1) why should the person involved trust this uniformed officer? It could literally be someone dressed up as a police officer.
b2) how are these video calls going to take place? WhatsApp? MS Teams?
b3) How are these video calls going to get prioritised so they don't go unanswered?
c) The officer is in control of this situation; not the person who wants to check authenticity.
d) 2FA requires us to prove multiple things to known entities; a video call over an unknown medium to an unknown user on the other end leads to a lack of trust in the "solution".
So what can we do instead?
Ultimately I believe this to be a simple problem to solve using existing technology available to all of the Police forces across the UK - standard 2FA practices.
It all starts with the person who's been stopped being able to call a number outside of the control of the police officer standing in front of them - maybe a new 3-digit code like we have for 999, 101, 111 and 119. This would be done from the person's phone - they're in control of the call, which removes any suspicion around whether the call is legitimate or not. This would be answered by an automated system asking for the Officer's warrant card number - these are unique; every officer has one. If the phone system didn't understand or couldn't find the warrant card number then the call would get redirected over to the police 999 centre automatically.
If the warrant card number was found then this automated phone system would go and interrogate the relevant systems to find out if the Officer was on duty or not - could there be other checks done here? I don't know... but this would be a good starting point. If they were on duty an automated phone call would get initiated to their registered phone number (the Met are using phones for their solution so officers must all have one?).
The Officer would then answer their phone and be asked for an auth code - having a static auth code would be a bad idea - everyone can be socially engineered and private details stolen along with their mobile phone in order to impersonate a police officer. Instead why not make use of TOTP auth codes from authenticator apps - the Police must already be using some form of this for accessing internal systems.
So the Police Officer has an active call from the automated system, puts in their auth code from a TOTP app, and a message is played back to the person making the original call: the officer is indeed an active, on-duty police officer. If the wrong code was entered, again the call would be transferred over to the police 999 centre.
What if the officer is off duty?
This is the scenario Sarah Everard found herself in. The officer involved was off duty - although she didn't know that. What would happen here?
If the system came back and said the officer was off duty then the call would again immediately be transferred to the police 999 centre to be dealt with. If a call disconnected from this line without getting to the end with a successful auth then this would get reported to the police also and of course the whole call would be recorded to be used later if necessary.
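The whole flow above (warrant number lookup, on-duty check, TOTP challenge to the officer's registered phone, and a 999 transfer on every failure path) as an added worked example; this is my own illustration, not anything the Met or any police force runs. The officer registry, phone numbers and TOTP secrets are constructed test values, and the "ring the officer" step is modelled as a callback that returns the code they enter.

```python
import hmac, hashlib, struct

# Constructed sample registry: warrant card number -> officer record.
# Secrets and phone numbers are made-up test values, not real enrolment data.
OFFICERS = {
    "WC12345": {"phone": "+44700000001", "on_duty": True,  "totp_secret": b"officer-one-test-secret"},
    "WC67890": {"phone": "+44700000002", "on_duty": False, "totp_secret": b"officer-two-test-secret"},
}
STEP = 30  # TOTP time step in seconds, as authenticator apps use

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme standard authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_officer(warrant_number, ring_officer, now, registry=OFFICERS):
    """Simulates the automated line the stopped person calls.

    ring_officer(phone) models the outbound call to the officer's registered
    phone and returns the code they key in. Returns ("VERIFIED", phone) or
    ("TRANSFER_999", reason); every failure path ends at the 999 centre and the
    officer's own handset never decides the outcome.
    """
    record = registry.get(warrant_number)
    if record is None:
        return ("TRANSFER_999", "unknown warrant number")
    if not record["on_duty"]:
        # The off-duty case from the post: hand straight over to 999, no callback.
        return ("TRANSFER_999", "officer off duty")
    entered = ring_officer(record["phone"])
    # Accept the current step and one either side to absorb clock drift.
    for drift in (-1, 0, 1):
        expected = totp(record["totp_secret"], now + drift * STEP)
        if hmac.compare_digest(expected, entered):
            return ("VERIFIED", record["phone"])
    return ("TRANSFER_999", "wrong auth code")
```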
The process is a simple one and ultimately could be implemented extremely quickly - there would be some setup: making a TOTP code available on officers' phones and linking every officer with a phone number. And what would happen if the officer had zero phone signal? Well, then the Met's idea wouldn't work either.
Ultimately relying on video calls to an unknown entity using goodness knows what service is a terrible terrible idea.
Trusted 2FA is a mixture of:
- Something you know -- such as a password or pin number
- Something you have -- such as a phone, token or other digital device
- Something you are -- something unique to your physical being -- biometrics -- like a fingerprint, palm print, retina scan, or your GPS location (to verify you are logging in from the correct area)
We probably can't do the last one... but the mixture of the warrant card number and an auth code either from an app or hardware token seems like a sensible route to take. Using Open Source VoIP projects such as Asterisk or Drachtio would make implementing this something that could be done very quickly - I imagine the "is the officer on duty" check would actually take longer to implement.
Side note: I thought calls to 999 automatically shared your GPS data with operators but it seems that's only the case on Android and not on iOS and so GPS data couldn't be used in being able to send a response team in those failure scenarios. Maybe part of the initial call setup would ask for a street name etc. If the officer involved was indeed not acting lawfully then would they even allow the person to get this far into the authentication process anyway? Unlikely?
Is something better than nothing?
I get that the police are trying to build back confidence and so need to present a solution in order to be able to do that. But is something better than nothing in this case? I'm really not sure. There is just too little control given to the person being stopped by the police and all of the control given to the officer involved - no change to the scenario Sarah Everard found herself in unfortunately.