In the sometimes confusing world of identity in the digital age, should it really be that confusing?
Identity is a popular topic these days. We hear about identity theft, breaches, stolen credentials, self-sovereign identity, the end of privacy and on and on. Hardly a day goes by that we do not see the latest security debacle. The world has gone from billions and billions served to billions and billions of personal records stolen.
Yet identity is variously described as the root of trust, the key to security, the cornerstone of internet transactions etc. Why then is everything such a mess? While I am sure there will be many tomes written over the next several years describing all the ways things have gone wrong, I would also propose that at least some of the confusion and the subsequent headlines have resulted from a small number of missteps and misunderstandings. Two areas are the simple definition of identity and the mishandling of identity information.
Start with the definition of identity. In a legal sense identity is the condition of being a certain person. It is implied that identity is unique in the sense that there are no two individuals that have the same identity. We characterize individual identity by the set of characteristics by which a person is definitively recognizable or known. Seems simple, just check a person’s DNA and we’re done, everyone can be definitively identified, except of course in the case of identical twins. So in a legal sense, there is also the addition of assigned identity, one that is generally assigned at birth and that is unique even for identical twins.
So a concise definition might be: identity is the set of characteristics by which a person is definitively recognizable or known, combined with a government-assigned unique identifier. In fact this government-defined unique identifier becomes the thread of identity that follows a person throughout their life. It is captured in government documents like drivers’ licenses and passports. People also receive other uniquely identifying characteristics like social security numbers or national IDs.
This all seems pretty logical and could be used exclusively to identify individuals. This assumes of course that identifying documents can be verified and correlated. Simply create an internet equivalent and it should all work pretty well. Yet it does not.
The reality is that when the creators of the Internet were setting things up, the ability to verify documents and other correlating information was not really feasible. So they took shortcuts, they decided (at least temporarily or so they told themselves) that they would use a proxy for identity, the much abused and abuse-able user ID and password. For many years and to this day identity is most often equated to a user ID and password. This is hardly a set of characteristics by which a person is definitively recognizable or known. In fact this is not identity, but credentials which are used to prove someone has a certain identity. The unfortunate implication is that anyone who has those credentials (often stolen or even just hacked) can then pose as the person to whom they are assigned. From here it just gets messier and messier.
It is time to take a step back and create a system of identity that is both tailored to the Internet and rooted in the real world. This inherently requires an understanding that identity is not a user ID and a password, it is not an authentication or an authorization, it is a system that comprises all of these to create an identity system, in fact an identity network. This requires a minimum of 4 operational elements:
- A system of verified and verifiable identity
- A set of immutable credentials (for authentication)
- A trustworthy authorization system
- A secure and privacy preserving network
Verified and verifiable identity goes back to the unique characteristics and the unique identifier that a person gets at birth (or soon thereafter). It requires a trusted single source of truth. This has existed for many decades in the hands of the government. It has been used for passports, driver’s licenses and work credentials. Our entire legal framework is built on it. It is transitive in the sense that it passes from one document to another, from a birth certificate to a driver’s license to a passport. Any credentials or value assigned on the Internet must be rooted in this verified identity. For example an online bank account cannot legally be given access without this verified identity.
Immutable credentials are anything but a user ID and password that can be easily copied or hacked, and they cannot be assigned without verifying an identity in the first place. Biometrics are certainly something that is difficult to steal or hack. As security requirements or transaction value go up, some combination of biometrics is even better. Imagine in the extreme case combining voice, facial, fingerprint and behavioral biometrics as necessary. Assigned to a verified identity, the chain of security is unbroken.
Once authenticated, a well-managed and secure authorization system can then be driven by the uses afforded that particular identity. Imagine in an enterprise the different levels and systems an employee or customer is entitled to use, the ability to add or remove scope and even the ability to shut off access completely. Fortunately, these particular systems are well developed and deployed today. The concepts of single sign on and fine grained authorization are widely utilized. Immutable credentials are still lacking though.
Finally we need to put the mishmash of security paradigms and questionable transport and storage of sensitive information behind us. It is time for a need-to-know approach to dealing with sensitive data. The growth of data lakes is astounding. Enterprises are more likely to duplicate data than protect it in one place. “Data is the new oil” is a popular refrain. Enterprises collect data for “marketing” advantage. We have all heard it said that if you are not paying for a product it is because you are the product. The results speak for themselves and the rebellion has begun. Governments around the world are introducing new privacy laws and heavily fining those who abuse this information. We have a long way to go but the road is clear.
On the enterprise side, compliance is becoming a real issue in terms of cost and certification. Alternatives to gathering sensitive data are becoming attractive. The simplest example is PCI compliance focused on protecting customer credit card information. In a real sense credit card information has become toxic. It does not have to be that way. An enterprise does not need credit card data to collect a credit card payment, only the payment processor does. The enterprise needs only a transaction number/payment authorization.
A different network paradigm is possible, one built on zero-knowledge proofs. The handling of identity and other sensitive information is inherently protected. Information is shared only on a need-to-know basis. The credit card information above is just one example. Proof of identity can be shared without the source data itself. Proving I am over 21 does not require sharing a birthdate, for example.
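The over-21 case above, as an added example that is not part of the original article: it uses salted-hash selective disclosure rather than a true zero-knowledge proof, and an HMAC stands in for the issuer's digital signature. All names (`issue`, `present`, `verify`, `ISSUER_KEY`) and the sample dates are hypothetical.

```python
import hashlib, hmac, json, secrets
from datetime import date

# Constructed key. Assumption: HMAC stands in for the issuer's signature; a real
# issuer signs with a private key and the verifier holds only the public key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(birthdate, today):
    """Issuer, having verified the documents, signs salted digests of the claims."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    age = today.year - birthdate.year - (0 if had_birthday else 1)
    claims = {"birthdate": birthdate.isoformat(), "age_over_21": age >= 21}
    # One random salt per claim so a hidden value cannot be guessed from its digest.
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(_digest(*d) for d in disclosures.values())
    return {"digests": digests, "tag": _tag(digests)}, disclosures

def present(credential, disclosures, names):
    """Holder reveals only the named claims; the rest stay as opaque digests."""
    return {"credential": credential, "revealed": [disclosures[n] for n in names]}

def verify(presentation):
    """Verifier returns the proven claims, or None if anything fails to check."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_tag(cred["digests"]), cred["tag"]):
        return None
    proven = {}
    for salt, name, value in presentation["revealed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None
        proven[name] = value
    return proven

if __name__ == "__main__":
    cred, disc = issue(date(1990, 5, 17), date(2024, 1, 1))  # constructed sample
    print(verify(present(cred, disc, ["age_over_21"])))
```

The verifier learns the issuer-backed yes/no answer and nothing else; binding the presentation to the holder (so a copied credential cannot be replayed) is outside this sketch.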
The time for understanding identity and the secure and proper management of identity information has come. Advanced technology has made biometrics feasible. Verification of identity documents and trustworthy assignment of credentials is now a practical reality.