Identity has a problem!
Not just that we are unable to make digital identity work properly without loads of compromise; no, it’s the fact that IT architects, security professionals and (dare I say it) even many claimed identity specialists do not understand what identity is, misusing the term and even getting the wider aspects of identity fundamentally wrong.
Without properly understanding identity, its facets and nuances, it will be impossible to develop a frictionless global identity ecosystem, or leverage identity for cloud, zero-trust, collaboration, encryption and proof of age, or other essential attributes.
Warning: this is intended to be a nine-part blog looking at and expanding on what identity is, starting with this blog!
Part One - Identity fundamentals, or “what is identity?”
Strictly, Entities have Identity (but that’s going to be part 2!), so first, let's start with people, as that’s what you and I best relate to:
“I am me” - I am a unique entity, we call this Sameness; I was the same entity yesterday, am today and will be tomorrow.
As a unique person I have multiple “facets” of my overall identity, some of which I care to share and some I may never share with anyone, all maintained personally by myself. Some attributes we just know (for example family relationships), and for some we maintain “pointers”: references to the authoritative source, such as the assertion that I’m a British Citizen because my passport says so (and is authoritative for this assertion). We refer to this as the “core identity”, all the attributes that make up me as a person.
Those “facets” of my overall identity consist of attributes. Some, like my height, the colour of my eyes and a rough approximation of my age, I am unable to keep private if you meet me in real life; others, such as sexual persuasion, the football team I support, my favourite colour, my family etc., I may choose to share with you depending on my perceived sensitivity of the attribute, how much I trust you, and your need for that information to process our relationship. In effect, I perform a risk-assessment, based on my personal risk-appetite.
In reality, we have sets of attributes that pertain to a particular aspect of our lives, and we call these personas - a group of related attributes that define us in a particular context. Examples would be:
My citizen persona: (in my case as a UK citizen, what is on my state-issued birth certificate) date of birth and place of birth, both of which are immutable; and name at birth, sex-at-birth and right to British citizenship, all of which could change.
My family persona: parents, partner, children, aunts, uncles etc.
You get the idea; and in reality each of us as humans operates with hundreds, if not thousands, of personas, and we assert attributes from multiple disparate personas as required for our day-to-day lives and our interactions with other entities.
What normal humans glibly call “Identity” actually consists of three distinct components.
“Authentication”; the “how do I uniquely prove that I am the same person that you previously met”
“Sameness”; the “I am me, and always will be” part that contains personas and attributes
“Personas & Attributes”; the parts of my core identity that I decide to share
Authentication is key to interacting with other entities; in real life humans, due to millions of years of evolution, do authentication using faces - in fact we are so good at it that if you meet someone you have not met for ten years there is a good chance you will remember who they are.
Faces are so key to human life that phrases pertaining to this interaction are embedded in our language; “it’s nice to finally see you”, “they are two-faced”, “put on a brave face” or even “put your cards face up”.
When we see someone, we assign the attributes they share (consciously or unconsciously) against an (internalised) unique identifier of their face. In other words, Authentication (by whatever method, and however tenuous) is the key to Sameness.
This is why your driving licence or passport has your face on it; to link the person to the attributes contained on that document with a degree of confidence.
The level to which a person is bound to the authentication is known as the level of Immutable Linkage (or Immutable Binding), and it's important to understand this level as part of your risk-calculation: with what degree of certainty is the actual person linked to the identifier? I look enough like my brother that if you have not seen us for ten years it’s not unusual for friends of my parents to get us wrong when they meet just one of us (but not, I suspect, if they met both of us together).
However, the problems start when we cannot interact “face-to-face”, and for many thousands of years civilization has grappled with this problem, accepting a set of compromises, usually based on the bearer holding a set of documents to which some degree of provenance can be given - read the history of the passport!
So, in summary, we as people can derive a model for how identity works in real life. But, as people ourselves, we are fixated on how to extrapolate this to the wider, non-face-to-face world, which is why we are in the current mess with digital identity.
So in Part 2, we will examine why the identity of people is just a small part of the overall identity picture.