Yesterday I wrote a short introduction article on Identity Management in order to make an important point. Most IT security consultants like myself come from an 'offline' world, and the 'online' world is the disruptive factor in our lives that makes us think about things like identity theft. Therefore, the online world is something to put under a microscope to check whether it somehow threatens our identity.
A different look at this altogether is to treat the online world as a mere extension of the world, and our electronic sharing of information about ourselves, our photographs and our opinions as identity attributes, instead of considering it as leaking information that could facilitate identity theft. As the saying goes:
You get what you ask for.
From life experience I have come to believe that this saying holds a lot of truth. If we treat the online sharing of our personal data as a threat, chances are it will indeed start to behave as a threat; something which, as a security consultant, I would like to prevent from happening. Sadly, the theft of online assets such as bandwidth and CPU power, but also of more tangible things like hardware, bank account numbers, credit card numbers and complete identities, is already a reality larger than life, and it is growing very rapidly.
So should we try to teach people, with increasing intensity, that they need to be more careful about leaking their personal information? Should we try to enforce even more rigid defenses, firewalls and bastions to defend the perimeters?
I believe it is time to use an entirely different paradigm: that of embracing the online attributes of our identity and making them part of our identity. As we saw in yesterday's article, from the Merriam-Webster definition and from my own rewritten definition, the uniqueness of our identity depends on the unique combination of all our character attributes. More attributes means more possible combinations and therefore a bigger differentiation to prevent identity confusion. While mathematically this statement contains a fallacy, it should intuitively make sense to most people.
Authentication by Identity
Without always being aware of it, we frequently use our identity to authenticate ourselves. When we forget the electronic access badge that gets us into the office, we can often simply go to the entrance, identify ourselves using a passport or driver's license, and gain authorization to enter and move through the office. In this particular case the passport or driver's license serves as a credential to validate our identity, but it is also an attribute of our identity, so here we see a dual use: proving who you are, or simply being who you are.
A fundamental way in security to authenticate yourself to get authorization to some resource is to combine:
- Something that you know and
- Something that you have
An example of this is an ATM: you have an ATM card, which you prove by inserting it into the machine, and you know your PIN code. The process of inserting the card and entering the code is an authentication method which gains you authorization to take a certain amount of money out of the machine. Frequently you can still simply walk into the bank office and show your passport, or, in case you live in a small village where you visit the bank frequently, simply show your face, to use your identity (or parts of it) to get money out of the bank. In the case where you use a passport, the bank employee will do several checks, for example:
- Check whether your picture ID looks like you
- Ask you for your date of birth while holding your passport in their hand
- Verify whether the passport has some attributes that make it look ‘real enough’
- Simply accept the fact that you have a passport, as it is still widely treated as a trustworthy document.
Of course many more practical tests could be thought of, but in their essence they also combine into 'things you know' (e.g. your birthday) and 'things you have' (the passport itself); where the employee simply recognises your face, a third factor, 'something you are', is in play as well.
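The ATM case above is a two-factor check: possession of the card and knowledge of the PIN. The same structure is what software does when it combines a password (something you know) with a one-time code generated on a device the user holds (something you have). The following is an added example, not code from the original article; it implements the general form of that combination rather than an ATM specifically. The password is stored as a salted PBKDF2 hash, the possession factor is a TOTP code (RFC 6238, HMAC-SHA1, 30-second step) derived from a shared secret, and the login routine evaluates both factors before deciding so that a wrong password does not short-circuit and reveal, through timing, which factor failed. The user record layout, the `enroll`/`authenticate` names and the demo secret are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed demo values for this example only; not real credentials.
# The TOTP secret is the RFC 6238 test secret, so the codes below are checkable.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = b"12345678901234567890"
TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000):
    """Salted PBKDF2-HMAC-SHA256 of the 'something you know' factor."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step counter."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1,
                step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + drift * step, step, digits), code):
            ok = True
    return ok


def enroll(password: str, totp_secret: bytes) -> dict:
    """Build the stored record for a user: password hash plus shared device secret.
    (Record layout is an assumption of this example.)"""
    salt, iterations, digest = hash_password(password)
    return {"salt": salt, "iterations": iterations, "digest": digest,
            "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str, now: int) -> bool:
    """Two-factor check: 'something you know' AND 'something you have'.

    Both factors are evaluated unconditionally; only the combined result is
    returned, so a caller (or a timing observer) cannot tell which one failed.
    """
    know_ok = verify_password(password, record["salt"], record["iterations"],
                              record["digest"])
    have_ok = verify_totp(record["totp_secret"], code, now)
    return know_ok and have_ok


if __name__ == "__main__":
    record = enroll(DEMO_PASSWORD, DEMO_TOTP_SECRET)
    t = 59  # RFC 6238 test time; expected 6-digit code is 287082
    print("code at t=59:", totp(DEMO_TOTP_SECRET, t))
    print("both factors:", authenticate(record, DEMO_PASSWORD, totp(DEMO_TOTP_SECRET, t), t))
    print("wrong PIN:   ", authenticate(record, DEMO_PASSWORD, "000000", t))
    print("wrong pass:  ", authenticate(record, "guess", totp(DEMO_TOTP_SECRET, t), t))
```

Note the parallel with the bank counter: the passport and the TOTP device are both 'something you have', and the bank employee's date-of-birth question and the password are both 'something you know'. What the code adds is the discipline a human clerk applies informally: each check is performed every time, and the only answer given out is yes or no.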
So what we see here is that certain attributes of our identity can be used as an alternative to the way the IT industry most frequently authenticates people to resources. We use attributes of our identity as a 'key' to open different locks in the 'offline' world, just like we use our username and password to log in to Facebook.
Identity as a Vault
While we frequently do not even think twice about showing our passport to a bank employee in order to authenticate ourselves, most people get slightly suspicious (and rightfully so) when the bank employee needs to make a copy of the passport. Without the copy, we rely on the bank employee's visual memory, the small chance that the employee will remember every detail of the passport at one glance, and the limited ways of reproducing what is in the employee's head into a new passport, to limit the employee's ability to steal this attribute of our identity.
Likewise, we probably would not tolerate a full DNA scan every time we wish to enter YouTube, not even if 'it's easy and quick' or 'somebody promised in their disclaimer to throw the information away after authenticating us'. Our DNA is considered by most to be more valuable than our passport, which in turn is more valuable than our hair color or our eye color.
So while some of our identity attributes are very visible in a specific context and others remain hidden, and while some of our identity attributes are considered more valuable than others, all of these identity attributes together form our unique identity, which gets served out of our own identity vault as needed to form a temporary key to authenticate ourselves.
An interesting possibility to authenticate ourselves would be to prove our identity in the offline world using aspects of our online identity to do so.