Identity management - Essential Guide

Ian Grant

Monday 18 August 2008 10:59

Aspects of identity management

On 5 July 1993 The New Yorker published a cartoon that summed up the problem of identity management in the networked world. It showed a dog, seated at a computer terminal, saying to another dog, "on the internet, nobody knows you're a dog."

Technology advances have enabled about a quarter of the world's population to connect to the global telecommunications system from a variety of devices. These include fixed and mobile telephones, laptop PCs and even mainframe computers, provided they can get a line. In the not-too-distant future, millions, even billions, of machines will talk directly to other machines over the global networks. This makes it increasingly important to understand who (or what) one is addressing in an online communication.

This is important to ensure the content of messages is mutually intelligible. However, the value of the communication varies according to the content, the sender and the receiver. That is why identity management - in other words, knowing precisely who you are dealing with - is high on the agenda for governments, businesses and individuals.

Late last year the UK Information Commissioner published a study of the latest thinking on identity management and privacy.

Here's what the European Commission is doing about giving citizens an electronic identity.

1. Tension between authorities and individuals

It used to be easy to know who someone is. You knew their parents, they went to the same school, or lived in the same town or worked for the same employer as you. In fact, until 1800 most Britons lived and died within 10 kilometres of where they were born. Authentication was easy - everyone knew you, and you knew everyone. Cheap travel and the internet changed that. Your FaceBook entry probably includes friends on a number of continents. Although you know more people, you probably socialise with a lot fewer, and trust a mere handful. Even then, the trusted friends are more than likely blood relations.

Authorities such as governments, the receiver of revenue, employers, schools, the NHS and even your local shop have the same problem. Each has a slightly different relationship with an individual. That relationship is defined by what they need to know about you for them to do the job you need from them. They risk not meeting your expectations of service if they know too little about you, or of wasting their resources on others who don't have your rights.

Authorities generally believe the more they know about you, the better they can serve you. This sentiment has often been perverted: think of the Gestapo or the Stasi or the FBI's project to watch musician John Lennon, for example. More recently, authorities in the UK have used powers meant to catch terrorists to hunt minor law-breakers such as fly-tippers and benefit cheats.

Because of this, many civil liberties activists and some politicians believe there is a limit to what the authorities need to know about you, and for how long they should keep that information.

This is not the right forum for a full debate, but it is mentioned it purely to raise awareness because defining who knows what and when about an individual is crucial to proper identity management.

2. Privacy versus security

Privacy is a social and cultural construct. In the west, it is most simply defined as the right to be let alone, to conduct one's affairs without the rest of the world knowing about them, provided they are lawful.

But as societies grow more heterogeneous in race, in religious belief, in cultural mix, the authorities worry that not everyone shares the same values, or behaves the same. Their trust in their citizens, which may never have been high, diminishes. They believe they should know more about everyone and how they live so that they can head off potential conflicts or unacceptable behaviour. Obviously, this may be at odds with the right to be let alone.

3. Credentials

Credentials are documents or other things that will convince a third party you are who you say you are, and entitled to the privileges associated with that identity. Common credentials are uniforms, letters of introduction, passports, drivers' licences, and identity cards.

Because many of these are easy to fake, most organisations ask for at least two different credentials. This makes it harder and more expensive for someone to impersonate you and use your privileges.

Increasingly in the real and online worlds organisations are asking for three credentials. This is known as three-factor authentication. Typically this means they ask for something you know, something you have, and something you are. Respective examples would be a password, an identity card and a fingerprint or retinal scan.

However, for credentials to work, both the individual and the authority to which the individual presents the credentials must trust the process that links the individual to the credential. It is impractical for everyone to audit the processes by which an individual acquires a credential. Therefore it is more desirable for an impartial body to accept liability for issuing the credential, and hence to receive payment for taking on that responsibility.

4. Authentication

Authentication is the process whereby the authority decides whether the presented credentials are genuine. This generally means the credentials must match a pattern the authority expects to see. Obviously, when the system uses multifactor authentication, all the factors must correspond to the expected pattern.

This may be a problem when, for example, a person's fingerprints are blurred from usage or delicacy of skin, or when a voice changes due to a cold or inebriation, or a person forgets their password. This may require the authority to decide, on a balance of probabilities, whether the person is genuine, or whether to ask for more credentials - which must still match the expected pattern.

5. Provisioning

Provisioning is the process whereby (usually) an authority links privileges to a credential. For example, having satisfied itself the passport and utility and mobile telephone bill you showed them are genuine and that they belong to you, a bank will open an account in your name. Or, the human resources department receives your signed contract to accept their offer of work and notifies the IT department of your starting date, role and desk.

The IT department then makes sure your personal computer, laptop, telephone, mobile and USB dongle are all working properly and ready to use. They also set up your username, password, and other credentials that identify you to the company's information systems, and link them to the data that you are entitled to see and use, subject to company policies.

Of course, things don't stay the same. Thus it is vital to have a process to reflect those changes in the credentials and privileges to which an individual is entitled. For example, it is crucial to maintain security to revoke the crednetials and privileges of people who leave the company. This process is called the Identity Management Lifecycle.

6. National ID cards and Real ID

Many if not most countries issue national identity cards that citizens use as a credential to access government and commercial services. The UK and the US are among the few exceptions. Instead they have relied on alternative credentials such as drivers' licences, letters of introduction or authentication from trusted members of the community, social security numbers and passports.

However, governments in both countries are now keen to introduce a national ID card. This has been a controversial decision in both countries. Civil rights groups have argued that the costs and the threats to privacy and the traditional way of life are not matched by the claimed benefits from a lower risk of crime or improved national security. Those responsible for law enforcement and national security argue the opposite.

In the UK, the Home Office's Identity & Passport Service is responsible for the National Identity Register. The US Department of Homeland Security is responsbile for Real ID. Germany has an ID management lifecycle model, which touches on a number of areas of public life including healthcare, immigration and the police.

7. IDN research

Because trust is so important to the proper functioning of society, governments and the computer security industry are spending millions to find ways that provide all parties, individuals, authorities and machines, with a reliable way to authenticate themselves, but without infringing accepted bounds of privacy and autonomy, and without the individual having to acquire a different credential for every authority and privilege.

As a result, a main research interest is to find a so-called "federated identity". This is a (very limited, ideally one) set of credentials that identify an individual uniquely, but which can be used widely to use the authorised privileges from many different authorities, even in different countries.

8. Where we are now

Advances in information and communications technology have changed the way we live, and most authorities (and their policies and laws) are battling to keep up. Some believe they are silly to try. Far better, they say, to protect the privileges they dispense by setting a bar and letting individuals self-select their means of matching the criteria of the bar. Thus access to secret or risky material would have a high bar associated with it. Those who want or need such access voluntarily submit to whatever authentication procedures the authority deems appropriate, and acquire the appropriate credentials.

It is possible to set up one or more authenticating agents separate from the authority, provided they can convince the authority they are trustworthy. This would enable them to give an individual as many credentials he or she needs for different authorities. Any one authority need not necessarily know the individual deals with any other authority.

9. Industry associations involved with identity management