Identity management has become a key issue in information security. Governments and businesses are using identity management systems to provide and control access to places and services such as bank accounts, buildings and computer applications.
Identity theft is increasing. With it, the risk intensifies that not only data but an individual's privacy and reputation might be compromised. This growing need for data security is one of the driving forces behind the Data Protection Act.
An individual's identity arises in two ways: biologically and socially. Biometric identity relates to things we inherit from our parents, such as DNA, fingerprints and retina patterns. The chances of duplicate patterns occurring are tiny. So, individually or in combination, these patterns determine our identity with a very high degree of certainty.
This makes digitised biometric identity management interesting to state agencies such as immigration, the police, the National Health Service, and others that need to determine an individual's identity accurately and quickly.
We also have a wide range of social identities. These arise from our interaction with others.
Identity management - liability
Creating a social identity requires an authority to accept liability for certifying that the person concerned is in fact the individual they say they are. That requires a verifiable audit trail.
For instance, parents register the birth of a child and medical records should confirm the mother's pregnancy and the child's birth. But only a match of the baby's DNA with that of both its parents will prove to a court a child's identity and who his or her parents are.
Developments in identity management have led governments to seek to join together an individual's social and biometric identities. The aim is to provide greater certainty about the authenticity of an identity. This lies behind the UK government's controversial intention to introduce biometric-based identity cards for all UK citizens.
Identity management - limiting access
In the workplace, companies are increasingly using a person's role plus their identity to grant access to the firm's information systems, while limiting that access to only the systems the individual needs.
In the past, access to information depended on a physical device, such as a magnetic card, or a logical key, such as a password. This is known as single factor authentication. Increasingly, firms are using two, three or even four factors, or credentials, to authenticate the user's identity and allow access.
There is a vibrant industry devoted to identity authentication and access technologies, such as fingerprint readers, retina scanners, palm readers and the like. There is an equally vibrant criminal fraternity devoted to finding ways around such systems.
Identity management - user behaviour
An increasingly common method to defraud an individual of their identity is to mimic expected behaviour. This method of fraud uses psychological tricks to get people to part with their access codes and identification devices.
Identity management - protecting individual identity
The only sure way to protect individuals and firms is to educate users. Research has found that many people are willing to supply their individual security data for a chocolate bar.
Identity management - identity access and removal
It is crucially important to provide a new staff member with a company identity for them to gain access to the information they need to do their jobs. Equally important, but often overlooked, is the need to retract staff access when they leave the company.
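The role-limited access and leaver revocation described above can be checked with a periodic access review. The following is an added example, not part of the original article: the roster, role map, account list and the `review_access` function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumptions, not taken from the article).
ROLE_SYSTEMS = {  # systems each role is entitled to use
    "accounts-clerk": {"ledger", "email"},
    "hr-officer": {"hr-records", "email"},
}
HR_ROSTER = {  # authoritative staff record: role and leaving date
    "asmith": {"role": "accounts-clerk", "left_on": None},
    "bjones": {"role": "hr-officer", "left_on": date(2024, 3, 29)},
    "cpatel": {"role": "hr-officer", "left_on": None},
}
ACCOUNTS = [  # accounts as they exist on each system
    {"user": "asmith", "system": "ledger", "enabled": True},
    {"user": "asmith", "system": "hr-records", "enabled": True},   # outside role
    {"user": "bjones", "system": "email", "enabled": True},        # leaver, still active
    {"user": "bjones", "system": "hr-records", "enabled": False},  # correctly revoked
    {"user": "cpatel", "system": "email", "enabled": True},
    {"user": "svc-old", "system": "ledger", "enabled": True},      # no staff record
]


def review_access(roster, role_systems, accounts, today):
    """Return sorted (user, system, reason) findings for enabled accounts
    that belong to nobody, to a leaver, or fall outside the owner's role."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts grant no access
        person = roster.get(acct["user"])
        if person is None:
            reason = "no-owner"
        elif person["left_on"] is not None and person["left_on"] <= today:
            reason = "leaver"
        elif acct["system"] not in role_systems.get(person["role"], set()):
            reason = "outside-role"
        else:
            continue  # access matches a current member of staff and their role
        findings.append((acct["user"], acct["system"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in review_access(
            HR_ROSTER, ROLE_SYSTEMS, ACCOUNTS, date(2024, 4, 15)):
        print(f"{reason:13} {user:8} {system}")
```

Each finding is an account to disable or re-approve; the leaver check depends on the staff record being the authoritative source for leaving dates.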
The US National Electronic Commerce Coordinating Council's White Paper on Identity Management