To a great extent, many of the challenges in information security boil down to human factors engineering. We tend to have got the security-convenience trade-off in infosec badly wrong. The computer password is a relic of the 1960s, devised by technicians, for technicians. If we look at traditional security, we see that people are universally habituated to good practices with keys and locks.
The terrible experience of Wired writer Mat Honan being hacked created one of those classic overnight infosec sensations. He's become the poster boy for the movement to 'kill the password'. His follow up post of that name was tweeted over two thousand times in two days.
Why are we so late to this realisation? Why haven't we had proper belts-and-braces access security for our computers ever since the dawn of e-commerce? We all saw this coming -- the digital economy would become the economy; the information superhighway would become more important than the asphalt one; our computing devices would become absolutely central to all we do.
It's conspicuous to me that we have always secured our serious real world assets with proper keys. Our cars, houses, offices and sheds all have keys. Many of us would have been issued with special high security keys in the workplace. Cars these days have very serious keys indeed, with mechanical and electronic anti-copying design features. It's all bog standard.
But for well over a decade now, cyber security advocates speak earnestly about Two Factor Authentication as if it's something new and profound. And what's worse, IT people have let the term Two Factor Authentication (which in my view necessarily entails a physical hardware device - something you will be aware of when you've lost it) become bastardised in various ways. People can talk of "Multi Factor Authentication" including Knowledge Based Authentication as if they're equivalent to 2FA.
For a few extra bucks we could build proper physically keyed security into all our computers and networked devices. The ubiquity of contactless interfaces by Wi-Fi or NFC opens the way for a variety of radio frequency keys in different form factors for log on.
There's something weird about the computing UX that has long created different standards for looking at the cyber world and the real world. A personal story illustrates the point. About nine years ago, I met with a big e-commerce platform provider that was experiencing a boom in fraud against the online merchants it was hosting. They wanted to offer their merchant tenants better security against hijackers. I suggested including a USB key for mutual authentication and strong digital signatures, but the notion of any physical token was rejected out of hand. They could not stomach the idea that the merchant might be inconvenienced in the event they misplaced their key. What an astonishing double standard! I asked them to imagine being a small business owner, who one day drives to the office to find they've left door key behind. What do you want to do? Have some magic protocol that opens the door for you, or do you put up with the reality of having to turn around and get your keys? Could they not see that softening the pain of losing one's keys by creating magic remedies was going to compromise security?
We are universally habituated to physical keys and key rings. They offer a brilliant combination of usability and security. If we had comparably easy-to-use physical keys for accessing virtual assets, we could easily manage a suite of 10 or 15 or more distinct digital identities, just as we manage that many real world keys. Serious access security for our computers would be simple, if we just had the will to engineer our hardware properly.
I was recently editing my long "ecological identity" paper from last year and I was reminded how we tend to complicate identity when we speak about it. Here's a passage from that paper, which argues that the language we use is important. I contend we don't need to introduce new technical definitions around identity. Furthermore, I think if we returned to plain language, we might actually see federated identity differently.
Why for instance do orthodox identity engineers insist that authentication and authorization are fundamentally different things? The idea that roles are secondary to identity dates back to 1960's era Logical Access Control. It's an arbitrary distinction not usually seen in the the real world. Authorization is what really matters in most business, not identity. For instance, no pharmacist identifies a doctor before relying on a prescription; the prescription itself, written on an official watermarked form confers the necessary authority. Context is vital; in fact it's often the case that "the medium is the authentication" (with apologies to Marshall McLuhan).
What follows is extracted from Identities Evolve: Why federated identity is easier said than done, AusCERT Security Conference, 2011.
The word "identity" means different things to different people. I believe it is futile quoting dictionary definitions in an attempt to disambiguate something like identity (in fact, when a perfectly ordinary word attracts technical definition, it's a sure sign that misunderstanding is around the corner). Instead of forcing precision on the term, we should actually respect its ambiguity! Consider that in life we are completely at ease with the complexity and nuance of identity. We understand the different flavours of personal identity, national identity and corporate identity. We talk intuitively about identifying with friends, family, communities, companies, sports teams, suburbs, cities, countries, flags, causes, fashions and styles. In multiculturalism, whether or not we agree on the politics of this challenging topic, we understand what is meant by the mingling or the co-existence or the adoption of cultural identities. The idea of "multiple personality syndrome" makes perfect sense to lay people (regardless of its clinical controversies). Identity is not absolute, but instead dilates in time and space. Most of us know how it feels at a high school re-union to no longer identify with the young person we once were, and to have to edit ourselves in real time to better fit how we and others remember us. And it seems clear that we switch identities unconsciously, when for example we change from work garb to casual clothes, or when we wear our team's colours to a football match.
Yet when it comes to digital identity -- that is, knowing and showing who we are online -- we have made an embarrassing mess of it. Information technologists have taken it upon themselves to redefine the meaning of the word, while philosophically they don't even agree if we should possess one identity or more.
We don't need to make identity any more complicated than this: Identity is how someone is known. In life, people move in different circles and they often adopt different guises or identities in each of them. We have circles of colleagues, customers, fellow users, members, professionals, friends and so on -- and we often have distinct identities in each of them. The old saw "don't mix business and pleasure" plainly shows we instinctively keep some of our circles apart. The more formal circles -- which happen to be the ones of greatest interest in e-business -- have procedures that govern how people join them. To be known in a circle of a bank's customers or a company's employees or a profession means that you've met some prescribed criteria, thus establishing a relationship with the circle.[To build on my idea of impressed vs expressed identities, let's acknowledge that the way you know yourself one thing, but the way others know you is something quite different.]
Kim Cameron's seminal Laws of Identity define a Digital Identity as "a set of claims made by one digital subject about itself or another digital subject". This is a relativistic definition; it stresses that context helps to grant meaning to any given identity. Cameron also recognised that this angle "does not jive with some widely held beliefs", especially the common presumption that all identities must be unique in any one setting. He stressed instead that uniqueness in a context might have featured in many early systems but it was not necessarily so in all contexts.
So a Digital Identity is essentially a proxy for how one is known in a given circle; it represents someone in that context. Digital Identity is a powerful abstraction that hides a host of formalities, like the identification protocol, and the terms & conditions for operating in a particular circle, fine-tuned to the business environment. All modern identity thinking stresses that identity is context dependent; what this means in practical terms is that an identifier is usually meaningless outside its circle. For example, if we know that someone's "account number" is 56236741, it's probably meaningless without giving the bank/branch number as well (and that's assuming the number is a bank account and not something from a different context altogether).
I contend that plain everyday language illuminates some of the problems that have hampered progress in federated identity. One of these is "interoperability", a term that has self-evidently good connotations but which passes without a lot of examination. What can it mean for identities to "interoperate" across contexts? People obviously belong to many circles at once, but the simple fact of membership of any one circle (say the set of chartered accountants in Australia) doesn't necessarily say anything about membership of another. That is to say, relationships don't "interoperate", and neither in general do identities.
Here's a radical thought: why don't we Internet engineers forget about identity?
Businesses and individuals identify each other in various ways and to different ends, but always basically in order to manage the risk of dealing with the wrong entity. By and large, we actually do identification pretty well. There are many mature analytical methods and standards by which identification can be analysed and designed, as just one element of risk management.
One of the difficulties in Federated Identity is that it too often pressures participants to change the way they do identification. Now there's nothing wrong with change, and I'm not saying that identity management practices are perfect by any means. But they're changing already. They always have and they always will. What I am saying is that global identification is never going to happen, and neither will global identification benchmarks, like Levels of Assurance. We can think globally all we like but risk management requires fundamentally that businesses will always act locally.
Identification practices undergo continuous improvement under circumstances peculiar to different businesses, industries and jurisdictions. Most industries at some level constantly monitor the adequacy of identification in the face of fraud trends, and make steady adjustments. Some identification protocols are legislated, as in the 100 point check of the Australian Financial Transaction Reports Act and anti-money laundering laws. Some protocols are set by industry overseers; for instance, doctor credentialing is regulated by local and state health agencies with a degree of national coordination. Ad hoc standards (more like habits really) emerge all the time, such as the way so many hotels have taken to photocopying driver licenses at check in. For the most part, identification rules are made up by industry bodies and by businesses themselves to suit their local risk profiles. In general there are no laws that prescribe how employers identify their staff, nor universities their students, nor professional bodies their members -- just as there is no national identity card here.
In going online, several widespread problems in identification have arisen. We all know what the problems are: the inconvenience and cost of repeated registrations; the overhead of managing multiple accounts and often inconsistent authentication mechanisms (multiple passwords, and separately, the "token necklace"); the privacy risks that go with redundant registration information flows and records; identity fraud and "identity theft". These problems are mostly separable and are amenable to improvement without imposing global identity management practices, let alone re-engineering identity itself.
The process of identification boils down to presenting certain pieces of claimed information about the person or entity, and validating those claims. In improving identification in the digital environment, we must focus with more precision on the real problems needing to be solved. And we must avoid wherever possible imposing changes from outside on the way that businesses choose to know their customers, members, staff, partners and users.
Around the world, governments and public-private partnerships continue to strive for big over-arching "Identity Frameworks". I think we need to heed the lesson that Federated Identity is easier said than done. Really worthwhile efforts have repeatedly failed, none more significantly than Microsoft's flagship identity solution Cardspace. I'm positive the underlying problem is simply that identity is not what it seems. Digital Identity is metaphorical; it's not a real thing at all but instead is a proxy for a relationship. And we know that relationships are difficult to carry over across different contexts.
So what's to be done? In my view, a subtle but significant course correction is due. Why don't we drop down a level, forget about "identities", and put our energies into making reliable information about claims more widely available? Fortunately, all the orthodox identity frameworks include Attribute Provision, and let's remember that the Laws of Identity themselves teach that Digital Identities are "sets of claims made by one digital subject about itself or another digital subject". I've discussed elsewhere that the interoperability of IdPs and RPs is more complicated than simply matching Assurance Levels, because it's the details of the elemental claims that really matter. So why don't we stop trying to centrally govern how identities are defined by Subjects and by Relying Parties, and focus instead on improving the mechanisms for conveying the more atomic claims that power those identities?
The diagram shows how a marketplace of verification services could grow around a set of commonplace claims.
NB: "DVS" stands for Document Verification Service, currently operated by the Australian Attorney Generals Department, which allows state & federal government agencies here to inquire as to the validity and currency of a range of identity documents.
The approach includes many of the standard privacy and security features of higher order Federated Identity systems, such as information hiding APIs delivering only 'yes'/'no' answers to claims queries. But the approach stops short of describing any "identities" per se or characterising "assurance levels" and the like, leaving Relying Parties to continue to set their own identification rules, and to realise those rules by shopping around for claims verifiers that suit their purposes.
The suggested system has the following qualities:
- It does not impose any identification protocols on businesses, who remain free to select which claims and combinations of claims they want Subjects to exhibit.
- It does not change the context in which businesses deal with their customers/members/staff/partners/users.
- It is contestable. While there will be natural authorities (or 'sources of truth') for many claims like driver license numbers or date of birth, the proposal allows for other organisations to offer claims validation. Secondary data sets can be just as reliable (or even more so) for claims such as street address, alternate names etc. Information brokers can be expected to value-add certain claims, attest to baskets of claims, and/or bundle claims validation with other business services.
- It is much easier to ascribe liability around the validation of precise claims than the validation of "identity"; this approach should be more palatable to banks, government agencies and so on than other Federated Identity concepts where IdPs are asked to underwrite 'who someone is'.
- It is pragmatic; it avoids semantic technicalities like the difference between "authentication" and "authorization"; the proposal simply provides uniform market-based mechanisms for parties to assert and test elemental claims as a precursor to doing business.
In closing, I'd like to quote Dazza Greenwood on identity:
"Former Speaker of the House Tip O’Neil used to say that all politics is local. Similarly, it can be said that all identity is local as well. Not necessarily geographically local. A parent can have children across the country and a bank for example can have account holders all over the globe. But they are "logically local" in the sense that they are all "home grown" and make sense largely only in their internal context. The account number by which each banking user is primarily known and the attributes surrounding that number are not similar to the naming and identity scheme required by medical clinical systems, for example. One size does not fit all because the subtle contours and content of identity is not monolithic." Ref: Authentication and Identity Management: Information Age Policy Considerations, Greenwood, 2003.
Indeed: identity is not monolithic. We might make much better progress on the digital identity challenges if we dropped down a level and tried dealing with identity's common parts instead.