Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Identity is dead

Identity is dead. All that matters now is data.
There are no Identity Providers, just data brokers.
Data supply and provenance are critical infrastructure for the digital economy.

For at least five years there has been a distinct push within the identity management industry towards attributes: a steady shift from who to what. It might have started at the Cloud Identity Summit in Napa Valley in 2013, where Google/PayPal/RSA veteran Andrew Nash, speaking on a panel of "iconoclasts", announced that 'attributes are more interesting than identity'. A few months earlier, the FIDO Alliance had been born. On a mission to streamline authentication, FIDO protocols modestly operate low down the technology stack and leave identification as a policy matter to be sorted out by implementers at the application level. Since 2013, we've also seen the Vectors of Trust initiative, which breaks out the different dimensions of authentication decision making, and a revamp of the US Federal Government authentication guide NIST SP 800-63, with a refinement of the coarse old Levels of Assurance. And Lockstep is developing new attribute certificate techniques.

Across cyberspace, provenance is the hottest topic. How do we know what's real online? How can we pick fake accounts, fake news, even fake videos?

Provenance in identity management is breaking out all over, with intense interest in Zero Knowledge Proofs of attributes in many Self Sovereign Identity projects, and verified claims being standardised in a W3C standards working group.

These efforts promise to reverse our long slide into complication. Identity has been over-analysed and authentication over-engineered. The more strongly we identify, the more we disclose, and the unintended consequences just keep getting worse.

Yet it doesn't have to be so. Here's what really matters:

  • What do you need to know about someone or something in order to deal with them?
  • Where will you get that knowledge?
  • How will you know it's true?

These should be the concerns of authentication. It's not identity per se that matters; it's not even attributes or claims. Attributes are just data, and provenance lies in metadata.

It has become conventional wisdom in IDAM that few transactions really need your identity. So why don't we just kill it off? Let's focus instead on what users really need to know when they transact, and work out how to deliver that knowledge as we design transaction systems.

IDAM has been framed for years around a number of misnomers. "Digital identity" for instance is nothing like identity in real life, and "digital signatures" are very strange signatures. Despite the persistent cliché, there are no online "passports".

But the worst idea of all is the Identity Provider, invented over a decade ago to try and create a new order in cybersecurity. It's an understandable abstraction to regard bank accounts for example as "identities" and it follows that banks can be regarded as "identity providers". But these theoretical models have proved sterile. How many banks in fact see themselves as Identity Providers? No IdPs actually emerged from well-funded programs like Identrus or the Australian Trust Centre; just one bank set up as an IdP in the GOV.UK Verify program. If Identity Providers are such a good idea, they should be widespread by now in all advanced digitizing economies.

The truth is that Identity Providers as imagined can't deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party once they are satisfied they know enough about a data subject to manage the risk of transacting with them. Identity is a metaphor for being in a particular relationship, defined by the Relying Party (for it is the RP that carries most of the risk if an identification is flawed). Identity is not the sort of good or service that can be provided but only conferred by Relying Parties. The metaphor is all wrong.

Digital identity has failed to materialise, because it's a false idol.

In the late 1990s, when critics said Quality is Dead! they didn't mean quality doesn't matter, but that the formalities, conventions and patterns of the Quality Movement had become counterproductive. That's what I mean about digital identity. The movement has failed us.

We don't need to know who people are online; we need to know certain specifics about them, case by case. So let's get over "identity", and devote our energies to the critical infostructure needed to supply the reliable data and metadata essential for an orderly digital economy.

Posted in Identity

What if genes aren't entirely digital?

An unpublished letter to Nature magazine.

Sheila Jasanoff and J. Benjamin Hurlbut, in their call for a gene editing laboratory (Nature 555, 435; 2018) stress the "tendency to fall back on the framings that those at the frontiers of research find most straightforward and digestible". My concern is that the most digestible framing of all – that genes are editable in the first place – is gravely misleading.

The telling metaphor of genes-are-code arose in the 1950s at the coincidental dawns of genetics and computer science. Codons (combinations of DNA base pairs) map precisely onto different amino acids according to the so-called genetic code, which is nearly universal for all life on Earth. And thus, sequences of base pairs form genes, which "code" for proteins and enzymes, in what look beguilingly like programs specifying organisms. But while the low level genetic code is neat and digital, what happens further up the biochemical stack is much more analogue. Proteins and enzymes are never single purpose, and never play their roles within a body in isolation. Genes, unlike computer instructions, are not compartmentalised; genomes, unlike computer programs, are not designed one at a time, but have evolved as intricate ensembles, with selection pressures operating between bodies, and between species.

The genes-are-code metaphor should have been re-examined as genetics evolved. The decidedly non-computer-like reality has been betrayed over time by discoveries like interactive gene expression, epigenetics, and the sobering fact that non-coding "junk DNA" is not junk after all. One wonders if applied biology was held up for decades by the simplistic presumption that DNA had to code for something in order to be functional.

If the genome is not really digital, then "hacking" it like code will inevitably have unintended consequences. It's not just the public which needs a better understanding of genetic engineering but the mislabelled "engineers" themselves.

April 14, 2018.

Posted in Software engineering, Science

Latest Card Fraud Statistics for Australia FY2017

The Australian Payments Network (formerly the Australian Payments Clearing Association, APCA) releases card fraud statistics (http://auspaynet.com.au/resources/fraud-statistics/) every six months for the preceding 12 month period. For well over a decade now, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is doing (and not doing) about Card Not Present fraud. Here is our summary for the most recent financial year 2017 stats.

[Figure: CNP fraud trends to FY2017]

Total card fraud went up only 3% from FY16 to FY17; Card Not Present (CNP) fraud was up 10% to $443 million, representing 86% of all fraud perpetrated on Australian payment cards.

CNP fraud is enabled by the difficulty merchants (and merchant servers) have telling the difference between original cardholder details and stolen data. Criminals procure stolen details in enormous volumes and replay them against vulnerable shopping sites.

A proper foundational fix to replay attack is easily within reach, which would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for card holders. Apple for one has grasped the nettle, and is using its Secure Element-based Apple Pay method (established now for card present NFC payments) for Card Not Present transactions, in the app.

See also my 2012 paper "Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).

The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere, underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it's astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.
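The replay problem described in the fraud summary above, and the EMV-style fix the paper argues for, can be shown side by side in a small model. The following is an added example, not code from Lockstep or from any EMV or Apple Pay implementation. It contrasts a merchant check on static card data (PAN, expiry, CVV), which cannot tell a stolen copy from the genuine article, with an issuer check on a per-transaction cryptogram computed by a key that never leaves the card's secure element. The class and merchant names are invented, and HMAC-SHA256 stands in for the EMV application cryptogram (ARQC) and its session-key derivation; the two replay defences modelled, an Application Transaction Counter (ATC) the issuer tracks and an unpredictable number (UN) the merchant chooses per checkout, are the same ones an EMV chip relies on.

```python
import hmac
import hashlib
import secrets


# --- Today's CNP model: static data the merchant cannot distinguish from a stolen copy ---

def static_check(stored, presented):
    """A merchant (or acquirer) holding only PAN/expiry/CVV can test equality and
    nothing more, so a harvested copy of the same three fields passes as the cardholder."""
    return stored == presented


# --- EMV-style model: a cryptogram per transaction, keyed by a secret the card never discloses ---
# Illustrative simplification: HMAC-SHA256 in place of the EMV ARQC construction.

def _cryptogram_input(pan, amount_cents, merchant_id, atc, un):
    """Transaction data the cryptogram is bound to: amount, merchant, counter and nonce."""
    return f"{pan}|{amount_cents}|{merchant_id}|{atc}|{un.hex()}".encode()


class SecureElementCard:
    """Models the chip (or phone secure element): holds the key, emits only cryptograms."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # never exported; merchants only ever see cryptograms
        self.atc = 0         # Application Transaction Counter, incremented per use

    def authorise_request(self, amount_cents, merchant_id, un):
        self.atc += 1
        msg = _cryptogram_input(self.pan, amount_cents, merchant_id, self.atc, un)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount_cents": amount_cents, "merchant_id": merchant_id,
                "atc": self.atc, "un": un.hex(), "cryptogram": mac.hex()}


class Issuer:
    """Issuer host: shares each card's key (set at personalisation) and tracks its ATC."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorise(self, req, merchant_id, un):
        """Return (approved, reason). merchant_id and un come from the merchant's own
        checkout session via the acquirer, not from the submitted request."""
        key = self._keys.get(req["pan"])
        if key is None:
            return False, "unknown card"
        if req["merchant_id"] != merchant_id or req["un"] != un.hex():
            return False, "cryptogram bound to a different checkout"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False, "ATC not fresh: replay"
        msg = _cryptogram_input(req["pan"], req["amount_cents"], req["merchant_id"],
                                req["atc"], bytes.fromhex(req["un"]))
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, bytes.fromhex(req["cryptogram"])):
            return False, "cryptogram mismatch: data altered or wrong key"
        self._last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def demo():
    """Run the scenarios and return approved/declined per case."""
    pan = "4111111111111111"            # constructed test PAN, not a real account
    key = secrets.token_bytes(16)       # constructed card key shared with the issuer
    card = SecureElementCard(pan, key)
    issuer = Issuer()
    issuer.enrol(pan, key)
    results = {}

    # Static data: a copy from any breach passes the same check as the genuine card.
    genuine = (pan, "12/27", "123")
    stolen_copy = (pan, "12/27", "123")
    results["static_replay"] = static_check(genuine, stolen_copy)

    # Genuine checkout: merchant picks a UN, card produces a cryptogram, issuer approves.
    un1 = secrets.token_bytes(4)
    req1 = card.authorise_request(2500, "merchant-A", un1)
    results["genuine"] = issuer.authorise(req1, "merchant-A", un1)[0]

    # Replaying the captured request into the same session: ATC already consumed.
    results["replay_same_session"] = issuer.authorise(req1, "merchant-A", un1)[0]

    # Replaying it into a fresh checkout (new UN): cryptogram is bound to the old one.
    un2 = secrets.token_bytes(4)
    results["replay_new_session"] = issuer.authorise(req1, "merchant-A", un2)[0]

    # Altering the amount in transit: the cryptogram no longer verifies.
    un3 = secrets.token_bytes(4)
    req3 = card.authorise_request(2500, "merchant-A", un3)
    req3["amount_cents"] = 250000
    results["tampered_amount"] = issuer.authorise(req3, "merchant-A", un3)[0]
    return results


if __name__ == "__main__":
    for case, approved in demo().items():
        print(f"{case:22s} {'approved' if approved else 'declined'}")
```

The point of the contrast is where the secret lives: in the static model the merchant's database and every page that handled the card hold everything needed to reproduce a payment, whereas in the chip model only the card and the issuer hold the key, and a captured request is worthless outside the one checkout it was produced for.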

Posted in Payments