Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Identity is dead

Identity is dead. All that matters now is data.
There are no Identity Providers, just data brokers.
Data supply and provenance are critical infrastructure for the digital economy.

For at least five years there has been a distinct push within the identity management industry towards attributes: a steady shift from who to what. It might have started at the Cloud Identity Summit in Napa Valley in 2013, where Google/PayPal/RSA veteran Andrew Nash, speaking on a panel of "iconoclasts" announced that 'attributes are more interesting than identity'. A few months earlier, the FIDO Alliance had been born. On a mission to streamline authentication, FIDO protocols modestly operate low down the technology stack and leave identification as a policy matter to be sorted out by implementers at the application level. Since 2013, we've also seen the Vectors of Trust initiative which breaks out different dimensions of authentication decision making, and a revamp of the US Federal Government Authentication Guide NIST SP 800-63, with a refinement of the coarse old Levels of Assurance. And Lockstep is developing new attribute certificate techniques.

Across cyberspace, provenance is the hottest topic. How do we know what's real online? How can we pick fake accounts, fake news, even fake videos?

Provenance in identity management is breaking out all over, with intense interest in Zero Knowledge Proofs of attributes in many Self Sovereign Identity projects, and verified claims being standardised in a W3C standards working group.

These efforts promise to reverse our long slide into complication. Identity has been over-analysed and authentication over-engineered. The more strongly we identify, the more we disclose, and the unintended consequences just keep getting worse.

Yet it doesn't have to be so. Here's what really matters:

  • What do you need to know about someone or something in order to deal with them?
  • Where will you get that knowledge?
  • How will you know it's true?

These should be the concerns of authentication.
It's not identity per se that matters; it's not even attributes or claims. Attributes are just data, and provenance lies in metadata.

It has become conventional wisdom in IDAM that few transactions really need your identity. So why don't we just kill it off? Let's focus instead on what users really need to know when they transact, and work out how to deliver that knowledge as we design transaction systems.

IDAM has been framed for years around a number of misnomers. "Digital identity" for instance is nothing like identity in real life, and "digital signatures" are very strange signatures. Despite the persistent cliché, there are no online "passports".

But the worst idea of all is the Identity Provider, invented over a decade ago to try to create a new order in cybersecurity. It's an understandable abstraction to regard bank accounts, for example, as "identities", and it follows that banks can be regarded as "identity providers". But these theoretical models have proved sterile. How many banks in fact see themselves as Identity Providers? No IdPs actually emerged from well-funded programs like Identrus or the Australian Trust Centre; just one bank set up as an IdP in the GOV.UK Verify program. If Identity Providers are such a good idea, they should be widespread by now in all advanced digitizing economies.

The truth is that Identity Providers as imagined can't deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party once they are satisfied they know enough about a data subject to manage the risk of transacting with them. Identity is a metaphor for being in a particular relationship, defined by the Relying Party (for it is the RP that carries most of the risk if an identification is flawed). Identity is not the sort of good or service that can be provided; it can only be conferred by Relying Parties. The metaphor is all wrong.

Digital identity has failed to materialise, because it's a false idol.

We don't need to know who people are online; we need to know certain specifics about them, case by case. So let's get over identity, and devote our energies to the critical infostructure needed to supply the reliable data and metadata essential for an orderly digital economy.

Posted in Identity
