I closed my Identiverse 2022 keynote speech with an observation and a plea: “If zero trust is a thing, then so is Zero Identity”.
What did I mean? Let’s go as far as we can without identity. Let’s see if we can design systems without thinking about identity.
It seems to me we’ve become obsessed with identity. We seem to start the thought process for each new system design with identity.
It’s proven to be controversial in the past when I have called on the cognoscenti to “forget identity”, yet surely we would all agree there is way too much identity sloshing around. We undertake too much identification, leading to too much identity data leaking, and too many opportunities for identity abuse. It’s crazy how much crime is enabled by simply assuming another person’s identity.
The way to stop the race-to-the-bottom is to try something different. Let’s try to secure people’s transactions with less reliance on their identity.
“Zero Trust” is one of the hot topics in cybersecurity. Remember that it does not literally mean there is no trust. Rather, Zero Trust is an appeal to be more disciplined in security design. Zero Trust (aka trustlessness) describes a secure system where the security promises are made with less reliance on trusted roles and trusted processes.
Similarly, “Zero Identity” is my call to do more with less identification.
“Identity” is such a loaded and contested term. It is frankly embarrassing that we spend so much time arguing what it means. It’s just not working. And so, on simply pragmatic grounds, we might have better discussions if we tried to specify and design without using the word “identity”.
I think it’s quite a moderate suggestion that digital transaction design should start with the question: What do I really need to know about the other party?
At the same time, we should critically examine what you do not need to know, applying the data minimisation principle.
We should then proceed to ask: Where will I get the data? From the other party directly, or from a third party, or perhaps a real-time analytical process? And how will I know that it’s true enough for my purposes, with regard to provenance, accuracy, tamper resistance, permissions, and consent?
I know it’s uncomfortable for identity professionals, but for the sake of security, privacy and trust, let’s stop putting identity first.
I am grateful to Steve Tout from Nonconformist Innovation Media for discussions following Identiverse 2022 and his help with this blog.