If you would like to read the other parts in this article series please go to:Introduction
Identity theft, identity management, identity protection – identity is a crucial element in most computer security mechanisms. Access controls depend on identifying the users or devices that are allowed to view or use resources and keeping others out. We’re asked to “prove” our identities every time we board a plane, check into a hotel, make a purchase via check or credit card, or log onto a computer...
or secure web site. But the standard of proof is often very low, and in the IT world, we seem to have a misconception about what identity really is – and isn’t.
In this three part article, I’ll first take a look at how the concept of identity has evolved – particularly in the legal and technological realms. In part 2, we’ll show you why everything you think you know about identity is wrong. Then in part 3, we’ll look at common IT identity management solutions, where they fall short, and how they could be improved.Identity: What does that really mean?
“Identity” has different meanings, depending on the context in which it’s used. It’s a philosophical concept, a psychological concept, a legal concept, even a religious concept – and then there’s the way we use it in IT. In philosophical terms, it simply refers to whatever makes an entity recognizable and distinguishable from other entities. In psychology, it’s about a person’s self image, social roles and personality characteristics, and there are a myriad of theories and models ranging from the Freudian breakdown of the psyche into id, ego and superego to the Eriksonian framework separating personal and social or cultural identity. In theology, it’s about the soul.
That’s all very interesting but I’ll leave those discussions to folks who are schooled in those disciplines. More pertinent to those of us concerned with cybercrime is what identity means in a legal sense, and how the IT world sees and attempts to “manage” identity. However, a brief look at the history and evolution of society’s definitions of identity is useful in understanding the law and current IT practices.History and evolution of identity
When you enter into a relationship with someone – business or personal – it’s important to know with whom you’re dealing. Humans are differentiated in many ways. Before language developed, we can assume people identified other people by the way they looked, behaved, sounded (low pitched grunts vs. high pitched ones?), even by their smell. We know that many animals today, such as dogs, rely on their noses to interpret the world and this includes recognition of people and other animals by how they smell.
With the spoken and written word came the practice of giving names to objects and people. In a small population, names could be unique so that when you spoke of “John Smith,” everyone knew who you were talking about. Early populations were also generally less mobile, so everyone in the village not only knew who John was – they had known him from birth and were familiar with all the characteristics that defined “John,” such as his voice, his gait, the funny gestures he made with his hands and his general behaviors. People were often identified not just by their names and characteristics, but also by their ancestry: e.g., John Smith, son of Robert and Mary Smith.
As populations grew larger and more mobile, names were duplicated and people moved in and out and through town. They were sometimes identified by their places of origin: i.e., Joe Jones from Riverside. But as more and more strangers came to town, we had no history with them and no way of identifying them except by the names and other information they provided, which might or might not be their “real” names. Thus we developed a need for identity credentials.
Once upon a time, credentials could be anything from a letter of introduction from someone who had known you for a substantial time to a notation in a family bible. But governments grew into bureaucracies, and bureaucrats like to keep records, so identity documents became commonplace and then mandatory. Birth certificates provided a written record of one’s name, place/date/time of birth, an ancestry. When most babies were born at home, many people didn’t have birth certificates, but as the birthing process moved to institutions (hospitals), it became easier for governments to keep tabs on births.
The advent of the automobile had the unforeseen consequence of creating a standard, official identity document, the driver’s license. That document morphed from a piece of paper with your name, birthdate, address and signature on it to a plastic card with a photo, and now in many jurisdictions includes a fingerprint, magnetic strip with encoded information, holographic imprints and/or RFID transmitters.
Today we have a myriad of identity credentials. In addition to the ubiquitous driver’s license (or state ID card for those who don’t drive), we must obtain a social security card for our children long before they’re eligible to get a job, and even though the law originally specifically prohibited its use as identification, it has become a de facto identity credential that we must provide not just to obtain government benefits and pay our taxes but to take a class, apply for credit or even (in some cases) sign up for cable TV or telephone service. Those who work for large companies have employee ID cards. If we belong to any organizations, we have membership cards. To travel outside the country, we need passports.
We’re drowning in a sea of identity credentials.The credibility of credentials
Not all identity credentials are created equal. Government-issued IDs are usually considered to be the best verification of identity, but are they really? States have tightened up on their procedures, but just a few years ago (pre-September 11), in many jurisdictions it wasn’t that hard to get a driver’s license in whatever name you wanted. I remember when I got married in the 1990s and went to the DMV to change my name. I wasn’t asked for my marriage license or any other documentation of the name change; I simply told them the new name and they dutifully entered it into the system and issued me a new license in it. Of course, back then it was perfectly legal to change your name in Texas via common law – that is, simply by adopting and using the new name. No court order was required (unless you were a minor).
Today you have to jump through a few more hoops to get a license or change your name, but it’s not as if they do a thorough background check. The addition of a thumbprint to the driver’s license database does make it a bit more difficult for you to fake your identity at the DMV – if you’ve ever been fingerprinted and that print is on file. Still, many people haven’t, unless they’ve been in the military, been arrested, worked as a law enforcement officer or in a position with security clearance, obtained a license to carry a concealed weapon, etc. One day it’s likely everyone will be fingerprinted as children; at the moment that’s still optional but is encouraged by many school child safety programs.
We think of today’s high tech methods of identifying people as being superior to those of years gone by, but are they really? As we’ve mentioned, the basis of verifying identity prior to all these fancy cards and scientific methods was attestation – someone who knew you vouched for you. Interestingly, we’re coming back around to seeing the value of that in a world where paper, plastic and electronic credentials can be easily faked.The IT approach to identity
If you came of age when the IBM PC was king and cut your computing teeth on some variety of DOS, you probably remember booting up your operating system and getting to work. You didn’t have to identify yourself to the system (unless special software was loaded to require that). The first home computers were usually shared by everyone in the family, and no one had separate user accounts.
But in the business environment, it was important to identify who was using a computer, if only so you would know who was accountable if the system was misused. Setting up separate user accounts accomplished that, but if users didn’t have to prove their identities when they fired up their accounts, anyone could use anyone else’s account (and often did). Thus the requirement to provide credentials to prove you’re really the user who owns that account.
The use of passwords (or “secret codes”) to verify identity has been around much longer than computers. Thus it was logical (and easy) to use the password system for authenticating computer users. PINs are just the numerical equivalent of alphabetic passwords. However, the problems with passwords and PINs as an authentication mechanism are legend. If the passwords are short and simple, they’re easy to crack with a brute force attack. If they’re long and complex, users forget them and/or write them down. Passphrases provide more complexity while still being relatively easy to remember, but don’t entirely solve the problem.
The need for a better authentication mechanism led to the concept of multi-factor authentication. In addition to “something you know” (a PIN, password or passphrase), users can be required to provide something they have: a smart card or token, or a cell phone that identifies itself by a unique serial number or software-generated signal. The card/token system has its own drawbacks, though; the physical credential can be left at home, lost or stolen.
Biometric information has been considered the Holy Grail of authentication, because it’s said to be based on “something you are” – physiological or behavioral characteristics that are thought to be unique to a particular person and unchanging. However, even biometrics don’t offer a fool-proof way to verify identity. Fingerprints can be reproduced via molds (or in the more dramatic, Hollywood fashion, a bad guy could just cut off the finger and use it to gain access). Illness and injury can cause changes to physiological characteristics – fingerprints, retinal patterns, voice, gait, etc. There is minute but real possibility of duplication, at least to the extent used to declare a match in the database. For example, a fingerprint sensor, like any piece of electronic equipment, could fail. The software used to process the print and compare it to others in the database could have errors. False positives are possible. The same is true for other biometric methods.Summary advertisement
There is no perfect, infallible means of authenticating the identity of a user. And that’s complicated by factors that we’ll discuss in Part 2: Everything You (Think You) Know about Identity is Wrong.
If you would like to read the other parts in this article series please go to: