Who owns your identity?

The Future of Identity and Access Management Part 2

Suntec Singapore Convention & Exhibition Centre

Who owns your identity — you, your national/local government, a third-party provider? The answer may seem pretty straightforward to you, but identity management professionals are still avidly debating this question, and by the looks of it, we are nowhere near reaching a consensus.

I’ve been heavily involved in identity management for the last few years, pushing the limits of system integrations and fine-tuning access control policies for numerous service providers. Just when I thought I’d heard it all when it comes to identity management, I attended the first-ever Identity Week Asia. The experience opened my eyes to some very different points of view. Fellow speakers and panelists had very different perspectives on identity management than mine; perspectives that I believe I would never have been exposed to had I attended the same conference somewhere in Europe or the US.

Perhaps the chasm in the schools of thought is a direct result of the way governments operate in different countries. Maybe it’s a consequence of focus — European countries and the US seem to be trying to nail down identity to better protect the individual citizen while Asian countries appear more focused on identity as an additional tool to enhance governmental impact on its citizens. The individual citizen seems more of a secondary thought, judging by the case studies presented by different Asian government representatives throughout the conference.

Different countries with very different histories will obviously have unique ways of dealing with the same identity problem. And I don’t think there is one single right answer to it. Both points of view are valid. I am merely pointing them out to highlight the varying schools of thought.

Identity Leasing & Security

It seems one of the biggest unknowns that most colleagues can agree on is what appears to be a simple question — who owns the identity? At Identity Week Asia, this question wasn’t much discussed, only passively mentioned when the topic demanded it, with a “let’s not go there” attitude. Whether this was intentional because the question was viewed as unanswerable or otherwise, the future of identity and access management cannot be complete without clarifying the identity ownership question. I believe that identity ownership is actually very straightforward — that is, only if you introduce the concept of identity leasing.

So what do I mean and, above all, who owns the identity? To answer this question, I would like to use an analogy that everyone is familiar with — leasing out an apartment. A large number of apartments get leased out all over the world. It’s a well-defined business practice with a clear set of rules.

1. An individual or business entity owns an apartment which they wish to lease.

2. The apartment is leased to a renter who needs to adhere to the lease conditions — i.e. no pets, property must be maintained well, no waterbed, etc.

3. The renter pays the monthly rent.

4. The lease must be renewed at a predefined time interval agreed upon by both the landlord and the renter of the apartment.

Identity leasing to me is exactly like renting out an apartment. The owner of the identity is the individual or entity, just like the owner of the apartment is the landlord. The owner of the identity can then turn around and lease his/her identity to a service provider (public or private) when he/she logs in to use a service. Logging in and providing identity information does not in any way transfer ownership to the service provider. The identity is simply on lease.

In addition, the moment the identity is leased to the provider, there is a contract between the individual and the provider that must be upheld. The individual is effectively entrusting the service provider with his/her identity, and the provider has to ensure that the identity is secure and not compromised, and that it’s used only in an acceptable manner, i.e. not abused by selling it to third parties or using it for activities that the identity owner is not aware of. If the provider does not adhere to this contract, then the individual owners will most likely stop trusting and stop doing business with the service provider. It’s also possible for the service provider to sub-lease the identity if the owner has agreed to it at the moment of the original lease.

Identity leasing is already being implemented in the real world, although in a limited way. Every time you log in to a website using your Facebook, LinkedIn, or Google account, you’re officially leasing your identity from one of those services to a third party. The moment you log in with your Facebook account to a website, for example, the website alerts you that they will read your name, email, and other information. You have to agree to continue. This is effectively a lease. You, as the Facebook identity owner, are leasing your identity attributes to the third party website.
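The four lease rules and the consent screen described above, as an added example that is not the author's code: a minimal signed "identity lease" in Python, in which the attributes the owner consented to, the expiry (renewal) and whether sub-leasing was agreed are enforced on every access. The function names, the demo key and the sample values are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in practice this is the identity provider's signing key.
KEY = b"constructed-demo-key"

def _sign(payload: dict, key: bytes) -> str:
    # Serialize deterministically, then append an HMAC so a lessee cannot alter the terms.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def issue_lease(owner, lessee, attributes, ttl, allow_sublease, key=KEY, now=None):
    # Rule 1/2: the owner leases named attributes to one lessee under explicit conditions.
    # Rule 4: the lease carries an expiry, after which it must be renewed by the owner.
    now = time.time() if now is None else now
    payload = {"owner": owner, "lessee": lessee, "attributes": sorted(attributes),
               "exp": now + ttl, "sublease": allow_sublease}
    return _sign(payload, key)

def verify_lease(token, key=KEY, now=None):
    # Lessee-side check: reject tampered or expired leases before using any attribute.
    now = time.time() if now is None else now
    body_b64, mac_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac_b64)):
        raise ValueError("lease signature invalid")
    payload = json.loads(body)
    if now >= payload["exp"]:
        raise ValueError("lease expired; renewal by the owner required")
    return payload

def may_read(lease, attribute):
    # Only attributes the owner agreed to on the consent screen may be read.
    return attribute in lease["attributes"]

def sublease(token, new_lessee, attributes, key=KEY, now=None):
    # Sub-leasing is allowed only if the owner consented at the original lease, may not
    # widen the attribute set, cannot outlive the original lease, and cannot be re-subleased.
    lease = verify_lease(token, key, now)
    if not lease["sublease"]:
        raise PermissionError("owner did not consent to sub-leasing")
    if not set(attributes) <= set(lease["attributes"]):
        raise PermissionError("sub-lease may not widen the leased attributes")
    payload = dict(lease, lessee=new_lessee, attributes=sorted(attributes), sublease=False)
    return _sign(payload, key)
```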

So what does the future of identity ownership entail? Well, I see the individual or entity remaining the identity owner, but I see this leasing being formalized as identity awareness strengthens. The initial steps of this process have already been introduced by some of the social networks. The increase in demand for interoperability of services will only continue to flesh out this process.

Identity Decentralization & Interoperability

Is the future of identity and access management one in which the identity is decentralized? It cannot be. A decentralized identity is currently the norm, but I don’t see it continuing in the future. Every one of us has an identity we use to interact with our banks, governments, preferred airlines, Amazon account, Netflix, HBO, and so on. This, by definition, is a decentralized identity and, frankly, it’s a nightmare! How, then, can the future be the same? Why would anyone want that?

I refuse to believe that decentralization could be the future. The future must be one where it’s much easier for the individual to maintain all these accounts. A centralized identity works perfectly. One identity for all services you use. All services, therefore, need to be interoperable, so that they all work off of a single standardized identity rather than demanding that a new account/identity be created for a specific use.

A centralized approach benefits both the user and the provider. The user gets to reuse the same identity everywhere. The provider gets everything s/he needs to know about the user and is able to serve the end-user better through more personalized services, as they have access to the full customer history.

Security could be a concern here as a compromised centralized identity could be disastrous. At the same time, however, the decentralized identities that currently exist are not secure either.

Biometrics

Biometrics was a very hot topic at the conference, with a whole industry having developed just around this notion. My opinion on the role of biometrics in identity management, however, has not changed from before attending the event. If you missed my views on the topic, check out the article below.

Biometrics, the way they are currently implemented, cannot be the future of identity. If the individual wants to be fully plugged into the IoT and fully immersed in an integrated tech environment, s/he cannot do so with archaic biometric recognition systems. Identity needs to progress in such a way that it removes any physical dependency. No matter how easy it is to take a thumbprint or run a facial recognition system, in the long run, these will eventually be viewed as archaic ways of authenticating.

Identity Management with Blockchain

After hearing at least three panelists talk about their work with identity and blockchain, I am now even more convinced that identity on blockchain is effectively dead on arrival. Anyone working on blockchain-based identity management should take a hard look at why they’re doing so. I wouldn’t want to base such a critical part of any system on a technology that will immediately stop working if you lose your private key, or your computer gets lost or stolen.

The Future of Access Management

Throughout the Identity Week panel sessions, it was clear that everyone is well aware of the three authentication methodologies.

1. Authentication by what you know (e.g. a password).

2. Authentication by what you have (e.g. a cell phone).

3. Authentication by who you are (e.g. biometrics).

Let’s take a closer look at these three.

What you know — this is the most prevalent yet very inefficient way of authenticating. We constantly forget passwords. Even if we remember them, they’re easy to hack, as most of us use very easy passwords that can be guessed. This methodology will continue to be the dominant way we grant access, not because it’s a good one, but because there’s simply no better way.

What you have — this methodology is the worst out of the three, in my opinion. We constantly lose devices, or they could easily get stolen. This approach to identity access and management is also very prone to social engineering attacks.

Who you are — as described in the Biometrics section above, as is, this simply cannot be the future of access management.

I realize that this paints a very grim future for identity and access management. After all, one of these methodologies has to work; we were taught so in Computer Science 101. What else could we use to grant access to services?

Well, just because we don’t have a good substitute yet doesn’t mean that we won’t have one in the future. I am sure that as soon as a better methodology presents itself, we will all jump on it. There are a number of research initiatives working on solving this problem and, eventually, we’ll find a better way. Most likely it will be a combination of existing methodologies, in conjunction with something brand-new, but only time will tell.