Key Concept: Identification

With identification, what we’re trying to do is to establish an identity. So this can be done relatively easily face-to-face on a small scale. If we think back to the example we gave right at the start of the course, at the introduction, we looked at you as an individual being the medium through which access to your house is granted. When somebody visits your home, you recognize that individual. That gives you a way of managing identity. Now this works on a very small scale, but if we scale this up into an enterprise or onto a government level, governments working with their citizens, enterprise with their employees or with their customers, this doesn’t work too well.

We won’t recognize, face-to-face, all of our customers or all of our citizens. So we need a way of managing this that scales to the enterprise level. The identity that’s being presented may represent a human being. But in the digital age, this may also represent a system, a process, or a device. It doesn’t have to be an individual. And bear in mind as well, for managing identity, we may not wanting to be identifying a unique identity. At a very basic level, on web forms, we see challenges trying to establish whether or not you’re a human being.

So your identity there is being tested, not against uniqueness, not against whether or not you are who you say you are, but really, just trying to establish whether you’re a bot, an automated set of scripts, or a human being – that kind of captcha approach. So there are different approaches, and the approach that we use depends very much on our requirements. So again, we’re looking at something that is tailored to meet your needs. An account is not the same thing as an identity. An identity may have multiple accounts linked to a single identity. It may correlate. It may be a one-to-one basis, where each account links to a single identity.

But more often than not, an identity will manage multiple accounts. Identities offer then an assurance of who we are dealing with. When we’re talking about who we’re dealing with and a level of assurance, what kind of assurance do we need? This is where our tailoring comes in. If we think about shared keys or tokens, or dongles that are attached to devices, these provide a very low level of uniqueness in terms of enforcing identity. And when we can’t manage the identity, it becomes very difficult to enforce accountability. How do we make somebody accountable for the actions that have been undertaken using that account linked to an identity, if the credentials managing that account are shared?

Identification proofing can help us with this. This can help us to tailor the level of assurance we need through the proofing service, through the enrollment in the proofing services. So the identification proofing is the process of establishing an identity. How do we know you are who you say you are? We want to consider the breadth of evidence that we’re going to require, the strength of the evidence that we’re going to require, and any validation or verification processes associated with that evidence. It may be that we want to consider the history of the user’s activity at some point in the future, in which case, the level of assurance around the identity may become increasingly important.

I’m guessing you guys have had similar experiences to me, in that people write passwords down for their endpoint computing device, for their laptop or their desktop computer. And then what happens is that the unique credential that has been issued becomes meaningless in terms of establishing any kind of accountability, any kind of assurance that that individual is who they say they are. And I’ve been involved in court cases where that has been fundamental in terms of undermining the strength of evidence against somebody.

So identity proofing services help us to verify people’s identities before the enterprise issues an account, and that the credentials can then be based on the life history or the transaction information aggregated from either public sources or proprietary data sources. If we think about establishing an employee record, we may want identity proofing documents, such as passports, so public documents. We may want more proprietary data sources, and we’ll look at some of those and how they work in a moment. So these services can be used as an additional interactive form of authentication. So this can help us with risky transactions, where we’re accessing sensitive data. Think about this when we look at adaptive authentication a little later on.