What is identity? It’s not what you think

When an expert like Stephen Wilson, the Managing Director of LockStep - a firm concerned with strategic research and analysis in digital identity and privacy - says that we’ve been “banging our heads against a brick wall” when it comes to identity, it’s probably time to look up and pay attention.

“One of the international trends is the attributes push,” he says. “We’ll probably make more progress if we can break down this problem. No one wants to know ‘Steve Wilson’ as an identity. What they really want to know is the name, address, date of birth or credentials or account numbers.”

For example, the only thing a merchant actually needs to know about us is our credit card number. But as that number can be stolen and reused, they wind up using other attributes such as our mother’s maiden name and the CVV in order to prove ownership of the card.

Ironically, the CVV was originally used when credit cards were scanned mechanically using imprint devices. The CVV wasn't imprinted so it couldn't be stolen by dumpster divers who lifted credit card information from carbon paper.

So are biometrics the answer? Certainly, the Indian AADHAAR project’s heavy reliance on biometrics as a way of verifying identity points in that direction but Wilson is not so sure.

“I don't think we should pick it [biometrics] too slavishly. I say that for a couple of reasons. One, India is a really special case. They were very candid that there was a huge unbanked population and no proof of identity documents. On top of that, I harbour a number of concerns about biometrics,” he commented.

To reliably identify a person and to ensure that identities can’t be stolen, you need to capture a significant amount of biometric data. AADHAAR captures all ten fingers, both irises and a photograph.

“That’s the sort of capture you need to get sufficient resolution to identify one in a billion people,” he said.

Biometrics are currently in common use. For example, the SmartGate passport system uses facial recognition but is dogged by inaccuracy. The iPhone 5s recently introduced fingerprint scanning, but that was broken within days by the Chaos Computer Club. Retinal scanning is very promising, but scanning a retina takes several seconds and getting a good scan is sensitive to movement.

Wilson suggests that other mechanisms such as one-time passcode generators are a better option as they offer a superior two-factor authentication mechanism.

“You need a physical factor, a physical token that you know when you’ve lost it. The phone itself is a fantastic second factor. Credit cards, key fobs - these are truly two-factor because you know when you’ve lost them.

“I hear people talking all the time about biometrics as multi-factor but I object to that use of the term. The problem with biometrics is that you have no idea when your biometric has been stolen - you don't feel it,” said Wilson.

This is critical. It’s important to know when one of the authentication factors is lost or stolen.

So, what does this mean about the very concept of identity? Wilson says that “identity is not what we think it is”.

“We talk as though identity is a thing but it’s not. Identity is a relationship that you’ve got. We talk about federating identities as if it’s easy but it’s not. You can’t federate a relationship.”

For example, having a set of accounts with one bank does not mean that you can automatically establish a new relationship with a second bank by leveraging your relationship. You have to go through the 100-point check again and create a new relationship. Similarly, every company undertakes different procedures when employing new staff.

“The practical problem is how do you leverage as much as you can from another relationship? I think you have to sequence it. You’ve got to take what I call a digital identity. You’ve got to break it down into some useful chunks. Then say, if one company knows that package of information about you, then make that information available to third parties,” he suggests.

Australia has some elements of this with the Document Verification System that allows parties to check driver’s licenses, birth certificates and passport numbers. The government is opening parts of the DVS so that businesses can verify identities. For example, this is being piloted with the online purchase of prepaid SIM cards.


Stories by Anthony Caruana
