When an expert like Stephen Wilson, the Managing Director of LockStep - a firm concerned with strategic research and analysis in digital identity and privacy - says that we’ve been “banging our heads against a brick wall” when it comes to identity, it’s probably time to look up and pay attention.
“One of the international trends is the attributes push,” he says. “We’ll probably make more progress if we can break down this problem. No one wants to know ‘Steve Wilson’ as an identity. What they really want to know is the name, address, date of birth or credentials or account numbers."
For example, the only thing a merchant actually needs to know about us is our credit card number. But as that number can be stolen and reused, they wind up using other attributes such as our mother’s maiden name and the CVV in order to prove ownership of the card.
Ironically, the CVV was originally used when credit cards were scanned mechanically using imprint devices. The CVV wasn't imprinted so it couldn't be stolen by dumpster divers who lifted credit card information from carbon paper.
So are biometrics the answer? Certainly, the Indian AADHAAR project’s heavy reliance on biometrics as a way of verifying identity points in that direction but Wilson is not so sure.
“I don't think we should pick it [biometrics] too slavishly. I say that for a couple of reasons. One, India is a really special case. They were very candid that there was a huge unbanked population and no proof of identity documents. On top of that, I harbour a number of concerns about biometrics,” he commented.
To reliably identify a person and to ensure that identities can’t be stolen, you need to capture a significant amount of biometric data. AADHAAR captures all ten fingers, both irises and a photograph.
“That’s the sort of capture you need to get sufficient resolution to identify one in a billion people,” he said.
Biometrics are currently in common use. For example, the SmartGate passport system uses facial recognition but is dogged by inaccuracy. The iPhone 5s recently introduced fingerprint scanning, but that was broken within days by the Chaos Computer Club. Retinal scanning is very promising, but scanning a retina takes several seconds and getting a good scan is sensitive to movement.
Wilson suggests that other mechanisms such as one-time passcode generators are a better option as they offer a superior two-factor authentication mechanism.
“You need a physical factor, a physical token that you know when you’ve lost it. The phone itself is a fantastic second factor. Credit cards, key fobs - these are truly two-factor because you know when you’ve lost them.
"I hear people talking all the time about biometrics as multi-factor but I object to that use of the term. The problem with biometrics is that you have no idea when your biometric has been stolen - you don't feel it,” said Wilson.
This is critical. It’s important to know when one of the authentication factors is lost or stolen.
So, what does this mean about the very concept of identity? Wilson says that “identity is not what we think it is”.
“We talk as though identity is a thing but it’s not. Identity is a relationship that you’ve got. We talk about federating identities as if it’s easy but it’s not. You can’t federate a relationship."
For example, having a set of accounts with one bank does not mean that you can automatically establish a new relationship with a second bank by leveraging your relationship. You have to go through the 100-point check again and create a new relationship. Similarly, every company undertakes different procedures when employing new staff.
“The practical problem is how do you leverage as much as you can from another relationship? I think you have to sequence it. You’ve got to take what I call a digital identity. You’ve got to break it down into some useful chunks. Then say, if one company knows that package of information about you, then make that information available to third parties,” he suggests.
Australia has some elements of this with the Document Verification System that allows parties to check driver’s licenses, birth certificates and passport numbers. The government is opening parts of the DVS so that businesses can verify identities. For example, this is being piloted with the online purchase of prepaid SIM cards.