Digital Identity: easier said than done
Digital progress is famous for its incredible speed. No other technology compares to information technology, where disruption is the norm. If Moore’s law could have applied from the early 1970s to automobiles as well as computers, then it is reckoned that a VW Beetle today could go 300,000 miles per hour, get two million miles per gallon, and would cost four cents to buy outright.
Yet the same cannot be said of Digital Identity. Eminent financial services commentator Dave Birch says “we are getting nowhere on digital identity, while identity fraud continues to spiral out of control and we are drowning in fake news”. The program for the TechVision Research “Chrysalis” conference this month stated that “[if digital identity] problems were easy to solve, we wouldn’t be debating some of the same issues we were discussing 30 years ago”.
Something’s amiss with Digital Identity. It can’t be that hard to solve.
There is broad agreement that, as a rule, we should avoid identifying users when it’s not strictly necessary. Surely therefore “identity” is not the right word for what we’re trying to solve online. Consider that Self Sovereign Identity (SSI) is one of the dominant themes in the field today, yet the Sovrin Foundation chair Phil Windley has said that “in SSI, there’s no artefact called an identity”.
Authentication doesn’t necessarily mean identification. If we can at least agree on that, then allow me to set out a more elegant and yet more powerful way of framing how we decide to deal with people and things online. No radical change is suggested; in fact I will draw on concepts that are as old as e-commerce itself.
What is Digital Identity about?
Attitudes to Digital Identity vary, from Kim Cameron’s pragmatic idea of “claims made about digital subjects” through to Windley’s vision of a “life-like identity [for our] digital lives”.
No matter how we define them, digital identities are representations of people or other entities (including inanimate objects) which are relied upon by others online. There are many ways to convey identity information, including account names and numbers, shared secret or static passwords, one-time dynamic passwords, authorization tokens, biometrics, digital certificates and “verifiable credentials”.
So when Alice wants to make sure it’s truly “Bob” she’s dealing with in the digital domain, there are a great many signals at her disposal.
Where’s the real Bob in all this? He’s sitting somewhere “IRL” at one end of a chain of electronic processes leading to the signals received by Alice. The signals comprise text and numbers, possibly images, cryptograms, hashes, certificates or other data structures which are processed and interpreted by Alice (actually by her hardware and software) so she can satisfy herself she’s really dealing with Bob.
So, when it comes to authenticating Bob in any electronic channel, all Alice has to go on is data. Bob is not directly visible; he is revealed only by data.
It’s the data, stupid
If the reality is that data is all we’ve got, then digital identity can be made more elegant.
At the dawn of e-commerce in the late 1990s, the APEC Business Facilitation Steering Group developed comprehensive guidance on electronic authentication with the aim of expediting digital transactions across 20-odd member economies. Technology neutrality was essential, for e-business rules and laws were yet to emerge, and it wasn’t clear which technical protocols would be dominant. Furthermore, APEC members spanned a great range of cultural and political approaches to real world identity, from libertarian to authoritarian.
To pave the way to international harmonisation, it was vital to frame authentication without dependence on national or “legal” identity. So APEC came up with a dry functional definition of authentication which didn’t make reference to identity at all:
The means by which a receiver of an electronic transaction or message makes a decision to accept or reject that transaction or message.
In plain language, authentication boils down to three questions, the first of which is:
1. What does Alice need to know about Bob to allow her to deal with him in a particular context?
The things that matter vary of course from one type of transaction to another. For instance, if Alice is a merchant and Bob is her customer, then she might need to know his credit card number.
The validity of information about people generally comes from the source. So the next question is:
2. Where will Alice get the information she needs about Bob?
Continuing the credit card example, the preferred source of the account number is the card-issuing bank. For Card Present transactions, the PAN is obtained directly from an official plastic card.
Generally speaking the acceptable (sometimes compulsory) sources are known in advance and can be codified in the transaction software. So at design time, decisions are made about what information the Relying Party (Alice) will need to know about her Subject (Bob) in order to accept him at transaction time. Which brings us to a third plain language question:
3. How will Alice know if the information about Bob is fit for purpose?
The veracity of data retrieved from a credit card in Card Present transactions is substantiated by physical security features or cryptographic measures in chip cards. (On the other hand, the security of Card Not Present (CNP) internet payments lags the Card Present mode by at least a decade, with no proper integrity protection for online customer data yet deployed at scale; CNP fraud is now running at many tens of billions of dollars annually and is growing at around 20 percent year-on-year.)
The evolution of data carriers
I’ve used credit cards to illustrate important facets of authentication; let’s look more closely now at the patterns and lessons that the cards industry provides for data quality.
A credit card is fundamentally a data carrier used to present an account holder’s bona fides to a merchant. At the time a purchase is transacted, the merchant only needs to know that the customer’s account details are genuine and correct, and then the account details are pushed into the card scheme network for settlement. Modern card technology and infrastructure, universally familiar and trusted by customers, provide a model for personal data protection at scale. The key lies in how data carriers have become more active over the decades.
The payment card industry has progressively adopted more robust forms of data carrier:
- the original paper charge cards in the 1950s were transcribed by shopkeepers by hand
- embossed plastic cards were copied onto carbon paper by “Click-Clack Machines”
- magnetic stripe cards allowed automatic reading by electronic terminals
- chip cards are also read automatically but with crucial differences under the covers to improve the reliability of the data
- today’s smart phones with embedded cryptographic secure elements can mimic chip cards (and bring added functionality such as in-app payments, mobile wallets for multiple accounts, and extra security).
The plastic card spread beyond banking to become a near-universal form factor for holding and presenting account information. The transition from mag stripe to chip has occurred within the UX envelope of the plastic card. Some non-payments cards -- such as driver licences and student cards -- are also transitioning to chip, where the need to protect increasingly valuable and vulnerable account data warrants the marginal cost increase.
Mag stripe fraud is enabled because a card terminal cannot tell the difference between an original stripe and a copy; data encoded on a magnetic medium has no provenance.
The point of a chip or “smart” payment card is to protect the presentation of cardholder data. While the cardholder data in a chip card is basically the same as that coded on a magnetic stripe, the way it is transferred from card to terminal is special, and mitigates tampering, counterfeiting or interception and replay of data in illicit transactions.
A mag stripe reader transfers a plaintext copy of the account number and other details from the card to the merchant terminal, which then passes them into the scheme network along with the transaction price that is owing. The read process is passive; cardholder data is simply extracted from the data carrier. A fake or cloned card presented to the reader cannot be distinguished from the genuine article.
With a chip card, the terminal first sends the purchase details into the card’s embedded microcontroller, which joins the purchase with the account holder data and digitally signs the combination before returning the result to the terminal. The digital signature renders each transaction payload unique to the card, unique also to the purchase, and prevents substitution of stolen customer data or tampering with the transaction. As mag stripe technology is phased out, raw customer data will become less and less useful to criminals.
The more things change, the more they stay the same
A critical point about the introduction of smarter data carriers into the credit card schemes was the minimal impact on customer experience, scheme rules, cardholder contracts, billing, and merchant service agreements. The backend infrastructure for settling transactions among banks and merchants remained completely unchanged. The transition to chip centred on the card reading equipment where it addressed just one problem: the provenance of the cardholder data presented to the terminal.
A thoroughly standardised CX is a special achievement of the payment card industry. Bank customers enjoy an array of competitive card brands, payment products and offers, yet all cards work exactly the same, and all provide the same high levels of security and privacy.
Smart data carriers and data quality
To summarise, chip cards and functionally equivalent smart payment phones fundamentally protect the quality of critical data, as follows:
- Consent: each fresh transaction is digitally signed automatically and seamlessly for the customer, using a private key, unique to them, held in the chip.
- Provenance: customer details are certified by the issuing bank through a digital certificate bound to the customer-specific private key.
- Possession: the fact that a card or phone was unlocked by a PIN or biometric proves to a reasonable degree of confidence that the device was in the possession of the rightful customer when the transaction was generated.
- Privacy: the accuracy and provenance of customer data presented by chip makes the transactions reliable without further identification and exposure of personal data.
- Originality: provenance and proof of possession allow a relying party to tell the difference between original customer data and data that has been counterfeited or stolen and replayed.
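The contrast between the passive mag stripe read and the chip card’s purchase-bound payload, and the consent, provenance, possession and originality properties just listed, as an added Python model (not code from the article or from any card scheme): an issuer-personalised card key and an HMAC cryptogram stand in for the private key and digital signature the article describes (this MAC form is how EMV online application cryptograms actually work); the PAN, master key, amounts and nonces are constructed sample values.

```python
import hashlib, hmac, json

PAN = "4000000000000002"                          # constructed test PAN, not a real account
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"

def card_key(pan: str) -> bytes:
    """Issuer derives a card-unique key from its master key when personalising the chip."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()

def cryptogram(key: bytes, payload: dict) -> str:
    """MAC over the canonical payload; stands in here for the chip's transaction signature."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def magstripe_read(track: str) -> dict:
    """Passive read: the terminal copies the stripe verbatim, so a skimmed copy reads identically."""
    pan, expiry = track.split("=")
    return {"pan": pan, "expiry": expiry}

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0  # atc: application transaction counter
    def authorise(self, amount_cents: int, terminal_nonce: str) -> dict:
        """Terminal pushes the purchase in; the chip binds it to its account data and MACs the lot."""
        self.atc += 1
        payload = {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "nonce": terminal_nonce}
        return {**payload, "cryptogram": cryptogram(self.key, payload)}

class Issuer:
    def __init__(self):
        self.last_atc = {PAN: 0}  # accounts on file -> highest counter already seen
    def decide_stripe(self, read: dict) -> str:
        return "accept" if read["pan"] in self.last_atc else "reject: unknown card"
    def decide_chip(self, txn: dict) -> str:
        payload = {k: txn[k] for k in ("pan", "amount", "atc", "nonce")}
        if not hmac.compare_digest(cryptogram(card_key(txn["pan"]), payload), txn["cryptogram"]):
            return "reject: cryptogram mismatch"  # tampered, or generated without the chip's key
        if txn["atc"] <= self.last_atc.get(txn["pan"], 0):
            return "reject: replay"  # this counter value was already spent
        self.last_atc[txn["pan"]] = txn["atc"]
        return "accept"

def demo() -> dict:
    issuer, track = Issuer(), f"{PAN}=2812"  # a skimmed stripe is a byte-for-byte copy of track
    card, clone = ChipCard(PAN, card_key(PAN)), ChipCard(PAN, b"skimmed-pan-only")  # clone lacks key
    txn = card.authorise(4999, "nonce-1")
    return {"stripe_genuine": issuer.decide_stripe(magstripe_read(track)),
            "stripe_skimmed": issuer.decide_stripe(magstripe_read(track[:])),
            "chip_genuine": issuer.decide_chip(txn),
            "chip_tampered": issuer.decide_chip({**txn, "amount": 499}),
            "chip_replayed": issuer.decide_chip(txn),
            "chip_cloned": issuer.decide_chip(clone.authorise(4999, "nonce-2"))}
```

The stripe skim is accepted exactly like the genuine read, while the chip clone, the altered amount and the replayed payload are each rejected by the issuer.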
So what?
Why does it matter if we reframe Digital Identity in these more objective terms? Elegance for starters: taking subjective loaded terms like “identity” and “trust” out of everyday cybersecurity considerations would help streamline analysis and design.
We should also save time expended in philosophical arguments. While the sociology and other isms of identity are important and inexhaustible, a more cut-and-dried demarcation between the digital and the organic could improve authentication practice.
Authentication data is a special case of personal data. We could now take the lessons of the IDAM industry and leverage personal cryptographic data carriers as universal infostructure to protect personal data across the Digital Economy.