Business, Technology, Culture, & Ideas That Matter

Do I Know You? Identity Authentication in the Real and Digital Worlds

I had occasion recently to sit down to talk with Reliable Identities Wes Kussmaul, accomplished entrepreneur, author, and prolific Internet tinkerer.  Wes experienced early success founding the Delphi Internet service.  (Some of the more seasoned among you may remember Delphi as being one of the early online services, along with CompuServe, Prodigy,  and AOL.)

These days, Wes is talking about another frontier – identity authentication.  It is interesting to think that we are as inattentive to establishing and authenticating everyone ‘s digital identity as we are focused on proving and authenticating people’s identities in the real world.

Think about this.  Think of the number of real-world transactions you engage in during the course of each day, each week, each year, and how many times you are asked to provide proof of your identity using your birth certificate, driver’s license, social security number, or passport. Each of these pieces of documentation is based on one or another form of face-to-face authentication.  In this way, isn’t nearly every significant real-world interaction based upon some form of face-to-face authentication?

To operate a motor vehicle you need both a driver’s license (which includes a face-to-face authentication) and an automobile registration (and, often, insurance, as well).  To operate on the Internet, you need only a username and password, and the nearest internet cafe.

The “wild, wild west” metaphor may be over-used, but it remains relevant, and many times we never really know with whom we are interacting.  Yes, our access credentials get authenticated every time we log onto a specific website, and OpenID is making this easier for us every day.  However, who are we really interacting with on the internet, and how do we know who we are interacting with?  In the worst case scenarios, there have obviously been too many well-publicized stories of people taking advantage of the veil of secrecy and deception afforded them by the Internet to tragic ends.

Wes Kussmaul has given no little thought to the lack of identity authentication in the digital world, proposing his ideas – among other places – to the International Telecommunications Union, and in at least a couple of books, the most notable of which is Quiet Enjoyment.  (Wes and PKI Press have provided copies of Quiet Enjoyment and another Wes Kussmaul book, Own Your Privacy to me.)

Quiet Enjoyment (PKI Press, 2004)

One of Wes’ more compelling ideas for me is around the concept of identity quality.  It is possible, Wes believes, to construct quantitative ways to measure the quality of an identity authentication.

Conceivably, then, this provides a range of identity authenticity which could then be applied to the type and  level of access that a person wanted.  Just as we have seen differentiated levels of service at the airport provided to people who choose to pay for to have their identities authenticated, there could possibly be differentiated levels of access to websites on the Internet based on the quality of an identity authentication.  So, for example, perhaps not everyone gets equal access to a teen chat site where there is the danger of someone impersonating a teenager for malicious purposes.

Some aspects of these ideas are likely to be more challenging, in practice if not in acceptance.  The idea seems to be that people would be issued a certificate of authenticity, attesting to the authenticity of your identity, much as a notary public attests to the authentic correspondence between your identity and your written signature today.  There are, however, qualitative differences between the kind of identity authentication that Wes seems to be proposing and the function of notary public, which raises some questions about scalability, privacy, and the balance between security and convenience.

On the issue of anonymity, Wes is quick to point out that identity authentication and anonymity are not mutually exclusive, and that the intent of identity authentication is not to render anonymity obsolete.

There are, I find, at least a couple of difficulties in this discussion:

  1. Inevitably, the discussion gets down to a technical level that some may find challenging – two-factor vs. three-factor vs. x-factor level authentication; Private/Public key infrastructures, and things like SAML; and
  2. Definitions (trust, authenticity, access, authorization…): these are words that (a) have both real-world and digital-world meanings, and (b) in either world, have widely varying usage and meaning according to the context.
  3. The question about identity authentication too often gets buried or lost, it seems to me, under the weight of focus given to identity theft, a related, but separate issue, and authorization and access – how identity is applied at the application layer.

The type of identity authentication that Wes is talking about, however, is not system- or application-level access authorization, and so is separate and distinct from the sort of credentials authentication that is embodied most often in what is called identity access and management (IAM) solutions.

Quiet Enjoyment is not a book for the timid – its table of contents runs 10 pages.  But it will make you think more deeply about trust, identity, identity authenticity, and many of the issues involved with how we trust the identity in the digital world.  Wes seems to argue that we are at, or nearing, an inflection point, and I am not so sure that he is wrong about that.  Former Secretary of Homeland Security Michael Chertoff was quite compelling, I thought, when he spoke – on more than one occasion, I believe – about identity being a critical asset, and becoming even more so with every passing day.  Wes Kussmaul’s ideas and efforts to address the issue are worthy of greater discussion.

Recommended Reads:


November 11, 2009 - Posted by | Technology | ,

1 Comment »

  1. Bob:

    I enjoyed your post. You get right to the heart of a key issue that we must deal with in Identity Management – is the person who presents identity credentials really the person he or she claims to be? That process of matching “real life” identity with corresponding “digital identity” must be sufficiently rigorous to match the risk profile of the data or systems we are trying to protect.

    Some additional thoughts are included as a comment on my blog post:



    Comment by Mark Dixon | November 12, 2009 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 1,544 other followers

%d bloggers like this: