Sorting out the identity crisis

Our lives are full of identity credentials and devices – ID cards, credit cards, keys, travel passes, drivers' licences, insurance cards, passwords, PINs, and National Insurance numbers.   In today's connected and automated world, these identity tokens give us ever more access to services and privileges.  However, there are three critical flaws with all of these forms of identity that threaten to undermine their use.

Firstly, they are distinct “things”, which means that they can be stolen and counterfeited.  Secondly, they are not intrinsically tied to the owner, so that any thief can use them once stolen.  And thirdly, they are openly and directly proffered by the owner to the validating party, which means they can be intercepted during the transaction and false identities can be injected in the same channel.

These inherent flaws make it virtually impossible to prevent theft and fraudulent use.  The only solution to these problems is to switch the paradigm – from identity tokens (cards, passwords and PINs) to mobile identity.  With mobile identity, your identity is only ever stored in an ‘identity bank’, and your smartphone is used to authorise the identity bank to share your identity with another of its member organisations.  This is not a huge leap of faith and parallels already exist: cheques and credit cards, for example, have eliminated the need to physically exchange cash to pay for goods or services, or initiate an exchange of funds electronically between financial institutions.

The truth is that the technology exists to empty our pockets of everything except the smartphone and loose change – with the arrival of wearable technology even the days of the pocket might be numbered!

Mobile identity eliminates the need to carry and exchange identity credentials.  If the mobile phone is intrinsically tied to its owner through biometrics, then only the owner can authorise his or her credentials to be shared.  And if both parties belong to the same identity exchange, then cryptographic technology can ensure that the identity exchange cannot take place with thieves, which would give them access to an individual's identity.  Mobile identity will allow users to complete transactions online, face-to-face, and over the phone, as well as open physical doorways, log in to applications and ultimately unify their lives into a single secure identity.

For some security professionals, the idea of one device being responsible for every aspect of your security credentials and identity is one that will set alarm bells ringing.  But let's be realistic: what we have now is not secure and is making life complicated for us as consumers and enterprise users.  The solution described above requires three-factor authentication through something you have, something you are, and something you know – biometrics is a critical part of this new paradigm, ensuring that identities cannot be compromised or stolen.

We have lived with physical tokens of identity for thousands of years and with passwords for over sixty years.  Nothing that we haven't already tried can make them truly secure and, by any measure, we are in a very poor state.  The world is becoming a cyber-mobile dominated world where more services, more money, more privileges are going to be conveyed to people through cyberspace … and all of it depends on proof of identity.  We need something new, or the cost of fraud will become overwhelming on a personal and business level.

Contributed by Nick Barth, UK sales engineering manager at MicroStrategy

