The Implications of Bring Your Own Identity
When I was seventeen, I played one of the greatest roles of my like: 'Mark Jannell'. A younger student who we’ll call 'Tim' (not his name, of course) had just started at my high school, and after knowing me for several weeks, asked my name. Amused that he had forgotten it, I vowed not to tell him. I stepped away from the lunch table for a few minutes, and as I headed back, a different friend intercepted me.
By Mike Kiser, Senior Identity Strategist at SailPoint
“I’ve told him that your name is Mark Jannell”. I case you missed the byline, that not my name. But for the next year and half, whenever Tim talked to me, he called me Mark. To be honest it was a struggle, answering to 'Mark' or 'Jannell' for eighteen months. And in the end, even after I told him my real name, he just opted to call me 'man' because he didn’t trust me any longer.
While I’m not proud of this deception (okay, maybe just a little), it surfaces the issues that allowing individuals to 'bring their own identity' might present.
It’s coming: the blending of identities
And make no mistake, a bring your own identity model is coming. In the past few years, our lives have shifted to a digital, online model. Whether we are interacting with our government, being production in our day job, or interacting socially, it’s increasingly online. The ubiquity of mobile devices and the recent pandemic have combined to accelerate the coalescence of the various arenas of our lives onto a single screen. And as the distinctions between these different spheres fade, so does the need to maintain disparate identities.
It rapidly becomes cumbersome to maintain separate identities for each activity, and the privacy implications of handling our entire lives over to a single enterprise or entity have already proven problematic at best. Allowing users to bring their own identity with them - controlling what portion of it is shared in each realm of interaction is emerging as a preferred model.
But like my interaction with 'Tim' portrays, there are concerns around trust and ease-of-use that identity practitioners must contemplate.
Who do you trust?
Establishing trust is the obvious backbone of any secure identity interaction. Allowing users to bring their own identity does not mean abandoning authoritative sources of information. Just as my friend acted as a source of truth about my name, trusted sources still need to exist to establish the original connection.
Trust, then, in each of these relationships between individuals and organisations must be established, but that trust cannot rely on a central service. To centralise this trust would be to revert back to a central identity provider model, something we’ve already noted we want to avoid for privacy and scale reasons. When individuals bring their own identity, components of that identity will come from variegated source: government might contribute a taxation number, a local entity might verify local residency, social organisations might verify affiliation with relevant organisations. The building up of these relationships will take time and effort; federation has been helpful on this front, but it is more focused on real time assertions about authentication and access than contributing bricks that can be used to construct identity.
This is what 'decentralised identity' (also known as Self Sovereign Identity) seeks to facilitate: the establishment of trust with numerous organisations without the creation of scores of separate identities for each relationship. Rather than 'decentralised identity', the concept (as Gartner rightly points out) should be called 'reusable identity'. Note that many analysts term this facility for establishing trust an 'identity fabric' (KuppingerCole) or an 'identity trust fabric' (Gartner).
Individuals can then initiate their interaction with another person, an organisation, or an enterprise by presenting something that the other party trusts. In reality, this is not that different than federation as it exists today, but as a wider, distributed model. It’s important to keep these overarching concepts agnostic in reference to the underlying implementation layer. Many current models use relatively standard blockchain and distributed ledger technology, but others modify the network structure with concepts such as Directed Acyclic Graphs. Regardless of the architecture, the end goal of distributed trust remains.
As the relationship deepens, the other party trusts the individual and can then 'vouch' for them. This happened with my friend Tim, who started introducing me to others as 'Mark Jannell'. You can see quickly, however, that misplaced trust or bad claims present a threat to security in this model. Distributed trust means that there will need to be methods of revocation and correction, much like the revocation of certificates does today.
This kind of system takes time to develop and cannot be done without contemplating another key component: ease of use.
Is it easy?
While the adoption of a new name was easy, it was nearly impossible to listen for a name in crowded hallways or even in everyday conversations. This made my attempt at method acting sketchy at best - I was constantly in danger of making a mistake and revealing the ruse.
Allowing users to bring their own identity must be intuitive for end users; if it is difficult to use or understand, they will introduce risk into the organisation by taking alternative paths. Steering users into a common path reduces the potential attack surface and protects the fabric of trust that was already established.
The ubiquity of mobile devices is key for future security models and solutions. A generational shift is underway in which the default interface shifts from a keyboard and a wide screen monitor to a small, touch-operated screen. The computational power of phone has increased rapidly, increasing their potential to meet the demands of advanced cryptography - which will greatly facilitate verification of assertions about identity.
Future users will not be signing up in a browser, but rather bringing their own identity, stored on their device, via mobile applications or phone-based personal assistants. Identity assertion and verification will be notification driven, last a few seconds at most. This kind of design-centred thinking inculcates best security practices in individuals without them actively thinking about it.
Think before you act
My shout stint as 'Mark Jannell' taught me a lot about trust and ease of use in a bring your own identity model. Trust, as always in security, is essential to this new class of relationships and must be established and then protected from abuse. Ease of use, it turns out, is a key factor in protecting that trust and promoting the adoption of good identity patterns. I’m sure that I could have learned these lessons in some other way, but I’ll never forget my half year answering to a pseudonym.
But if we meet at an identity gathering in the future, please just call me 'Mike'.