What is Identity Management

Kaliya-IdentityWoman
Thoughtful Biometrics
6 min read · Feb 23, 2021

I’m co-organizing the Thoughtful Biometrics Workshop March 8, 10, 12.


We are bringing together many different types of people who all have an interest or stake in biometric technology. These are technologies that measure the human body; my colleagues have written great introductory posts about the different modalities.

There are a ton of questions: What are good uses of biometrics? What are bad uses? How do systems that leverage biometric measurements actually work? How do they fit into bigger systems? What are the implications of different uses? These are all critical topics that we will cover in the conference.

This post complements their excellent posts and helps lay the groundwork for the conversations above by walking through some of the core terms of Identity Management. It pairs with the next post, which covers the Domains of Identity, the subject of my Master's report published last year.

Who am I? Who are you? What does it mean to be human? These questions have been at the heart of human cultures for millennia. Identity management processes do not try to answer them.

Identity management processes emerge when people in contemporary society engage with institutions. These institutions (governments, schools, hospitals, stores) all need to keep track of the people they interact with over time. To do this they do a few things that together we call Identity Management. This article works through several of the key terms and explains them.

Enrollment or Registration

When a person first encounters an institution there is no relationship between the two.

The step that takes someone from having no account to having an account or record in a system is called enrollment or registration. Different systems do this differently and have different needs.

When you create a new account on a digital service you are typically asked for a few pieces of information: your name, the user-name you would like on the site, and an e-mail address or phone number, that is, a communication channel the service can use to reach you. Before finalizing the account the system might ping you on one of those channels to confirm that you really are in control of that e-mail address or phone number. These are the registration requirements for this system; other systems have different ones.
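The channel-confirmation step described above, worked through as an added example (this is not code from the original post or from any particular service). It assumes a service that records one pending registration per e-mail address, keeps only a hash of the one-time token it sent, and accepts that token once, before a 15-minute expiry. Delivery of the token over e-mail or SMS is out of scope; the function simply returns it. The `now` parameters exist so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # how long a confirmation token stays valid (assumed policy)

# In-memory registration state standing in for a database. Constructed for this example.
# email -> (sha256 hex digest of the token we sent, expiry as a Unix timestamp)
PENDING: Dict[str, Tuple[str, float]] = {}
CONFIRMED: Set[str] = set()


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_registration(email: str, now: Optional[float] = None) -> str:
    """Step 1: the user gives us a channel. Mint an unguessable one-time token for it.

    Only a hash of the token is stored, so a leaked PENDING table does not let an
    attacker confirm other people's accounts. The plain token is returned to the
    caller, which would send it over the channel being verified.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    PENDING[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def confirm_registration(email: str, presented: str, now: Optional[float] = None) -> bool:
    """Step 2: the user comes back with the token. Accept it once, and only before expiry.

    Production code would also limit the number of attempts per pending entry; that
    is omitted here to keep the control flow visible.
    """
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False  # nothing pending for this channel
    expected_digest, expires_at = entry
    if now > expires_at:
        del PENDING[email]  # stale token: the user has to restart registration
        return False
    if not hmac.compare_digest(_digest(presented), expected_digest):
        return False  # wrong token; the pending entry is left in place
    del PENDING[email]  # single use: a replayed token must fail
    CONFIRMED.add(email)
    return True


def is_confirmed(email: str) -> bool:
    return email in CONFIRMED
```

The two properties worth copying are the hashed token at rest and the deletion of the pending entry on success, which is what makes a confirmation link useless if it is forwarded or replayed after first use.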

To register for a bank account you will be required to present documents, issued to you by the state, that prove your identity. These are known as know-your-customer (KYC) requirements.

When you register as a new patient at a medical practice you will be asked to fill out a questionnaire about your health history. Different organizations have different enrollment processes based on their needs and their regulatory requirements.

Authentication

This is often abbreviated AuthN.

Before an actual authentication event can happen, the enrollment process has to establish some means of authenticating the person later: something that lets a returning person prove they are indeed the same person who created the account in the first place when they come back to the institution or organization to do a transaction.

So a digital service will likely also ask you for a password when you register. This is known as a shared secret: both you and the service know it. Typing this "secret" word into a form after you share your user-name gives the site a way to authenticate that it is you returning to interact with it again. (A well-run service never stores the password itself, only a salted hash of it, so that a stolen user database does not hand the attacker everyone's secret.)
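The shared-secret flow, as an added example that is not code from the original post: enrollment stores a salted, stretched verifier rather than the password, and authentication recomputes the verifier from the presented password and compares it in constant time. The in-memory `ACCOUNTS` table and the 600,000 PBKDF2 iterations are assumptions for the example (the iteration count follows current OWASP guidance for PBKDF2-HMAC-SHA256 and should be tuned to your hardware).

```python
import hashlib
import hmac
import os
from typing import Dict

# In-memory account store standing in for a user database. Constructed for this example.
ACCOUNTS: Dict[str, dict] = {}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; see lead-in


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the shared secret so an attacker who steals ACCOUNTS cannot test guesses cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(username: str, password: str) -> dict:
    """Enrollment: create the record. The password itself is never written anywhere;
    only a per-user salt and the verifier derived from the password are kept."""
    if username in ACCOUNTS:
        raise ValueError("username already registered")
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "verifier": _derive(password, salt, PBKDF2_ITERATIONS),
    }
    return ACCOUNTS[username]


def authenticate(username: str, password: str) -> bool:
    """AuthN: prove the returning person knows the secret established at enrollment.

    Unknown usernames go through the same derivation against a dummy record so that
    response time does not reveal which user-names exist."""
    record = ACCOUNTS.get(username)
    if record is None:
        record = {"salt": b"\x00" * 16, "iterations": PBKDF2_ITERATIONS, "verifier": b"\x00" * 32}
    candidate = _derive(password, record["salt"], record["iterations"])
    # compare_digest runs in time independent of where the first mismatching byte is.
    return hmac.compare_digest(candidate, record["verifier"]) and username in ACCOUNTS


def stored_record_contains(username: str, password: str) -> bool:
    """Helper for checking the design property: the plain secret must not be in the store."""
    record = ACCOUNTS.get(username)
    return record is not None and password.encode("utf-8") in record["verifier"]
```

Note that the only thing the service can do with the stored record is check a candidate password; it cannot recover the original, which is exactly the asymmetry you want between the person who knows the secret and the system that merely verifies it.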

For a higher security account (e.g., a bank account) they will likely mail you a bank card and, separately, a PIN (a password) associated with the card. The card is an example of something-you-have: possession of the bank card is the proof. The PIN is something-you-know, so card plus PIN combines two different factors. When I get to the ATM, or present myself to the teller, and present the card and enter the PIN on a pad, the system checks that the card is associated with my account and that the PIN matches.

Some systems also collect a biometric reading, like a face or a fingerprint. When I was enrolled as an employee of the community college where I work, they took a photo of me and put it on my employee badge. Later, someone can match, or authenticate, the person they see walking down the hallway at school against the picture on the employee badge and know that I am indeed a teacher there. This happens with student ID cards too. The photo of the student is placed on the card, so when they present it the person looking at the card can "biometrically match" the photo to the person.

An advanced system might also capture a physical biometric like a fingerprint. In that scenario a person re-presenting themselves to the system declares the identifier the system knows them by and presents their fingerprint. The system then compares a template derived from the presented fingerprint with the template captured at enrollment and kept on file: a one-to-one verification against that one record, not a search through everyone enrolled.

Binding

This is a term particular to documents about people. It is one thing to create a document, another to create a document about a particular person, and another again to know that the person presenting it really is that person. The process of linking the information on a particular document or credential to the particular human body that is that person is known as binding.

There are several layers to this challenge. One is the business process behind how an issuer like the State Department, which issues passports, or a state's Department of Motor Vehicles, which issues driver's licences, does its identity proofing and checking of people before issuing them a credential with their picture on it.

To take a more pressing current issue: how is a person who has had a vaccine or a covid test actually linked, or bound, to the certificate of vaccination or to the results of the test? Right now there is a whole sub-group working on solving this problem.

Authorization

This is often abbreviated AuthZ. Authorization is what happens in identity management systems after authentication. Once a system knows that it is indeed MickyMouse123 logging into the account, the question is what that account can do in the system. Are they authorized to post content? Maybe, maybe not. This may not be something you think about too much when using consumer web tools, because it seems like you are just a user there and everything is fair game.

Authorization is a much bigger deal when it comes to how employers manage employee accounts. Which systems an employee can access, and what permissions they have in those systems, really are critical. An employer has to manage very carefully who has the ability to write checks, or who can get in and see certain business numbers.

I run lots of events, and in the tool Eventbrite I can add team members and give each of them different permissions, or authorizations.
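The team-member permissions idea, worked through as an added example that is not code from the original post and is not Eventbrite's actual permission model. It assumes a small role-based scheme in which a role is granted on one specific resource (one event), the check is default-deny, and the sensitive operation itself performs the check rather than trusting that the UI hid the button. The role names, permissions and event identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Role -> the actions it grants on a single resource. Constructed for this example.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "owner":   frozenset({"view", "edit", "publish", "issue_refund", "manage_team"}),
    "editor":  frozenset({"view", "edit"}),
    "finance": frozenset({"view", "issue_refund"}),
    "viewer":  frozenset({"view"}),
}


@dataclass
class Principal:
    """An already-authenticated user. AuthZ starts from the identity AuthN established;
    it never re-derives who the user is from data in the request."""
    username: str
    roles: Dict[str, str] = field(default_factory=dict)  # resource id -> role on that resource


def grant(principal: Principal, resource: str, role: str) -> None:
    """What the organizer does when adding a team member to one event with a chosen role."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    principal.roles[resource] = role


def is_authorized(principal: Optional[Principal], action: str, resource: str) -> bool:
    """Default deny: True only if this principal holds an explicit role on this
    resource and that role's permission set contains the requested action."""
    if principal is None:
        return False  # unauthenticated: AuthZ never runs before AuthN
    role = principal.roles.get(resource)
    if role is None:
        return False  # a role on one event says nothing about another event
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def issue_refund(principal: Optional[Principal], event: str, amount: int) -> str:
    """A guarded operation: the check lives in the code path that does the sensitive
    thing, so it holds even if a client calls the operation directly."""
    if not is_authorized(principal, "issue_refund", event):
        who = principal.username if principal is not None else "anonymous"
        raise PermissionError(f"{who} may not issue refunds on {event}")
    return f"refunded {amount} on {event}"


def authorized_actions(principal: Principal, resource: str) -> FrozenSet[str]:
    """Everything this principal may do on one resource; useful for building a UI."""
    return ROLE_PERMISSIONS.get(principal.roles.get(resource, ""), frozenset())
```

The two questions from the post map directly onto this shape: "can this account write checks?" is `is_authorized(principal, "issue_refund", event)`, and limiting the finance role to `view` and `issue_refund` is how you keep the person who can move money from also being able to edit what the event says.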

Summary

Identity systems can be very complex because of the interleaving use cases and jargon across enrollment/registration, authentication, binding and authorization. Developers get anxious about forgetting some edge case, because it might have an enormous impact on usability and security. Consider just a few of the questions faced by identity system developers:

  • What if a user loses their device and forgets their password?
  • Can we trust a call center insider with super-admin privileges?
  • Am I in compliance with local, regional, and national laws regarding biometric data protection?

Such anxiety is a major barrier to digital transformation projects [Gartner]. Biometric technologies can help but bring other risks, and you should not have to become a legal, civil liberties or biometric expert to use such tools. The Thoughtful Biometrics Workshop (TBW '21) brings together developers, civil society experts and biometric experts to discuss these issues in a thoughtful, interdisciplinary forum that we hope will help you on your journey.

This article is the last in an introductory series leading up to the Thoughtful Biometrics Workshop, 8, 10 and 12 March 2021. Additional articles can be found as follows:


Independent Advocate for the Rights and Dignity of our Digital Selves. Expert and Consultant in Self-Sovereign, Decentralized (Blockchain) Identity.