Identity (Management) Crisis (Part 2): Everything you (think you) know is wrong

If you would like to read the other parts in this article series please go to:

• Identity (Management) Crisis  (Part 1): The evolution of identity concepts
• Identity (Management) Crisis  (Part 3): Solving the Identity Problem
• Identity (Management) Crisis (Part 4): Selecting a Comprehensive Identity Management solution

Introduction

Last month, in Part 1 of this series, we delved into the meaning of “identity” – both in the overall scheme of human interactions and in the computer networking world – and how the meanings have evolved over the years. Unfortunately, much of what we think we know about identity proves, upon closer examination, to be either only partially true or completely false. Perhaps the biggest hurdle for IT personnel to get over is the idea that identity is just about account names and passwords (or other authentication credentials).

Names don’t equal identity

Names are the primary means by which most of us identify people (and objects, too). In the English language, names that identify specific individuals or entities are called “proper names.” Research has shown that even some non-human species (such as dolphins) appear to use names, of a sort, to differentiate between one another. In some societies, names are closely guarded and revealed only to trusted others.

In IT, names are often required to gain access to a resource. User account names are one part of the set of information required to log onto a computer or to access a protected resource on the system or across the network. Server names may be required to locate a network resource. The combination of server name, domain name and file name are required to access a web page – although  sometimes we aren’t required to provide all of the information; for example, if we point a web browser to www.mydomain.com, we have provided the server name (www) and the domain names (mydomain and .com) but we didn’t have to type in the file name (e.g., default.htm or index.html) because it is assumed if we don’t enter another file name.

In the “real world,” many different people can have the exact same name, spelled the same way. All those John Smiths out there can easily be confused with someone else. In an IT system, user account names are generally required to be unique within that system. Thus we see user names such as jsmith392. 

As important as names are, it’s important to remember that a name is really only a descriptor. Whether you refer to me as “Debra Shinder,” as “the author of Identity (Crisis) Management,” or as “the 5’4″ redheaded female in the green sweater,” you’re talking about the same person. However, only two of those three descriptions are specific (there are likely to be many 5’4″ females wearing green sweaters in the world on any given day). Only one of them is permanent – I could dye my hair or even legally change my name, but once I’ve written this article, I will always be the author. Only one is “official,” in that it’s on my government-issued documents. Names can be changed – via a court order, through marriage, or in some jurisdictions under common just by adopting and using a new one. The point is that your name is not you.

In IT, user names can be changed, too. In most systems, this can be done fairly easily, precisely because although the name is the information we humans use to identify the account, it’s not what the system uses. The system generally uses an underlying alphanumeric character string, which in Windows systems is called the SID or Security Identifier. The name associated with that SID is just one of its properties and can be changed.

Authentication credentials don’t equal identity

What we commonly refer to as “identity theft” is usually really the theft of credentials that are associated with a particular identity. Stealing your password doesn’t really constitute theft of your identity – but it does allow the thief to impersonate you. This works only with an unsophisticated/unaware system that relies solely on those credentials to identify you and makes the assumption that you are the only one who could possibly know that password.

Going back to the real world comparison, if someone uses your name and perhaps has one of your credit cards in his/her possession, a merchant who doesn’t know you may have no reason to think the card is stolen. A more sophisticated/conscientious merchant might ask for photo ID along with the credit card, to verify that it’s really you. A merchant who actually knows you will know immediately that it’s not you, even if the thief’s general physical appearance is similar to yours.

Even if a person had plastic surgery to make him/her look just like you, your close friends and family members would know it wasn’t you, at least after a bit of interaction, because that person could possibly have all of your memories or recall all of the shared experiences, little “inside” jokes and so forth that make up a relationship.

A sophisticated IT authentication system must require more than just the right name and password. You’ve probably noticed that recently, protected web sites have started using other, additional methods to verify your identity along with the usual credentials. They might ask you to provide the answer to a personal question such as the amount of your monthly mortgage payment. They might have you select a photo that you’ll have to pick out of a group of pictures each time you log on. There are many different ways to make the identity verification process more difficult for an imposter to “pass.” The trick is to make it very hard for an imposter but very easy for the “real you.”  In Part 3, we’ll be looking at different methods and how to determine which work best in a given situation.

The multiple identity dilemma

One thing that complicates identity management is the sheer number of identities that each of us may assume in the legitimate course of living our lives. In real life, although most of us use the same name for most of our interactions, we play many different roles depending on where we are and with whom we’re interacting.

Sometimes these differences are so extreme that descriptions of the same person in different situations would lead one to believe that “We must not be talking about the same Mary Smith.” You might be shy and reticent at home but outgoing and boisterous in public – or vice versa. You might be all business at work but playful and silly with old college buddies. You might be prim and proper in front of your parents but provocative or even offensive after a few drinks at a bar.

Some people even live real “double lives,” not just acting differently but establishing separate official identities. We’ve all seen it in the movies – usually involving a government spy or corporate espionage agent. We’ve read the newspaper stories about the mild-mannered salesman who has wives and families in different cities. And of course, there is the psychiatric condition, what was once called “split personality” or “multiple personality disorder” and is now termed “dissociative identity disorder,” in which a person displays “alters” – distinct separate personalities, each with its own perceptions of the world.

In IT, most of us have many different identities – which generally translates to many sets of user names and passwords (and/or other authentication credentials). We have a name and password for logging onto our home computers, another for logging onto work computers, another for online banking web sites, another for paying our electric bill, one for buying stuff from Amazon, one for sharing with friends on social networks, and on and on and on. It’s not at all unusual to have twenty or more different online accounts for managing different aspects of our digital lives.

Just managing all of your personal identities can be a challenge. IT departments have even more of a challenge, with the necessity of managing hundreds or thousands of users’ identities. Some individuals take the easy way out, and use the same name and password for all of their accounts. It simplifies things, but poses a big security threat: If that set of credentials is compromised, all of your accounts are at risk.

Others use a makeshift method of “tiered” credentials. You might have one username/password that you use for not-very-important accounts, such as logging onto a news site to read its stories or an IT forum to ask/answer tech questions. Then you have another account that you use for higher security sites, such as Facebook or Google (where you share personal information). That password might be longer and more complex. You could have yet another set of credentials, with a much more difficult password/passphrase, for banking sites or those where you enter credit card information or other financial data.

One identity to rule them all

Single Sign-on is considered by some to be the Holy Grail of identity management. This refers to the ability to log on once and gain access to multiple systems. This differs from using the same credentials for multiple accounts in that:

1. With identical credentials, you still have to log into each system separately; you just don’t have to remember multiple names and passwords.

2. With single sign-on, you still have different credentials for each of the systems, but all of these are stored by the SSO system and entered automatically in the appropriate system after you’ve logged on with your “master” SSO account.

We’ll look more closely at Single Sign-on solutions in Part 3.

Sometimes having only one identity, even within a single system, can be problematic. Some popular social networks, such as Facebook and Google+, have garnered user complaints about their policies prohibiting users from having multiple accounts and/or requiring users to use their “real” (legal) names on their accounts. Many people want to have one account for work associates and another for personal friends, for example. Some want to use a pseudonym as an account name because that’s the name by which the public knows them (authors who use pen names, actors who have stage names, etc.). In some cases, it may even be dangerous for a person to use his/her real name because of dictatorial laws or political issues in countries where any hint of dissent can be punishable by death.

Summary

Your identity is much more than a set of credentials, but protecting your credentials is an important part of operating securely online. In Part 3, we’ll look at some identity management solutions, and in Part 4, we’ll wrap up this series with some speculation about the future of identity in an increasingly networked world.