Forget About Identity & Authentication (Discuss New Aproaches

From IIW

Forget About Identity & Authentication (Discuss New Approaches)


Day/Session:Wednesday 3J

Convener:Andrew Hughes & Robert Mitwiki

Notes-taker(s): Alec Laws


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


IDEA: identity is pointless in technical sense -> it doesn't exist


Identity does exist in the world, but we're not talking about identity

- talking about: authentication, credentials ...

- identity is label for collection of all of these services


in real world, no one know what 'identity' mean (as we discuss)


two things we actually do

1. authorization -> what a subject can do

2. identify the identity -> enough to look up authorization


method to identity someone, doesn't rely on any specific technique/technology

- proof of presence


Is there a way to track someone based on their patterns within an environment?

- use technology to measure


brings up identity vs identification


identity -> typically based on credential presentation

identification -> don’t actually need the credentials


to escape tracking in digital world

ex mobile device tracking patterns

- patterns stay the same even if you change devices


identification without attributes, based on patterns


crowd Q. is this surveillance-based identity

-> coopt targeted marketing as identification system

- observables


creating an identity through measurement


assumption that someone documents identity, put in a registry -> everything flows from there

another entity accepts the issued 'identity'


assume there is no such 'issued credential'

- we identify without paper/plastic credentials -> how to translate into a technical system


observed vs assigned attributes

observation to build attributes vs presentation of assigned attributes


cQ. local checking vs remote checking? different use case?

- lofty goal -> it's universal

- what is the nature of identification, how can we make this electronic

- is this device fingerprinting? this is identification


verification and proofing techniques, gathering evidence (sometimes from id docs) 

- dyn and risk based authz services, and really identification services


idproofing: linking physical identity to a person


there is no common measurement framework to express id proofing and behavioral sensing’s are in the same domain

- allows supplementation of identity documents

- companies already do this to assess fraud


can we build this common framework to link behavioral and attribute-based identity?


Why is this the right direction? (shift from identity to identification)

- we have many different credentials -> can be lost/destroyed

- people would lose id docs


What is a good threat model for this? How can it be gamed? ie spoofing of location. Once people have motivation to attack... balance between effort and benefit


authentication is tied to 'time', in reality things are strongly ordered -> very hard to tamper


challenge w idproofing -> standard writing is b/w way. either identified or not. not really how it is. Is this continuous?

move from high -> low uncertainty


cQ. what we are calling identification would be called a risk score. identification to system vs many systems

supplement identity vs identification


cQ. for this to happen and connect risk scores, we need confidence in identity to relate to the behavior. 

- start with a static proof of id and supplement with other techniques


cQ. how are scores made, and how can they be combined?

- standardization? error bars? number of sources, quality of data


what is the definition of a working system? 


never a boolean, always a degree of confidence or assurance. probability based

risk model + threat analysis + other source to mitigate/change risk and make it measurable

acr shows what the 'person' did to authenticate



what can we standardize about these processes?

Take existing stuff and make into a patterns

key thing is time/timeline -> assume time always moves forward

registrar says 'I must identify you to issue a credential'

-> you show previous evidence with correlated data

-> shared events in the past, ie reregistration of license. vehicle permits

-> artifact memorializes the interaction


ie 'when you get murdered, make sure you sync your Fitbit' Fitbit tracks liveness, timelines didn't match and threw out an alibi


can we collapse the timelines between interactions with different entities?


score and assertion measurements mechanizes so that the can be compared


how to prove you climbed a mountain? take a photo? gps? you leave an artifact at the top, the next person can verify that it's there.

-> impractically of faking

-> the artifacts that you drop on the timeline show provenance of your 'identity'


website. I encounter website for first time, no access controls (anon access). they have identified you at protocol layer (at least). They don't care about authenticity of claim (ip addr), they never authenticate but they identify. 

bank site. attempt to get $1. they both identify (username) and authenticate (with a proof)


how does this sync with privacy? access to data you need to perform this process

- private authentication assertions (zero knowledge proof) to address correlation

- ML model uncertainty vs proofs based on mathematics

- (non)independent data points -> especially when combining models

- secret algorithms 'black boxes'

27we3J.jpg

Retrieved from "https://iiw.idcommons.net/index.php?title=Forget_About_Identity_%26_Authentication_(Discuss_New_Aproaches&oldid=21959"