The Mobile Identity Management Paradigm

What is Identity Management & Why do we need it?

Life in the online world is complicated. We have many ways in which we communicate with others through many different channels. We create a persona for each of these channels (Facebook, Twitter, Instagram, etc.), and a Username & Password is the method by which we secure each of them. A persona is defined here as my Core Identity with a few additional, or a few fewer, attributes. Each persona may know more or less about me than another persona.

Each of these channels or systems is unique and unconnected, and managing an ever-growing list of login credentials is becoming impossible.

Before we go on, let's define a few concepts:

Core Identity: A Core Identity is who we are at the root level. The Core Identity declares primacy over all personas. Our digital Core Identity must be created via a trusted process that is immutable, enduring and unchangeable.

Identity Attributes: Identity Attributes are the extra bits of information we share specific to a persona or personas.

Personas: Personas are separate identities for different environments. They contain differing attributes that are specific to the environment for which the persona was created.

Trust: Trust occurs when we share attributes from within a persona. The trust in a persona comes from three sources:

  1. The immutable linking of Me to my Core Identifier
  2. The endorsement of the persona by the issuing organization
  3. The binding and validation of the attributes to the persona by the authoritative source

Privacy: Distributed personas have privacy-enhancing properties, for instance by limiting attribute exposure and by remaining under the sole control of the Core Identity. We also have the ability to create anonymous personas, which is useful in voting: we can prove who we are and that we voted, but our vote remains secret.

Entity: Any person, organisation, computing device, code, data, or physical possession; also any self-managed collection or organisation of entities.

So we need multiple identities because we don’t want to share all things with all people. For instance, my Online Banking Persona contains attributes, like Credit Card details, that I don’t want to be visible from within my Facebook persona. The way to create and manage all these disparate personas is to ensure we have a trusted, immutable Core Identity.
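As an added illustration (not code from this article, and not MicroStrategy's or the Jericho Forum's), the following Python models the definitions above: a Core Identity whose secret never leaves the holder, personas with context-specific identifiers derived from it, an issuing organisation endorsing a persona, an authoritative source binding attributes to it, and a verifier that applies the three trust sources. The shared-key HMAC used for endorsements and bindings is an assumption that stands in for a digital signature; every name, key and attribute value is constructed for the example.

```python
import hashlib
import hmac
import json


def _mac(key: bytes, record: dict) -> str:
    """Keyed hash over a canonical JSON encoding of a record.

    Assumption: a shared-key HMAC stands in for the digital signature a real
    issuer or authoritative source would apply."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _mac_ok(record: dict, key: bytes) -> bool:
    body = {k: v for k, v in record.items() if k != "mac"}
    return hmac.compare_digest(_mac(key, body), record.get("mac", ""))


class CoreIdentity:
    """Root identity. The secret never leaves the holder; personas are derived
    from it but carry nothing that reveals it or links them to each other."""

    def __init__(self, core_secret: bytes):
        self._secret = core_secret

    def persona_id(self, context: str) -> str:
        # Trust source 1: the persona identifier is bound to the Core Identity by
        # a key only the holder has. Different contexts give unlinkable ids.
        return hmac.new(self._secret, context.encode(), hashlib.sha256).hexdigest()[:32]


class IssuingOrganization:
    """Endorses that a persona is valid in its environment (trust source 2)."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def endorse(self, persona_id: str, context: str) -> dict:
        body = {"persona": persona_id, "context": context, "issuer": self.name}
        return {**body, "mac": _mac(self.key, body)}


class AuthoritativeSource:
    """Binds one attribute value to a persona (trust source 3). Each binding is
    signed separately, so a persona can disclose a subset and still verify."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def bind(self, persona_id: str, attr: str, value) -> dict:
        body = {"persona": persona_id, "attr": attr, "value": value, "source": self.name}
        return {**body, "mac": _mac(self.key, body)}


def build_persona(endorsement: dict, bindings: list) -> dict:
    return {"id": endorsement["persona"], "endorsement": endorsement, "attributes": list(bindings)}


def disclose(persona: dict, wanted: set) -> dict:
    """Privacy: a view of the persona that carries only the requested attributes."""
    return {**persona, "attributes": [b for b in persona["attributes"] if b["attr"] in wanted]}


def verify_persona(persona: dict, trusted_issuers: dict, trusted_sources: dict) -> dict:
    """Return the verified attributes, or {} if any trust check fails."""
    e = persona["endorsement"]
    key = trusted_issuers.get(e["issuer"])
    if key is None or e["persona"] != persona["id"] or not _mac_ok(e, key):
        return {}
    verified = {}
    for b in persona["attributes"]:
        key = trusted_sources.get(b["source"])
        if key is None or b["persona"] != persona["id"] or not _mac_ok(b, key):
            return {}
        verified[b["attr"]] = b["value"]
    return verified


def demo() -> dict:
    # All keys, organisation names and attribute values are constructed.
    core = CoreIdentity(b"constructed-core-secret")
    bank = IssuingOrganization("ExampleBank", b"bank-key")
    bank_records = AuthoritativeSource("ExampleBank", b"bank-key")
    social = IssuingOrganization("ExampleSocial", b"social-key")
    registry = AuthoritativeSource("ExampleRegistry", b"registry-key")
    issuers = {"ExampleBank": b"bank-key", "ExampleSocial": b"social-key"}
    sources = {"ExampleBank": b"bank-key", "ExampleRegistry": b"registry-key"}

    bank_id = core.persona_id("banking")
    banking = build_persona(bank.endorse(bank_id, "banking"),
                            [bank_records.bind(bank_id, "card_last4", "4242")])

    social_id = core.persona_id("social")
    social_persona = build_persona(social.endorse(social_id, "social"),
                                   [registry.bind(social_id, "full_name", "A. Example"),
                                    registry.bind(social_id, "age_over_18", True)])

    # An attribute value altered after the authoritative source bound it.
    tampered = json.loads(json.dumps(banking))
    tampered["attributes"][0]["value"] = "0000"

    # A banking attribute grafted onto the social persona: it is bound to a
    # different persona id, so the social persona must not verify with it.
    grafted = build_persona(social_persona["endorsement"],
                            social_persona["attributes"] + banking["attributes"])

    return {
        "unlinkable": bank_id != social_id,
        "banking": verify_persona(banking, issuers, sources),
        "social_full": verify_persona(social_persona, issuers, sources),
        "social_age_only": verify_persona(disclose(social_persona, {"age_over_18"}), issuers, sources),
        "tampered": verify_persona(tampered, issuers, sources),
        "grafted": verify_persona(grafted, issuers, sources),
    }
```

Calling `demo()` shows the two persona identifiers are different and carry no trace of the core secret, the banking and social personas verify in full, the social persona still verifies when only `age_over_18` is disclosed, and both the altered value and the attribute moved between personas are rejected.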

We already have Federated Identity Management solutions where ID repositories such as Microsoft’s Active Directory and LDAP look after our Core Identities (in the corporation) and personas. In the corporate world these systems enable us to use a Single Sign-On (SSO) to all the applications that we need to perform our jobs. In the larger Internet world we’re starting to see similar functionality from the likes of Facebook and Google. Most people with smartphones have used their Facebook identity to log in to other applications. This is Federated Identity Management.

What makes a good Identity Management System?

The following rules, or commandments, have been put together by the OpenGroup.org “Jericho” think tank (link below):

Identity & Core Identity

  1. All core identities must be protected to ensure their secrecy and integrity.
  2. Identifiers must be able to be trusted.
  3. The authoritative source of identity will be the unique identifier or credentials offered by the persona representing that entity.

Multiple Identities (Persona)

  1. An entity can have multiple, separate Persona (Identities) and related unique identifiers.
  2. Persona must, in specific use cases, be able to be seen as the same.

Persona (Identity) Attributes

  1. The attribute owner is responsible for the protection and appropriate disclosure of the attribute.
  2. Connecting attributes to persona must be simple and verifiable.
  3. The source of the attribute should be as close to the authoritative source as possible.

Entitlement management and resource access

  1. A resource owner must define Entitlement (Resource Access Rules).
  2. Access decisions must be relevant, valid and bi-directional.

Usage and Deletion

  1. Users of an entity’s attributes are accountable for protecting the attributes.
  2. Principals can delegate authority to another to act on behalf of a persona.
  3. Authorized Principals may acquire access to (seize) another entity’s persona.
  4. A persona may represent, or be represented by, more than one entity.
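An added example (not code from the article or from the Jericho Forum) of the entitlement commandments above: the resource owner defines the access rule, the persona side checks the resource's endorsement before disclosing anything (bi-directional), only the attributes the rule names leave the persona (relevant), and every attribute must come from a source the owner accepts and still be within its validity period (valid). The trust list of resource endorsement tokens is an assumption standing in for a verifiable endorsement, and all organisation names, identifiers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Attribute:
    """One attribute as bound to a persona by its source, with a validity window."""
    name: str
    value: object
    source: str
    valid_until: datetime


@dataclass(frozen=True)
class Entitlement:
    """The resource owner's access rule: the attributes required, the sources the
    owner accepts for each, and the predicate over the disclosed values."""
    resource: str
    required: dict                      # attribute name -> set of acceptable sources
    predicate: Callable[[dict], bool]


def negotiate_access(rule: Entitlement, resource_claim: dict, trusted_resources: dict,
                     persona_attrs: dict, now: datetime) -> tuple:
    """One access decision between a persona and a resource.

    Returns (granted, reason, names of the attributes actually disclosed)."""
    # Bi-directional: the persona side validates the resource first. A trust-list
    # lookup stands in for checking a verifiable endorsement (assumption).
    if trusted_resources.get(resource_claim["resource"]) != resource_claim["endorsement"]:
        return False, "resource endorsement not recognised", set()
    if resource_claim["resource"] != rule.resource:
        return False, "rule does not belong to this resource", set()

    # Relevant: disclose only the attributes the rule names, never the whole persona.
    disclosed = {n: a for n, a in persona_attrs.items() if n in rule.required}
    missing = set(rule.required) - set(disclosed)
    if missing:
        return False, "missing attributes: " + ", ".join(sorted(missing)), set(disclosed)

    # Valid: each attribute comes from an accepted source and has not expired.
    for name, attr in disclosed.items():
        if attr.source not in rule.required[name]:
            return False, f"{name}: source {attr.source} not accepted", set(disclosed)
        if attr.valid_until <= now:
            return False, f"{name}: expired", set(disclosed)

    granted = rule.predicate({n: a.value for n, a in disclosed.items()})
    return granted, "ok" if granted else "rule predicate not satisfied", set(disclosed)


def demo() -> dict:
    # Constructed sample data: a door rule, one genuine and one rogue door reader,
    # and a persona holding more attributes than the door needs.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    trusted_resources = {"server-room-door": "endorsement-token-door-001"}
    door_rule = Entitlement(
        resource="server-room-door",
        required={"employee_id": {"ExampleCorpHR"}, "clearance": {"ExampleCorpSecurity"}},
        predicate=lambda v: v["clearance"] in {"restricted", "top"},
    )
    genuine_door = {"resource": "server-room-door", "endorsement": "endorsement-token-door-001"}
    rogue_door = {"resource": "server-room-door", "endorsement": "forged"}

    persona = {
        "employee_id": Attribute("employee_id", "E-1042", "ExampleCorpHR", now + 365 * day),
        "clearance": Attribute("clearance", "restricted", "ExampleCorpSecurity", now + 30 * day),
        "card_last4": Attribute("card_last4", "4242", "ExampleBank", now + 365 * day),
    }
    expired = dict(persona, clearance=Attribute("clearance", "restricted", "ExampleCorpSecurity", now - day))
    wrong_source = dict(persona, clearance=Attribute("clearance", "top", "ExampleCorpHR", now + day))

    return {
        "granted": negotiate_access(door_rule, genuine_door, trusted_resources, persona, now),
        "rogue": negotiate_access(door_rule, rogue_door, trusted_resources, persona, now),
        "expired": negotiate_access(door_rule, genuine_door, trusted_resources, expired, now),
        "wrong_source": negotiate_access(door_rule, genuine_door, trusted_resources, wrong_source, now),
    }
```

Running `demo()` grants the genuine door access using only `employee_id` and `clearance` (the bank attribute is never disclosed), refuses to disclose anything to the reader whose endorsement is not recognised, and denies the persona whose clearance has expired or was bound by a source the owner does not accept for that attribute.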

The New Paradigm: Usher by MicroStrategy

In their conclusion the Jericho Forum state:

“The shift from Enterprise and Application, or System Centric, Identity & Access Management to User and Resource Centric Identity, Entitlement and Access Management (IdEA) holds the triple promises of Lower Cost, Higher Security/Trust and Increased Flexibility”

The key point here is that we need to move to a “User and Resource Centric” solution. This is where we need a shift in thinking as to who our users are. No longer is a user just someone sitting at their office desk. A user is an entity no matter who or where they are. Two years ago this wouldn’t have been possible, but now that the smartphone has become ubiquitous, it is.

By making IdEA mobile and placing it in the hands of our users we can more simply, securely and efficiently revalidate their identities. We can dematerialize the Corporate Identity card, the driving licence, the printed bank statement. With the power of a mobile app users can unlock doors, access elevators, authorize bank transfers, and authenticate themselves and others in a myriad of situations.

The Usher Identity Platform’s unique three-layer architecture ensures both that identities are always accurate and valid, and that identity exchanges always occur through secure out-of-band channels, i.e. when one Usher user validates another using the mobile app, all communication is routed via the Usher server. Communications are never directly mobile app-to-mobile app.

Learn more about Usher from MicroStrategy here: www.usher.com

Sources

The Open Group YouTube Series: Identity Management

The Jericho Forum: Identity Commandments
