Another dive into digital identity, following on from two other pieces that aimed to define digital identity itself, and shed light on the importance surrounding the enrolment process. What I want to cover in this short article is the necessity for the individual attached to the digital identity to be the one in control, and to have physical ownership of what gives them that control.

It’s always good to compare traditional methods with digital methods when it comes to identification. We often take for granted the vast amount of research and development that has gone into the identity documents we carry with us every day, but the same, if not more, must go into the digital equivalents. For this article, I want to call out one particular foundational aspect of the ID documents that we use in our everyday lives; the fact that we physical own them. They are effectively useless when not in our possession, and this is important, because if they weren’t, someone else could use them when we’re not. This might seem like an odd point to make, but in order for ID documents to confirm we are who we say we are, the person we show them to must have confidence that no one else could show us the same document and it appear valid. Usually this involves comparing the person’s face with the photo on the card.

So, when it comes to a digital identity, we must also look to fulfil this requirement. The platform most trusted to do this is Public Key Infrastructure, or PKI, and when it comes to digital identity, it often involves private keys held on smart cards, SIM cards, or USB sticks. Straight away, these are physical tokens we can hold in our hands and do our best to keep safe, like we do our driver’s licenses and passports. To fulfil the only-I-could-use-this aspect, PIN codes and passwords are needed in order to use the keys, replacing a biometric-based factor (our face) with a knowledge-based factor. And, like with our offline IDs, no one else could act on our behalf online, when the keys they need are sitting in our pocket or on our keyring.

Not only does this trait breed trust, it also breeds accountability. If our passport or our smart card was used to carry out illegal activity or as an ID when signing a contract, it’s very difficult to say, “it wasn’t me”. It’s when we move online that this particular issue has a lot more potential to cause trouble. Impersonation or identity theft online isn’t restricted by boarders, it’s not necessarily a one-by-one attack, and the risk of being caught and facing the consequences can be almost zero. But this becomes all but impossible when what’s needed to impersonate someone is a physical token that resides in their pocket. Boarders, one-by-one, and getting caught all come sharply back into focus.

The common physical tokens I’ve mentioned are dipping in and out of fashion, but there is a slow and steady move towards mobile based solutions. The difficult part here is that the standard mobile device doesn’t bring the required level of security that smart cards or USB keys do, no matter what the method of access is, so other tricks need to be employed. One such method is using cloud-based keys. This means the phone doesn’t need to protect the keys at all, it’s merely used as a vessel for accepting the password, PIN code, or biometric scan, before sending word to the remote server that the key can be used to authenticate or sign. Though it’s relatively secure, what it lacks is user possession. It reintroduces the potential for theft of the key from anywhere in the world, limits the risk of getting caught, and if a database is breached, many keys could be stolen at once.

In the 1970s, threshold cryptography was created. This is a whole other topic to cover later, but the reason it’s worth mentioning here is that it’s only recently that mobile devices have been powerful enough to make use of this kind of cryptography. What it let’s us do, is share the responsibility of protecting users’ keys across multiply entities by allowing a private key to be generated and used in pieces. Each piece signs a hash, and when all the signatures come together, they are equivalent to if one signature had been created by the original full key. So now, we can give most of the key to a central server HSM, and some of the key to the individual; not so much that it’s useful if it is stolen, but enough that the user can physically own a piece held on their phone. Now we don’t have to rely on the phone’s security, because the majority of the key is held in a Hardware Security Module somewhere else, but we also don’t have to worry about remote, en masse theft of individual’s keys, because a vital piece of the key is neatly tucked away in the individual’s pocket.

The main point to takeaway here, is that ownership leads to control and accountability, and this is vital for an identity document or digital identity authenticator. Though there is more to all this, without that particular piece, an identity is worthless.

@MaxCvdP