At last, in newsletter 7, we have arrived at technology. Most commentators start with technology because they hope it will be the answer - I started with defining the question in my early newsletters. Now, I am looking at the context of identity, which includes this newsletter’s technology building blocks for Identity. In the next newsletter I will look at possible futures, that is, at possible answers.
This newsletter’s title, Current & Developing Identity Technologies, states the obvious – we have both:
current technologies that enable Identity solutions (on the left in the diagram above)
developing technologies which promise to be ‘the answer’ to Identity (on the right in the diagram above)
In this newsletter I summarise each technology area and what it means for Identity. But to start with, I will discuss the one technology that is fundamental to so much Identity: cryptography.
Cryptography
Symmetric and asymmetric cryptography (also called private key and public key cryptography) are core to Identity. They are the basis of PINs on cards, secure communications, blockchain, decentralization, and many hardware solutions. Cryptography is how to keep things secret, and it is important, full of jargon, and complex. If you want to develop a deep understanding of Identity, you need to understand cryptography! But beware, it is a deep rabbit hole.
Current Technologies
Physical Identity
This is where so much identity has started. Documents include passports and birth certificates. Clearly passports have evolved significantly to include a chip. Cards include driver’s licenses, student identity, club identity, and corporate identity. These all have evolved with different uses of watermarks and tamperproof coatings.
Customer Databases
CRMs and their predecessors, accounts receivable systems, are a fundamental part of the Identity solution - they are where Personal Identity Information is stored!
Hardware Tokens
There are a variety of devices such as dongles, challenge-response devices, and code-generating devices that operate in the on-line environment by connecting through a USB port. They can also generate codes for other environments. They have obvious security benefits but suffer from the need to both distribute and maintain the devices, and from the challenge of interfacing with multiple platforms.
SSL
SSL, or Secure Sockets Layer, is something we all use on a daily basis. And for good reason – it is the most important security protocol invented. Based upon asymmetric and symmetric cryptography, it enables secure point to point on-line communications. Without it, on-line Identity, and the internet itself, would be very compromised.
Messaging
The advent of multi-factor authentication (MFA) requires the customer to have something, often a smartphone. The confirmation that the customer owns the smartphone or device is achieved normally through the entry of a code delivered through some messaging service, such as SMS or email. Messaging is now an established technology used for Identity.
Biometrics
Biometrics has been with us for decades and is now becoming ubiquitous, due to face imaging and fingerprint readers on laptops/PCs and smartphones. It is now hard to imagine a world without biometrics. But it is far from complete, with developing standards, and threats from such things as AI-generated deepfakes. This is a technology that will be very important in the future, especially if it can be securely implemented.
New Technologies
Behavioural Analytics
Behavioural analytics is a development from big data that uses AI-like techniques of data analysis. It has utility for general analysis processes such as providing a credit rating for a future borrower, and for predicting if a payment is fraudulent. For Identity, measures of physical behaviour (e.g. the pattern of typing) through to more long-term contextual events can be analysed by behavioural analytics to add an extra dimension to an Identity Authentication process. The question is: ‘is it worth it?’ Perhaps if we cannot develop good authentication we need such a backup solution, but it seems like a lot of technology to solve a simple problem.
FIDO Passkey
FIDO has long been based upon a Hardware Token, but on 5 May 2023 it announced with Microsoft, Google, and Apple an initiative to create a passkey to replace passwords. This is based upon asymmetric cryptography and will potentially eradicate passwords, and thus password stuffing attacks. It may also make customers dependent on a centralized passkey register run by you know who: Microsoft, Google, and Apple. It all feels a bit centralized and big tech to me. This will be the subject of a newsletter quite soon (as will all of these new technologies).
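Why a passkey leaves nothing to stuff, as an added example (not from this newsletter, and a simplified model rather than the FIDO/WebAuthn API). The `Authenticator` and `Site` classes, the user name and the origins are constructed for illustration.

```javascript
// Simplified passkey model: the site stores a public key, never a shared secret.
const crypto = require('node:crypto');

// Authenticator (assumed name): one key pair per site; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // the only thing the site ever receives
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential exists for this origin
    return crypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Site (assumed name): holds public keys and issues single-use random challenges.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    const pub = this.users.get(user);
    this.pending.delete(user); // a challenge is accepted at most once
    if (!c || !pub || !signature) return false;
    return crypto.verify(null, Buffer.concat([Buffer.from(this.origin), c]), pub, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const shop = new Site('https://shop.example'); // constructed origins
  const bank = new Site('https://bank.example');
  shop.enroll('user1', device.register(shop.origin));
  bank.enroll('user1', device.register(bank.origin));
  const sig = device.sign(shop.origin, shop.challenge('user1'));
  const genuine = shop.verify('user1', sig);
  shop.challenge('user1');
  const replayed = shop.verify('user1', sig);        // old response, fresh challenge
  bank.challenge('user1');
  const reusedElsewhere = bank.verify('user1', sig); // shop response sent to bank
  return { genuine, replayed, reusedElsewhere };
}
```

A response captured from one site, or a public key leaked from its database, does not authenticate anywhere else, which is what removes the credential-reuse step that stuffing depends on.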
Digital Wallets
Some pundits think Digital Wallets will answer all our problems. If they are secure, there is much potential to go beyond basic payment wallets such as Apple Pay and Google Pay, to a functional Identity Wallet. The EU’s approach is to legislate an EU Identity Wallet into existence. Such an approach is risky, as it does not consider technical feasibility and indeed, one of the initial proposals, now taken down, did recognize the possible need for ‘hardware security’. That little question of security on a consumer digital device is an important one and one that will come up often.
Blockchain
Once the answer to all things digital, Blockchain still is a significant industry and cannot be counted out as at least part of an Identity solution. The biggest challenge is that blockchain is an open, distributed ledger and such an approach is the antithesis of what Identity is trying to do – keep things private. There are, of course, smart people who can find ways to make blockchain work differently, but why bother? If blockchain is not designed for privacy, why try to make it support privacy applications?
Decentralisation
Self-Sovereign Identity (SSI) was all the rage for a few years and the World Wide Web Consortium (W3C) has done a lot of work promoting decentralized standards. The initial push from W3C was to create Decentralized Identifiers (DIDs) and the push is now to utilize Verified Credentials (VCs). DIDs do not appear to have taken off, possibly due to that little problem of security on a consumer digital device. If one was sceptical, one might suggest that the decentralization guys have given up on DIDs, and are now pursuing the 2nd prize of VCs. If so, fair enough, but while VCs are a proven technology, the practical use of them may cause more issues than the problems they solve.
Insights
There are multiple insights into technology:
There are many diverse technologies – this is not a simple or a consistent field. There are many diverse technologies that support Identity processes.
Current technologies are enablers of poorly performing Identity - current technologies enable current Identity solutions, but as previously discussed in newsletters 4 and 5, current solutions perform poorly.
Biometrics, a current technology, will develop further and will be important - intrinsically, because of its uniqueness-based authentication power, biometrics is a key part of the future of Identity.
Developing technologies are technology driven, not functionality driven - there is nothing inherently wrong in a new technology approach of seeking new applications for a technology. But at some point in time, the technology’s suitability and practicality need to be questioned. In many of these developing technologies, such questions have not yet been raised.
Many developing technologies are unproven - the inherent insecurity of a customer digital device has yet to be solved in a comprehensive manner.
So, there it is for current and developing technologies. Lots has happened and lots is happening, and some of it is good, and none of it is comprehensive, and some of it may not work at all.
Summary
This and the previous newsletter considered the broader context of Identity:
Together, Market Segments and Current & Developing Technologies show:
a muddle of a market and
technologies that underperform or are unproven.
I feel that we are in the uncomfortable stage of an evolution, a bit like the lyrics from a Stealers Wheel song: “Clowns to the left of me, Jokers to the right, here I am stuck in the middle with you”.
Regards
Alan