Technology shapes and controls all forms of ID, but in an era when most of us carry more ID than ever before, are our bona fides starting to define not only who we are but what we are?
Technology has influenced the definition of individual identity for millennia. Much of the earliest writing – hieroglyphs in Egypt and cuneiform in Mesopotamia – was used to confirm an individual's identity, a role increasingly fulfilled by the latest authentication tools and biometric technologies.
Wax seals and terracotta tablets may have been replaced by silicon chips and laser scanners, but the underlying purpose remains largely unchanged: a method (and methodology) of authenticating and validating an individual's identity, of proving that they are who they say they are.
The identity of ID is about to evolve again. We're now at something of a crossroads where governments globally are considering how we take forward the concept of identity to cope with the challenges posed by evolving societal and other needs. Their focus is on what form it will take, and what technologies will be implemented in support of their objectives.
Who am I?
Discussing the concept of identity often raises more questions than answers. Specialists in the area are considering the thorny issue of how identity itself should be defined: i.e., what information is needed to prove one's identity, and what is the best way to ensure the integrity of that data. Should it simply prove you are who you say you are – John Smith – or that you're also an engineer, an IET member, and 42 years of age – the supplementary attributes that tell more about you than just your name?
These criteria change depending on what the proof of identity is for, and what persona we want to use in any given context. Many want government identity cards to hold only the basics – name and date of birth – but for work we might need to prove permissions to certain systems and physical areas. Then there is the question of online identities, which has become an issue of concern in the last two decades. Many believe these should be more anonymous, as people do not always want to share their personal details online, but they must still allow whatever website you land on to know who you are, your age and whether you're suitable for the site, such as those with adult content or children's chat rooms.
Specialist groups are discussing these issues, trying to agree on the direction ID will now take. For the majority of people, a password is the main way of proving identity, which is causing many problems of its own. With so many different IDs and passwords to remember, many of us now face 'password fatigue' or 'identity overload'; there's also the issue of security, protecting our identity against ID theft.
Pass the password
'Passwords are often the only method in place to protect a user's identity, and when simple passwords are used, the user account remains insecure. Even complex passwords are often fatally flawed – these passwords are less susceptible to brute-force attacks, but are difficult to remember, causing user account lock-outs and resulting in loss of productivity,' says David Ting, CTO of access management firm Imprivata.
'This problem is further aggravated when multiple complex passwords are required in order to access a range of critical computer applications. To avoid this issue, users often resort to a 'Post-It note culture', whereby passwords are noted down.'
User account sharing is another common method to avoid the password lockout dilemma, Ting adds, and while this may allow users to remain productive, the fundamental data security that passwords aim to provide is invalidated.
Technological developments are providing us with some solutions, however. Single Sign-On technology provides a single point of user authentication, obviating the need for multiple complex passwords; it is often used alongside methods of strong authentication, such as smart cards and biometric devices, for further security.
Biometric measures are proving popular in the mass transit sector, with iris, palm, and fingerprint recognition primarily being used for logical access: securing data, mobile computer files, or physical access to rooms.
Ian Collard, identity management and biometrics manager at Siemens IT Solutions and Services, reckons that the deployment of biometric, facial recognition and encryption technologies within passports, driving licences, healthcare and ID cards will become common globally, obsolescing paper documents within ten years.
The mobile phone is also becoming a preferred implementation of defined ID, believes David Birch, director at IT consultancy Consult Hyperion: 'Your mobile phone becomes your remote control for identity, and that seems plausible to me,' he says.
Birch has worked with multiple governments on the development of national citizen identity cards, and feels that the phone 'should have been the UK identity card'. He explains how this model might work: 'I could log into your website for the first time, and up comes a message on my phone asking me to enter my password. I can see how that would work in practice. There is room for optimism, and the mobile phone is the reason for that.'
Mobile phone user accounts already have their own access security, of course, and usage patterns are an additional way of validating identity, recording numbers called and locations called from. The move towards a form of mobile phone personal ID is already happening most progressively in Turkey.
'If mobile operators got together, and tried to create an infrastructure together, and decide to create a stand-in for the (non-existent UK) government infrastructure, it is plausible that something could happen in the mobile space,' Consult Hyperion director David Birch suggests.
'In Turkey, operator Turkcell is one of the most innovative mobile operators, and Garanti Bank is one of the most innovative banks. They have a system running where you log in, and a message pops up on your phone for you to authenticate. It's all done with digital signatures,' he says.
The future of 'psychic ID'
ID cards are becoming a popular form of authentication now, but in his 2009 paper 'Psychic ID: A Blueprint for a Modern National Identity Scheme', Birch proposes that a futuristic ID 'card' scheme should look like Dr Who's 'psychic paper'.
'Psychic paper shows the 'inspector' only whatever it is he needs to see,' Birch explains. 'If the border guard is looking for a UK passport, the psychic paper looks like a UK passport. 'Psychic ID' only shows the inspector what they want to see if the holder has the relevant credential.'
The security assurance comes from the pure mathematics it works on, he adds: 'The way my phone works is that it sends back the appropriate digital signatures using maths, and I think the technology necessary to implement that already exists. You need a high level of tamper resistance, a certain richness of communications, and we broadly have that [in place].'
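The selective disclosure described above, where the inspector sees only the credential asked for, can be illustrated with salted hashes: the issuer signs digests of the attributes and the holder reveals only the values requested. This Python example is added here and is not taken from Birch's paper; the function names and sample attributes are constructed, and a Lamport one-time signature built from SHA-256 is an assumed stand-in for the issuer's digital signature so that the block runs on the standard library alone.

```python
import hashlib, json, secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature, standing in for the issuer's scheme (one key, one credential).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def commit(name, value, salt: bytes) -> str:
    # Salted digest: hides the value until the holder reveals value and salt.
    return H(salt + json.dumps([name, value]).encode()).hex()

def issue(sk, attributes: dict):
    # Issuer signs only the sorted digests, never the attribute values themselves.
    salts = {k: secrets.token_bytes(16) for k in attributes}
    digests = sorted(commit(k, v, salts[k]) for k, v in attributes.items())
    return {"digests": digests, "sig": sign(sk, json.dumps(digests).encode())}, salts

def present(credential, attributes, salts, wanted):
    # Holder discloses value and salt for the requested attributes only.
    return {**credential, "disclosed": {k: (attributes[k], salts[k].hex()) for k in wanted}}

def inspect(pk, presentation):
    # Inspector: check the issuer's signature, then match each disclosure to a digest.
    digests = presentation["digests"]
    if not verify(pk, json.dumps(digests).encode(), presentation["sig"]):
        return None
    checked = {}
    for name, (value, salt_hex) in presentation["disclosed"].items():
        if commit(name, value, bytes.fromhex(salt_hex)) not in digests:
            return None
        checked[name] = value
    return checked

# Constructed sample holder, using the attributes the article mentions.
ATTRS = {"name": "John Smith", "profession": "engineer", "age": 42}
```

An inspector asking only for age receives that value and the signed digests, not the name or profession. Binding the presentation to the holder's device and to a fresh challenge, as in the phone log-in Birch describes, is a separate step this block does not cover.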
Value-added ID cards
Although the UK identity card scheme has been shelved, the evolution of the concept is happening elsewhere, as different countries implement it in different ways.
Some Scandinavian countries provide authenticators with the cards, which allow citizens to use this form of ID to log in to government websites and also banks. In Germany, smart identity card owners were also given a USB card reader, and citizens of many European countries are able to use their national identity cards as a replacement for a passport when travelling inside the European Union.
'Travelling on the Eurostar you see a number of French people using their carte d'identité rather than a passport,' observes Howard Berg, senior vice president Europe at digital security provider Gemalto. 'We see identity cards being used in the Nordics for banking exercises, filing your tax return, and other purposes.'
Such 'dedicated' forms of ID replace the 'proof of identity' collateral – such as printed utility bills and council tax demands – that institutions like banks and post offices require in support of many applications; however, evidence suggests that these 'proofs' are quite unreliable, as they can be so easily misappropriated and/or counterfeited.
Berg argues that the UK may be better off following these countries rather than trying to be at the forefront, as there is a legacy of 'lessons learned', as well as the benefit of having the public understand the concept more, and be less sceptical.
Adrian Seccombe, research associate at the Leading Edge Forum, believes that something else will appear as identity evolves: organisations offering services as identity providers.
'There's no doubt it will occur,' he says, 'it is a question of when. There are a number of organisations that are very serious about seeing if this is something they can get money from. We've already got this infrastructure in place: it's called a credit card, the only problem is that it deals with one claim: you will get paid. It does not deal with how old I am, or whether I can drive.
'The problem is how we put an identity infrastructure into place. Some of the limitations of what you can store, and how you can use these things start to become quite onerous to an identity provider. So a new set of regulations will have to be put in place to both protect the identity provider and also enable them to do their job.'
Many of these concepts deal with holding a lot of important data on one item, but how likely is it that we will end up with just one form and format of ID? Not everyone buys into the single ID proposition entirely.
'There is a security advantage to having multiple IDs with strong cryptographic partitions between them, which is if one is violated in some way, you wouldn't want all of your other identities to be violated so that creates 'firewalls',' warns David Birch at Consult Hyperion.
'I do not think that we'll end up with one [single system] unless government and industry make a series of huge mistakes.'
Gemalto's Howard Berg believes a lot of the power behind this decision lies in the lap of the consumer. 'The potential to have all these forms of ID on one form-factor exists, however the consumer will decide it is something they value.'
'In the future you can see that you'll have the choice between a paper boarding pass or downloading the British Airways application on your iPhone and having a boarding pass in that form. It may be there are certain forms of ID – let's say a driving licence, where you would be happy to have a payment factor on there too, but when I am going away I'd also like my traditional passport in case I lost the digital one on my phone.'
This is one reason why many current forms of ID still cannot be considered as outdated: for all their technological shortcomings, humans retain faith in hard-copy documents. The next generation of ID is clearly leaning on technology more strongly, and this will bring more assurance, but as Berg highlights, it has to be implemented correctly in order for the public to accept it.