Construction principles for the information scientist: (6) Disconnect “who you are” from “what you are allowed”

Construction principles from information engineering that are still valid today produce better information constructs. In the rush of advancing technology they are sometimes a bit forgotten, resulting in shaky, poorly maintainable and hard-to-extend information constructs. This time the focus is on the need to decouple identification/authentication (who you are) from authorization (what you are allowed to do). How many login combinations do you have in use? Probably more than 30. Every day people still struggle with the login names and passwords for all the service providers they visit online. In theory the solution is simple, but in practice it is still laborious.


Distinction between who I am, whether it is really me, and what I may do

In the physical world, people show who they are through physical characteristics (they are recognized) or with a certified document (driver's license, passport, identity card). In the digital world this is done with a digital attribute associated with the person (an email address, a mobile number, or a device holding a digital certificate).

Another well-known example is the building access pass. Passes are still issued anew and collected again to give someone access to a building (authorization), even though a pass, once issued as proof of identity, is valid for several years. It would suffice to link an authorization to an existing proof of identity.

Identity fraud lurks and what about privacy?

The downside of this simplicity is that if a digital identity is lost or hacked, the person can no longer access anything, or someone else can act on their behalf on the internet. That is why additional procedures have been set up, such as resetting a password via an email address or an additional authentication via another means (two-factor authentication).

Finally, the risk of having one identity for all digital actions is that, in principle, all comings and goings in the digital world are technically traceable by a single party. The identity issuer will therefore have to provide privacy safeguards in its terms of use. Not all of them do. It seems incredibly convenient to log in everywhere with a Facebook account, but in doing so Facebook collects a great deal of data about behavior on the internet (for example, where purchases are made).

Smart authorization management and secure access

One measure against identity fraud is to give authorizations a limited duration. In the end, it is all about authorization, or access: as a user, the goal is to be able to do something or to exercise an authority. A passport and a driver's license also have limited validity. By attaching a limited validity to an authorization instead of to an identity, the user can be forced to re-identify after a certain period of time, possibly with additional safeguards. Only once it has been established that it really is the user is access granted again. This reduces the chance of abuse, and it is why Google, Microsoft or a password manager, for example, regularly asks for re-identification with a second factor. But there are more factors to consider in preventing fraud, such as making it impossible to log in from two geographically distant places within a short period of time.
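As an added illustration (my own example, not code from the article), the Python model below keeps the identity assertion that a separate identity provider vouches for apart from the authorization that the service itself holds with a limited validity, renews an expired authorization only after a fresh identification with a second factor, and flags the impossible-travel pattern mentioned above. The class and function names, the thresholds and the scenario in `demo()` are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class IdentityAssertion:        # who you are: issued by a separate identity provider (assumed model)
    subject: str                # stable identifier from the identity provider
    authenticated_at: datetime  # when the provider last verified it was really this person
    factors: int                # factors used in that verification (1 = password only)

@dataclass
class Authorization:            # what you are allowed: held by the service itself (assumed model)
    subject: str
    service: str
    expires_at: datetime        # the limited validity sits on the authorization, not on the identity

def access_decision(auth, ident, now, validity=timedelta(days=30), max_auth_age=timedelta(minutes=15)):
    """Return 'grant', 'reauthenticate' or 'deny'; renew an expired authorization only after fresh 2FA."""
    if ident.subject != auth.subject:
        return "deny"                         # identity and authorization do not belong together
    if now < auth.expires_at:
        return "grant"                        # still within the authorization's validity period
    if ident.factors >= 2 and now - ident.authenticated_at <= max_auth_age:
        auth.expires_at = now + validity      # re-identified with a second factor: new period starts
        return "grant"
    return "reauthenticate"                   # expired and no fresh strong identification

def _km(lat1, lon1, lat2, lon2):              # great-circle (haversine) distance in kilometres
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=1000):
    """True if chronological logins (time, lat, lon) would require travelling faster than max_kmh."""
    for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        if _km(la1, lo1, la2, lo2) > max_kmh * max(hours, 1e-9):
            return True
    return False

def demo():  # constructed scenario: one external identity, an expiring service authorization, logins 1 h apart
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    weak = IdentityAssertion("idp:alice", t0, factors=1)
    auth = Authorization("idp:alice", "mail", expires_at=t0 + timedelta(days=1))
    first = access_decision(auth, weak, t0)                                   # 'grant'
    expired = access_decision(auth, weak, t0 + timedelta(days=2))             # 'reauthenticate'
    strong = IdentityAssertion("idp:alice", t0 + timedelta(days=2), factors=2)
    renewed = access_decision(auth, strong, t0 + timedelta(days=2))           # 'grant'
    travel = impossible_travel([(t0, 52.37, 4.90), (t0 + timedelta(hours=1), 40.71, -74.01)])
    return first, expired, renewed, travel
```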

Decoupling enables multiple uses!

As a designer, it is important to weigh the advantages and disadvantages of issuing a user identity yourself against accepting an externally verified identity. The advantage of such reuse should not lead to a higher risk of identity fraud or privacy violation. Here it is necessary to assume a digitally inexperienced user who is not always careful with a digital identity. So with reuse, two-factor authentication is actually a must.

By linking authorization management to the service (gaining access somewhere, processing email, making payments, ordering something) and having identity management handled by a separate service provider, a limited set of identities can be used in the digital world while still dealing securely with a multitude of service providers. Those 30 login combinations are then no longer needed. This insight has finally brought ease of use to the secure procurement of government services (with DigiD and eRecognition), even in a European context (eIDAS). Now to get the private service providers to do the same.
