The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2008 issue (Volume 2, Issue 4), which was on the topic of Identity Management:
“Is your identity simply based on your DNA, or is it more ephemeral and flexible? Is it limited to what is on a card or in a database? Can your identity be stolen, or merely assumed? There is no black and white with identity, merely shades of grey.
Someone may have multiple ‘identities’, to suit particular purposes – e.g. banking, dating, online (public / private), acting – with legitimate or criminal intentions. On the other hand, government and business often need to uniquely identify the people they interact with. This does not require a universal identity, but multiple John Smiths have to be managed.
To authenticate someone’s (claimed) identity, there are four common methods:
- something you know – e.g. password, PIN, mother’s maiden name
- something you have – e.g. identification card, authentication token
- something you are assigned – e.g. name, NI/NHS number, IP address
- something you are – e.g. fingerprint, retina, DNA, voice, signature
The risk of misidentification is managed through the appropriate selection and application of these authentication methods and their associated data. Generally, the more factors that are used, the stronger the authentication and the greater the accountability, but this needs to be balanced against usability and failure rates.
If you’ve managed to get beyond (mis)identification then there needs to be a link to a level of authorisation for each user. These rights need to be properly maintained for each role or user, as this is the second step in identity and access management.”
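As an added illustration (my own example code, not part of the magazine article), the following Python sketch shows the two steps described above: first verifying more than one authentication factor for a claimed identity, then linking that identity to a level of authorisation by role, where more sensitive rights require more verified factors. The user names, secrets, salts and the policy table are constructed for the example; the ‘something you are’ (biometric) factor is omitted, and the token check uses a standard TOTP computation.

```python
"""Multi-factor authentication feeding a role-based authorisation check.

Example code only; all users, secrets and policy values are constructed.
"""
import hashlib
import hmac
import struct
import time

# Factor categories from the article ("something you are" not modelled here).
FACTOR_KNOW = "know"   # password
FACTOR_HAVE = "have"   # authentication token


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so stored credentials are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard time-based one-time password (RFC 6238 style, HMAC-SHA1)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_user(password: str, salt: bytes, totp_secret, roles):
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,  # None if no token has been issued
        "roles": set(roles),
    }


# Constructed directory: two "John Smiths" with distinct identifiers and rights.
TOTP_SECRET = b"constructed-totp-secret-12345"
USERS = {
    "john.smith.1": make_user("correct horse", b"salt-one", TOTP_SECRET, ["clerk"]),
    "john.smith.2": make_user("battery staple", b"salt-two", None, ["auditor"]),
}

# Role -> permission -> minimum number of verified factors (assurance level).
POLICY = {
    "clerk": {"view_account": 1, "transfer_funds": 2},
    "auditor": {"view_account": 1, "view_audit_log": 2},
}


def authenticate(user_id, password=None, totp_code=None, now=None):
    """Step one: return the set of factor categories verified for the claimed identity."""
    user = USERS.get(user_id)
    if user is None:
        return set()
    verified = set()
    if password is not None:
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["pw_hash"]):
            verified.add(FACTOR_KNOW)
    if totp_code is not None and user["totp_secret"] is not None:
        now = int(time.time()) if now is None else now
        if hmac.compare_digest(totp(user["totp_secret"], now), totp_code):
            verified.add(FACTOR_HAVE)
    return verified


def authorise(user_id, factors, permission):
    """Step two: map the authenticated identity to its rights via its roles."""
    user = USERS.get(user_id)
    if user is None or not factors:
        return False
    required = [POLICY[role][permission]
                for role in user["roles"]
                if permission in POLICY.get(role, {})]
    if not required:
        return False  # no role grants this permission at all
    return len(factors) >= min(required)


if __name__ == "__main__":
    t = 1_000_000
    f = authenticate("john.smith.1", "correct horse", totp(TOTP_SECRET, t), now=t)
    print(f, authorise("john.smith.1", f, "transfer_funds"))
```

Keeping the two steps separate is the point: `authenticate` only reports how strongly the claimed identity was verified, and `authorise` decides what that identity may do, so the second John Smith cannot inherit the first one’s rights and a single-factor login cannot reach the two-factor permissions.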
A PDF version of the magazine is available online at: