IAM should be data management discipline

“Who am I?” is a key philosophical problem around personal identity. In social relationships, this is a highly complex topic that requires really sophisticated systems to process, like the human brain. In formal relationships, the question is mainly answered via background checks and through presented documents and certificates issued by some kind of authority.

The same question is just as relevant in the digital world, for example on the Internet. However, here it is hard to include soft and subjective traits. Your traits must be expressible as data. The sum of all attributes you can digitally prove constitutes your Digital Identity.

In order to enter (and maintain) relationships, you need to prove some aspects of who you are. Within the IAM (Identity & Access Management) landscape, this problem area is represented in domains like Identity Resolution, Identity Aggregation and Identity Maintenance - here we will simply refer to it as Identification. Let’s find out why today’s IAM landscape has failed to address Identification on the Internet.

Online services need to know certain aspects about their users in order to function, evolve their business and stay secure and compliant. People, on the other hand, need simple means to identify themselves while still maintaining control of, and transparency around, where their data resides and what it is used for (even stipulated by law in many countries).

In order to collect, aggregate and present identification data in a trustworthy way, we cannot avoid performing Identity Proofing. If we cannot know for sure that a digital identity represents the person in question (or a person at all), we cannot really trust any statements about that identity. So there must be means both to validate the identification data and to verify that the data attributes belong to the person who is present.

Ideally, Identification is fully carried out as part of Identity Proofing processes. Attributes that are presented directly by the user (while present) are easily verified and very convenient for services to integrate and assess. And even more importantly, it can give users control through explicitly granted consents. Authentication protocols like SAML and OIDC have rudimentary consent-driven identification built into their flows.

Today, most Identification matters are dealt with out-of-band, i.e. as proprietary processes - separated from identity proofing. This is often done through manual self-registration forms, sometimes through integrations with external authorities and not infrequently through harvesting of cookie data. These are not only heavy and expensive (often manual) processes for service providers, resulting in high uncertainty and stale data. They are also very annoying and intrusive for users. Consents are typically collected through extensive, unreadable user terms - with close to zero insight into what the data actually will be used for.

Most of today’s services accept these challenges, and most people do not like them but accept them as unavoidable. But, with growing awareness of data privacy amongst people, and as laws and regulations increase their focus on data governance - Identification is the problem to solve. This is not only a matter of collecting data; it is also a matter of assessing the truthfulness and quality of the data and accepting that truth is not always binary. On top of this, the mission is to housekeep the data and collect only the bare minimum needed for the target processes.

IAM has for a long time been driven as a discipline within cybersecurity - but focus must shift towards data management. Data can no longer be treated as a peripheral matter - it is the core of digital identity. When on the Internet, your data defines who you are.

At Truid, data management and privacy are the foundation - not just some sprinkle on top.