This means that the definition of the term 'identity' needs to be relaxed – I'll explain more about why this is in a moment, but first it needs to be made very clear that my ATM card is an identity, so is my login-name at work.

The general process of granting a person permission to perform some restricted task (let's say I wish to edit a document on the corporate LAN) involves three distinct (but loosely related) concepts: Identity, Authentication and Authorisation.

These three concepts are each linked to their own specific question:

Identity: Who are you?

Authentication: Can you prove it?

Authorisation: OK, what are you permitted to do?

To edit the corporate document, my identity is my login-name; my authentication is my password and my authorisation is either 'yes' I can edit or 'no' I cannot (amongst a range of other permissions, of course).

This process of Identity / Authentication relies on the user of the identity confirming their ability or permission to assert that identity. Nothing more, nothing less, and thus the 'strength' and 'value' of the transaction will therefore impose limits on how well-defined the identity should be.

Two important points arise here: Firstly, is my login-name me?  Of course not (but it is definitely an identity under my control).

Secondly, am I limited to a single identity (even within this office context)?  Definitely not.  In fact, if you think about it, many of us are encouraged to have more than one - for instance the LAN administrator will have identities for 'administrative' work and for 'normal' work.  This also suggests that identities may be shared or transferrable.