This means that the definition of the term 'identity' needs to be relaxed – I'll explain more about why this is in a moment, but first it needs to be made very clear that my ATM card is an identity, and so is my login-name at work.
The general process of granting a person permission to perform some restricted task (let's say I wish to edit a document on the corporate LAN) involves three distinct (but loosely related) concepts: Identity, Authentication and Authorisation.
These three concepts are each linked to their own specific question:
Identity: Who are you?
Authentication: Can you prove it?
Authorisation: OK, what are you permitted to do?
To edit the corporate document, my identity is my login-name; my authentication is my password and my authorisation is either 'yes' I can edit or 'no' I cannot (amongst a range of other permissions, of course).
This process of Identity / Authentication relies on the user of the identity confirming their ability or permission to assert that identity. Nothing more, nothing less. The 'strength' and 'value' of the transaction will therefore impose limits on how well-defined the identity should be.
Two important points arise here: Firstly, is my login-name me? Of course not (but it is definitely an identity under my control).
Secondly, am I limited to a single identity (even within this office context)? Definitely not. In fact, if you think about it, many of us are encouraged to have more than one - for instance the LAN administrator will have identities for 'administrative' work and for 'normal' work. This also suggests that identities may be shared or transferable.
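The three questions above as separate steps, in an added Python sketch that is not from the original article; the `Directory` class, login-names, passwords and permissions are all constructed for illustration. `authenticate` only establishes that the caller can assert the identity, so anyone holding the password passes, and one person can hold a 'normal' and an 'administrative' identity with different authorisations.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials are not the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Directory:
    """Hypothetical directory: identities are login-names, not people."""

    def __init__(self):
        self._creds = {}   # login-name -> (salt, password hash)
        self._perms = {}   # login-name -> set of (action, resource)

    def add_identity(self, login, password, permissions):
        salt = os.urandom(16)
        self._creds[login] = (salt, _hash(password, salt))
        self._perms[login] = set(permissions)

    def authenticate(self, login, password):
        # "Can you prove it?" Proves control of the identity, nothing more.
        # Unknown logins still run the hash and then fail the comparison.
        salt, stored = self._creds.get(login, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def authorise(self, login, action, resource):
        # "What are you permitted to do?" Decided per identity, not per person.
        return (action, resource) in self._perms.get(login, set())

    def request(self, login, password, action, resource):
        if not self.authenticate(login, password):
            return "authentication failed"
        if not self.authorise(login, action, resource):
            return "denied"
        return "permitted"

def build_demo():
    # Constructed sample data: one person, two identities.
    d = Directory()
    d.add_identity("dheath", "constructed-pw-1", {("edit", "report.doc")})
    d.add_identity("dheath-admin", "constructed-pw-2",
                   {("reset-password", "lan")})
    return d
```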
Identity management within a relatively closed environment is comparatively easy - a social club or an insurance office, for instance. We can (hopefully) confine ourselves to role-based identities and it's probably safe to assume that we're not dealing with terrorists, just hackers! The problem is that we assume the solutions that work here can be applied more widely.
Most identities are defined in terms of the perceptions of others: for instance, we might buy the newspaper every morning at a kiosk before boarding the train to work. After a few weeks, the vendor gets to know us by sight and says "hello" every morning. That is an identity; it is self-contained and complete within the bounds of the interaction. Similarly, our "family" identity is most strongly defined in terms of the perceptions of those around us. You might also consider the driver’s licence as a self-contained identity.
Interestingly, although both are valid descriptions of "you," there is minimal overlap between the kiosk "you" and the family "you," unless perhaps your spouse accompanies you to the city one day; and none at all between kiosk and driver's licence (apart from the photo on your licence).
The great thing about identity is that we have so many of them to choose from - not for any "nefarious" purpose, but we intentionally partition ourselves into multiple "people." The "David Heath" at work is quite distinct from the "David Heath" at home, for instance. At a simpler level, the identity we use when we visit some website that requires authentication has very little in common with anything truthful about us. But it is still an identity of ours.
From these examples, you can see that there are degrees of accountability, acceptability, reliance and strength in your varied identities.
Interestingly, supposedly self-securing documents (such as a passport) have no concept of authentication – they step directly from Identity to Authorisation.
The link between who we are and our identity is tenuous at best; just about the only formalised "identity" we have is nothing more than a paper trail. Although credit databases are powerful tools, they are still not who we are.
Mind you, even an excellent paper trail can prove nothing - Timothy McVeigh, for example, was generally perceived as a fine, upstanding citizen. Also, the opposite - the absence of a paper trail - is no more (or less) useful. Knowing nothing about an identity is not the same as rejecting it.
Some identity documents, driver's licences for instance, are easy to fake (or acquire), yet are treated like gold. There were numerous reports in the media that at least two of the 9/11 terrorists held valid (although in false names) Virginia licences. What does that tell us about the reliability of identity documents?
There is a huge effort expended on designing and implementing a self-protecting identity token (driver's licence, passport etc.) and far too little effort on the validity of the actual identity, or on checking the legitimacy of the token. I recall reading press reports in 2004 showing just how seriously the Australian government takes passport control - in the previous year, over 3000 people complained of errors in the passport they were issued - including one Caucasian woman who found the photo of an Asian man in hers.
It might also seem amusing that we regard the passport as the ultimate identity document, yet we're permitted to submit our application by mail.
Given a strongly verified identity, biometrics is the only robust method available to authenticate that identity to the claimed owner. Biometrics gives us authoritative identity determination; it's the only technique that can.
So, despite all the "extras," nothing changes. An identity cannot be strengthened by wrapping processes around it, even if those processes are very strong.
As mentioned at the beginning, it's not identity management we're having trouble with - it's trust management. We can create and manage as many identities as we want, but can we trust them? All of them? Some of them? None of them? Try getting a newspaper from the kiosk guy when you have no money. I’ll bet you could do it once, but not the second day!
Stephen Covey, in his book "Principle-Centered Leadership", tells us that the map is not the territory. He is referring, of course, to the difference between our representation of something (the map) and the truth of the same thing (the territory). In exactly the same way, an identity is not a person. Identity is a map of the trust landscape; it is not equivalent to trust. We must find a way to trust the person, not the identity.
So, drawing this back to the original theme, if we can sideline issues of trust and focus on identity, excellent solutions, both technical and procedural, are available.
Governments look at these solutions with a mixture of envy and total misunderstanding of the differences involved. If trust is established, identity is easy; unfortunately the reverse does not follow. It's easy to get caught up in the hype of identity so as to completely lose sight of the fact that you were really trying to manage trust. Not only are you no better off, but your fascination with identity will probably leave you worse off.
To close, I'll offer you a pop-quiz. Would you rather be managing identity in an insurance office or trust at the immigration desk at Sydney airport?
I'll leave you to contemplate your own answer.