Links

Ben Laurie blathering


Identification Is Not Security

Kim writes about minimal disclosure. Funnily enough my wife, Camilla, spontaneously explained minimal disclosure to me a couple of nights ago. She was incensed that she ended up having to “prove” who she was in order to pay a bill over the phone.

First of all, they asked her for her password. Of course, she has no idea what her password might be with this particular company, so their suggestion was she guess. Camilla surprised me by telling me that she had, of course, declined to guess, because by guessing she would be revealing all her passwords that she might use elsewhere. So, they then resorted to the usual stupidity: mother’s maiden name, postcode, phone number and so forth. Camilla said she was happy to provide that information because she didn’t feel it was in any way secret – which, of course, means it doesn’t really authenticate her, either.

Anyway, her point was that in order to pay a bill she really shouldn’t have to authenticate to the payee – what do they care who pays the money, so long as it gets paid? In fact, really, we want the authentication to be the other way round – the payee should prove to her that they are really the payee. It would also be nice if they provided some level of assurance that she is paying the right bill. But they really don’t need to have any clue who she is, so long as she can hand over money somehow (which might, of course, including authenticating somehow to some money-handling middleman).

But what seems to be happening now is that everyone is using identity as a proxy for security. If we know who you are, then everything else springs from that.

Now, if what you want to do is to determine whether someone is authorised to do something, then certainly this is an approach that works. I find out who you are, then I look you up in my Big Table of Everything Everyone Is Allowed To Do, and I’m done. However, and now I finally circle back to Kim’s post, for many, if not most, purposes, identification is far more than is really needed. For example, Equifax just launched the Over 18 I-Card. I hope Equifax got this right and issued a card that doesn’t reveal anything else about you – but even if they didn’t, clearly it could be done – and clearly there’s value in proving you’re over 18, and therefore authorised to do some things you might not otherwise be able to do. Though I’d note that I am not over 18 in Equifax’ view because I do not have an SSN!

Anyway, current deficiencies aside, this is a great example of where minimal disclosure works better than identification – rather than everyone having a lookup table containing everyone in the world and whether they are over 18, someone who has the information anyway does the lookup once and then signs the statement “yep, the bearer is over 18”.

But in many other cases identification doesn’t work at all – after all, the premise of the ID card is that it is supposed to improve our security against terrorists. But its pretty obvious that identifying people really isn’t going to help – you can work that out just by thinking about it, but even more importantly, in several recent terrorist attacks everyone has been very thoroughly identified but it hasn’t helped one bit.

And in the case of my wife trying to pay a bill, identification was completely without purpose. Yet everyone wants to do it. As Kim says, we really need to rethink the world in terms of minimal disclosure – and as I show above, sometimes this is actually the easiest way to think about it – my one area of disagreement is that we should not call this “identity” or even “contextual identity”. We need a term that makes it clear it has nothing to do with identification. I prefer to think in terms of “proof of entitlement” or “proof of authority” – but those don’t exactly roll off the tongue … ideas?

7 Comments

  1. How about the noun ‘permit’? It means ‘proof of entitlement’ and doesn’t sound too highfalutin.

    Comment by Chris R — 17 Nov 2008 @ 17:31

  2. Right on. I called to set up my gas service at a new apartment, and they asked for my social security number. They told me that they just want it so that they can prove my identity when I call later by having me give my social security number again. Just making up a number was fine with them — in fact, all they cared about was the last four digits. I’m glad I asked.

    Comment by Lex — 17 Nov 2008 @ 19:17

  3. “And in the case of my wife trying to pay a bill, identification was completely without purpose.”

    Any customer service organization would want this information to keep track of the people they interact with. This allows the organization to keep track of your wife’s preferences, e.g., “She would prefer that we stop asking about her first pet’s name.” By confirming her identity, they can track her consistent irritation over several calls.

    Comment by Larry Hosken — 18 Nov 2008 @ 1:53

  4. On the new equifax service, I find it odd that in order to get a i-card you need to provide your SSN, again. Doesn’t Equifax already have this information?

    Comment by versace — 21 Nov 2008 @ 17:01

  5. […] Identification Is Not Security: Ben Laurie has a nice piece that illustrates some of the distinctions between identification, authentication, authorization and security. Far too often one services focus on one aspect such as identifying the account holder when they would be much better of worrying about the authentication and authorization of the individual paying. […]

    Pingback by On Message with Ben Gross » Blog Archive » New and noteworthy in security 11/26/08 — 27 Nov 2008 @ 3:01

  6. I think of them as predicate benchmark proofs(functions).

    For something more friendly that I can hand to others, I call that a MiniME. Information Cards imply too much information for my liking. A MiniME or Mini Mums-the-word Entitlement implies: Minimum entitlement that is to be kept between parties unless otherwise stated. Helps me visualise the process.

    I’m of the believe that minimal disclosure by both parties should be explicit in the transaction for it to be considered minimal disclosure.

    Comment by Craig Overend — 27 Nov 2008 @ 17:19

  7. About that card…

    How could there be a card that proves you’re over 18 but not identify you?

    Wouldn’t it be a problem if you handed that card to someone who’s not yet 18?

    Comment by lowgic — 7 Feb 2009 @ 17:12

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress