Three layers of identity in your digital life

Understanding why something you know, something you have, and something you are come together to unlock your identity online.
23 May 2018

Unless you are a web crawler scanning this page for some potentially nefarious Internet aggregation engine, you are probably a human being – and that means you have an identity.

Being a human, your identity expresses your personality traits, your circumstances, your integrity and your very selfdom and ipseity, i.e. it’s what makes you “you”. This is identity layer one.

Next comes your digital identity. More accurately, it is your digital identities, plural.

For every login you make on a software application, social network or other web service, you create another ‘instance’ of your own personal identity.

That digital identity will, depending on the application and service being used, denote what functions and processes you are able to perform with the technology at hand. This is identity layer two.

Thirdly and lastly (for now at least) comes device identity. This is the collection of connected ‘things’ in the digital world that make you, you.

The laptop, tablet, smartphone or other screen you are reading this on (we’re still assuming you’re not a robot) has a serial number and an identity.

Deeper back, every server blade in the cloud datacenter serving this website has a specific identifier, as does every health-tracker wearable, every connected refrigerator, every autonomous car and every electronic front door camera.

Some of those devices may even have several identities if they exist to perform several functions. This is identity layer three.

Devices use digital identities to talk to their network, to each other and ultimately to us. As with us humans, each digital identity is a description of what makes each product unique, what functions it is capable of, and where it lives.

Authentication factor

What brings all these three layers of identity together (or breaks them down if it is absent) is authentication.

Software application developers have the choice to place authentication controls in our applications while they are building them (it’s always tough to ‘bolt it on’ afterwards), but it’s important to remember that it is a choice – they can leave authentication out.

This backdrop is much of the story that led to the creation of Okta, a firm that offers what it calls a ‘common identity core’ for developers to put identity controls into applications, websites and the embedded software running on devices.

“Protecting identities is hard and building a secure authentication, authorization and user management stack for your application is even harder. The vast number of breaches and massive extent of data loss suggests that [software] product and engineering teams do not typically excel at building identity and authentication,” said Okta CEO and co-founder, Todd McKinnon.

With Okta Multi-Factor Authentication (MFA) included as part of the newly announced Okta API Products for One App, developers can add authentication either at the initial login or through contextual step-up authentication for sensitive resources and actions throughout an application experience – and this provides security for end users.

Identity becomes a digital currency

Identity verification software company Acuant has partnered with Okta to extend its individual proofing functionality and clarify how these types of technologies actually work for the customers using them.

“Identity has become a currency. Acuant’s patented technology extracts biometric and alphanumeric data to authenticate user identity, applying 50+ forensic document-specific tests,” said Yossi Zekri, president and CEO, Acuant.

Acuant’s software relies on a large library of documents to help businesses verify employee and customer identities across the globe. The firm claims that this will eliminate manual screening errors and ultimately provide employees with a better user experience.

Taking stock of all issues discussed here, let’s remember that single-factor authentication relies on something a user knows (a password), two-factor authentication adds something a user has (usually a key code ‘fob’) and three-factor authentication adds something a user is (a fingerprint or other biometric scan).

Perhaps it’s no coincidence that there are three layers of identity and three factors of authentication.

Do you feel safer now?

Now that you know your three R’s and your three layers of identity, do you feel safer? You should do, but you should also be aware that not every application has the same level of authentication controls applied to it.

Understanding that intelligent applications will be using algorithms like Okta’s to ‘learn’ authenticated users’ behavior over time should give us confidence in a more automated, locked-down future for all of us.