Identity, trust, and their role in modern applications

By Lee Atchison · August 7, 2023 · Security

Identity, trust, and their role in modern applications

In the software world, identity is the mapping of a person, place, or thing in a verifiable manner to a software resource. Whenever you interact with nearly anything on the internet, you are dealing with identities:

Facebook identity
Email address
Login name and password for a website Everyone has multiple identities—multiple ways that people know who you are and interact with you in the virtual world. Here are a few of my identities:
Twitter: @leeatchison
LinkedIn: leeatchison
Email address: lee###@####.com
Phone number: (360) ###-#### Each of these is a different way of identifying me to my friends, family, co-workers, partners, and vendors. You deal with identities all the time. Identities can represent more than people. Everything you interact with in the real world that has a presence in the virtual world has to deal with identity and identity management:
The money in your savings account or stock you own
The Uber driver that just dropped you off
Your shipping address
Inventory levels for the products that you sell
The pizza that you ordered online Identity is everywhere. But when you need to correlate an item in the virtual world with an item in the real world, and you need to validate that they are one and the same—you require a way of identifying the item and validating the connection.

Bad actors are always trying to thwart this process. Whether they are trying to steal your login credentials to get access to your Instagram account, or trying to take ownership of your savings account to steal your hard-earned money, bad actors play havoc with our real lives when they thwart our identity in the virtual world. Nearly every person and every company in existence today needs to deal with identity, and every executive, director, and manager needs to understand what identity management is about and why it’s important.

What makes up an identity?

An identity in the modern world typically is composed of three distinct segments:

Authentication. This is a method for associating an entity in the virtual world with its real-world equivalent. Typically, for a person using a website, this is logging on to the website using their username and password. But it could also be the bank account that is authenticated to belong to you, specifically, and not someone who looks like you or has the same name as you. Authentication is the connection between an entity in the physical world and its counterpart in the virtual world.
Authorization. This is the description of what the particular identity has access to or permission to use. For a user on a website, this is the permission they’ve been granted. For the bank account, it’s what type of deposits and withdrawals are allowed, and what account limits exist. Authorization is the permission given to identities in the virtual world.
Profiles/attributes. This is a set of information associated with the identity that can be used by the application, and related services, when interacting with the identity. For an identity representing a person, this could be their name, a photo, and their home address. For the bank account it could be the name of the account, account number, and account balance. Profiles or attributes are extended information available that describes the entity. When you log in to Facebook, you make use of your Facebook identity. First, you log in using a username and password—this is authentication, and it confirms that you are the person associated with this Facebook identity.

You move to your favorite group and you start reading messages in that group. Before you are allowed to view the messages in the group, though, Facebook has checked to make sure you have the necessary permission to do so—this is authorization, and it confirms that this identity has access to interact with this particular group.

You click “New Post” and type a post you want to send to the members of the group. Facebook is doing further authorization checks to make sure you have all the correct permissions to, first, create new posts, and, second, to put that post into this particular group. Finally, someone reads your post and wants to find out more about you. So, they click on your picture to find out who you are and what topics you are interested in. They are looking at your profile and other attributes to find out more information about the identity they’ve been interacting with.

Where trust comes from

Have you ever viewed a Facebook profile and wondered whether the information in the profile was accurate? Or, to bring up the worst-case scenario, have you wondered whether the person associated with the profile was actually real? It should be no surprise that there is no magic method of validating that the profile of an identity contains accurate and useful information about the real-world entity associated with the virtual identity. Or even if the person represented by the profile truly exists.

How can the online identity be useful without knowing whether or not the information it includes is accurate, or even real? Because there is nothing about the identity itself to give you that information, you instead have to rely on the applications that create, manage, and use the identity to ensure the identity is valid. This is a matter of trust. In the modern internet world, trust is an attribute associated not with the virtual identity itself, but with the application that is making use of the entity. When you view your account balance at the bank, you have trust in the bank, which gives you a belief that the account balance is accurate and the funds are available. The bank elicits a high level of trust from you.

When you view someone’s photograph on a dating application or public chat room, you have no trust that the application validated that photograph, and hence you may have little trust that it is a valid photograph of the person the identity represents. The dating site elicits very little trust from you. Trust can be inherited. You may have no trust in the chat room application. But you likely have a higher level of trust that someone’s LinkedIn identity is a more accurate view of who they say they are. This is because you have a higher level of trust in LinkedIn than you do in that chat room app. But what if the chat room application makes use of your LinkedIn profile to facilitate logging you in (authenticating you)—hence associating your chat identity with your LinkedIn identity. Then, the reliability that the chat application’s view of an identity is accurate, increases. The chat application’s trust has been increased. Trust and trust sharing are indispensable to our belief in the validity of the services we interact with on the internet. Trust is important when dealing with e-commerce companies, absolutely essential when dealing online with our banks and bank accounts, and potentially a matter of life or death when dealing online with our medical providers. While our trust may be (appropriately) low for the random chat room, trust must be extremely high when dealing with critical systems.

The technologies underpinning identity and trust on the internet are constantly evolving to keep pace with the threats posed by bad actors, who are constantly working to exploit any weakness. We’ll continue to need better mechanisms that are stronger, faster, easier to implement, and easier to use, or we will lose the race to maintain safe and secure systems. The next generation of systems may even be less reliant on central authority, thanks to blockchain and related technologies. Eventually, we should expect trusted identity-sharing to become commonplace, improving our ability to interact safely with one another in the online world. Someday, we might even stop worrying whether a Facebook profile is real.