Yes, those are great observations, Andrew. There are some applications in which we HAVE to perform identity resolution based upon WHATEVER set of usable attributes might be available and apply a scoring algorithm to assess the level of confidence (usually relative, not absolute) we have in the resulting identity. On the “behavioral” attributes front, it can be surprising how wide that scope now extends. On the “strong” attributes front, it can be surprising how spoof-able some of those are (by certain categories of actors).

I agree that this has been a good discussion … yes, we (and other groups) return to this and similar topics repeatedly over time … that’s not necessarily a bad thing … I always learn new facts or useful perspectives from the exercise.

Avanti,
BobN

From: Andrew Hughes [mailto:andrewhughes3000@gmail.com]
Sent: Wednesday, March 08, 2017 10:38 AM
To: Charles Eckert <mr.eckert@gmail.com>
Cc: Natale, Bob <RNATALE@mitre.org>; Kaliya Identity Woman <kaliya@identitywoman.net>; dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster.

Hey Charles - that's a good characterization of identity attributes, but perhaps not the only useful one. I think it applies mostly to the case where identity attributes are being used to recognize or otherwise identify a returning entity.

However, when attempting to identify an entity that may not have been previously encountered, and without a previously-stored authoritative data source for comparison, all that is left is characteristics of an entity that can be used to describe that entity, which is useful in many other scenarios. Other techniques such as enrollment, correlation, step-up authentication, delayed authentication etc. could then be applied if there is a need to determine uniqueness or use a broader context/population.

The context within which the analyst is considering the semantics of the 'attribute' is likely to constrain the required characteristics of those attributes.

(or something like that)

andrew.

Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security

On Wed, Mar 8, 2017 at 5:31 AM, Charles Eckert <mr.eckert@gmail.com> wrote:

Have been following this discussion closely and had a few thoughts on this statement. While I agree that each of the attributes you’ve cited are attributes about an entity, I’m not convinced they are good Identity Attributes.

Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes. The context piece is important. Email address is unique using unique name/domain pairs for the entire population; a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts.

I suspect identity attributes have a few key characteristics:
1) Sufficient to identify a specific entity within a context (application, national, global, etc)
2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes)
3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute

Behavioural Biometrics: “Something you do” is discussed frequently within the authentication context. I see its value in a continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event.

The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities.

Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program.

Charles

From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob
Sent: Wednesday, March 8, 2017 3:30 AM
To: Kaliya Identity Woman
Cc: dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (that's wrong)

Hi Kaliya,

Don’t mistake the value of an attribute for the attribute as a construct. My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate their status as useful identity attributes.

Avanti,
BobN
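The attribute-scored identity resolution Bob describes at the top of the thread, combined with Charles's point that an attribute is only evidence within the context where it is unique, as an added illustration (not code from the thread or from any of the participants). The weights, scope table, records and observed attributes are all constructed assumptions; the score is relative (a ranking with a margin), not an absolute assurance level.

```python
from typing import Dict, List, Optional, Tuple

# Constructed weights (assumption): attributes anchored to a defining event
# (government ID at registration, email at account creation) count more than
# behavioural signals, which are cheaper to spoof.
WEIGHTS = {"gov_id": 0.6, "email": 0.5, "phone": 0.3, "username": 0.2, "typing_cadence": 0.1}

# Scope within which each attribute is assumed unique (assumption): a username
# only identifies within one application, a national ID may collide across borders.
SCOPE = {"gov_id": "national", "email": "global", "phone": "global",
         "username": "application", "typing_cadence": "application"}
SCOPE_RANK = {"application": 0, "national": 1, "global": 2}

Record = Dict[str, str]

def match_score(candidate: Record, observed: Record, context: str) -> float:
    """Share of the usable attribute weight on which candidate and observed agree."""
    agreed = possible = 0.0
    for attr, weight in WEIGHTS.items():
        if attr not in candidate or attr not in observed:
            continue  # score only on what both sides actually have
        if SCOPE_RANK[SCOPE[attr]] < SCOPE_RANK[context]:
            continue  # not unique at this context, so not evidence of identity here
        possible += weight
        if candidate[attr].strip().lower() == observed[attr].strip().lower():
            agreed += weight
    return agreed / possible if possible else 0.0

def resolve(observed: Record, records: List[Record], context: str,
            margin: float = 0.2) -> Tuple[Optional[str], List[Tuple[str, float]]]:
    """Rank candidates; return a match only when the top score clearly leads."""
    ranked = sorted(((r["id"], match_score(r, observed, context)) for r in records),
                    key=lambda pair: pair[1], reverse=True)
    if not ranked or ranked[0][1] == 0.0:
        return None, ranked  # nothing usable to resolve on in this context
    if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < margin:
        return None, ranked  # ambiguous: relative confidence too close to call
    return ranked[0][0], ranked

# Constructed sample data (assumption), not real accounts.
RECORDS: List[Record] = [
    {"id": "acct-1", "gov_id": "A123", "email": "bob@example.com",
     "username": "bobn", "typing_cadence": "fast"},
    {"id": "acct-2", "email": "bob.n@example.com", "phone": "+15550100",
     "username": "bobn", "typing_cadence": "fast"},
]
OBSERVED: Record = {"email": "bob@example.com", "username": "bobn", "typing_cadence": "fast"}

if __name__ == "__main__":
    print(resolve(OBSERVED, RECORDS, "application"))  # acct-1 leads clearly
    print(resolve({"username": "bobn"}, RECORDS, "global"))  # username is not usable globally
```

Note how the same username and cadence that tie the two records in the application context contribute nothing once the comparison is made across a wider population.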