Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com
ca.linkedin.com/pub/andrew-hughes/a/58/682/
Identity Management | IT Governance | Information Security
Have been following this discussion closely and had a few thoughts on this statement.
While I agree that each of the attributes you’ve cited is an attribute about an entity, I’m not convinced they are good Identity Attributes. Every entity, whether a person or NPE, has a bunch of attributes associated with them. A subset of those attributes are useful to identify that entity within a specific context and I would consider those Identity Attributes.
The context piece is important. Email address is unique using unique name/domain pairs for the entire population; a plain username is only workable within an application or site. Even unique identifiers like SIN may collide across national boundaries. This is where the example of the password as an identity attribute falls down and can’t be guaranteed to maintain uniqueness within a population of accounts.
I suspect identity attributes have a few key characteristics:
1) Sufficient to identify a specific entity within a context (application, national, global, etc)
2) Tend to be stable over the long term (which is why weight and height, facial hair, etc wouldn’t be great identity attributes)
3) Strong identity attributes are associated with events that define an identity (e.g. birth cert (or change of name) for name, Serial Number at manufacturing, account creation, etc) as they provide a documented start/stop to a specific attribute
Behavioural Biometrics
“Something you do” is discussed frequently within the authentication context. I see its value in a continuous authentication scheme; after the primary authentication event, behaviour can demonstrate whether the entity still has active control over the account. For primary authentication, I’d still look at the first 3 factors only for their point-in-time nature. Unless behavioral biometrics were baked into primary authentication (e.g. cadence of password/pin) then the measurement over time can only demonstrate that the entity had possession previously and/or after the auth event.
The full set of entities that need identity includes persons and NPEs (IoT, IoE, etc). These are easy, but longer term identity will also have to apply to other constructs as well: from current generation “chat bots” to future AI entities.
Thanks for starting this interesting thread Kaliya. Hopefully this will create a healthy conversation within that program.
Charles
From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Natale, Bob
Sent: Wednesday, March 8, 2017 3:30 AM
To: Kaliya Identity Woman
Cc: dg-idpro@kantarainitiative.org
Subject: Re: [DG-IDPro] IdM Poster. (thats wrong)
Hi Kaliya,
Don’t mistake the value of an attribute for the attribute as a construct.
My weight, height, marital status, address(es), phone number(s), even SSN, might change over time too … that does not negate their status as useful identity attributes.
Avanti,
BobN