A digital identity is data stored on computer systems relating to an individual, organization, application, or device. For individuals, it involves the collection of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.
Digital identities are composed of the full range of data produced by a person's activities on the internet, which may include usernames and passwords, search histories, dates of birth, social security numbers, and records of online purchases. When such personal information is accessible in the public domain, it can be used by others to piece together a person's offline identity. Furthermore, this information can be compiled to construct a "data double"—a comprehensive profile created from a person's scattered digital footprints across various platforms. These profiles are instrumental in enabling personalized experiences on the internet and within different digital services. [1] [2]
Should the exchange of personal data for online content and services become a practice of the past, an alternative transactional model must emerge. As the internet becomes more attuned to privacy concerns, media publishers, application developers, and online retailers are re-evaluating their strategies, sometimes reinventing their business models completely. Increasingly, the trend is shifting towards monetizing online offerings directly, with users being asked to pay for access through subscriptions and other forms of payment, moving away from the reliance on collecting personal data. [3]
Navigating the legal and societal implications of digital identity is intricate and fraught with challenges. Misrepresenting one's legal identity in the digital realm can pose numerous threats to a society increasingly reliant on digital interactions, opening doors for various illicit activities. Criminals, fraudsters, and terrorists could exploit these vulnerabilities to perpetrate crimes that can affect the virtual domain, the physical world, or both. [4]
A critical problem in cyberspace is knowing who one is interacting with. Using only static identifiers such as passwords and email, there is no way to precisely determine the identity of a person in cyberspace because this information can be stolen or used by many individuals acting as one. Digital identity based on dynamic entity relationships captured from behavioral history across multiple websites and mobile apps can verify and authenticate identity with up to 95% accuracy.[ citation needed ]
By comparing a set of entity relationships between a new event (e.g., login) and past events, a pattern of convergence can verify or authenticate the identity as legitimate, whereas divergence indicates an attempt to mask an identity. Data used for digital identity is generally protected with a one-way hash rather than stored in the clear, thereby addressing privacy concerns. Because it is based on behavioral history, a digital identity is very hard to fake or steal.
A digital identity may also be referred to as a digital subject or digital entity: the digital representation of a set of claims made by one party about itself or another person, group, thing, or concept. A digital twin, [5] also commonly known as a data double or virtual twin, is a secondary version of the original user's data, used both to observe what that user does on the internet and to customize a more personalized internet experience.[ citation needed ] Because of the personal data collected to build them, data doubles have been the subject of many social, political, and legal controversies.
The attributes of a digital identity are acquired and contain information about a user, such as medical history, purchasing behavior, bank balance, age, and so on. Preferences retain a user's choices, such as favorite brand of shoes and preferred currency. Traits are features of the user that are inherent, such as eye color, nationality, and place of birth. Although attributes of a user can change easily, traits change slowly, if at all. A digital identity also has entity relationships derived from the devices, environment, and locations from which an individual is active on the Internet, along with many other personal attributes and preferences, such as facial recognition data, fingerprints, and photos. [6]
Digital identities can be issued through digital certificates. These certificates contain data associated with a user and are issued with legal guarantees by recognized certification authorities.
In order to assign a digital representation to an entity, the attributing party must trust that the claim of an attribute (such as name, location, role as an employee, or age) is correct and associated with the person or thing presenting the attribute. Conversely, the individual claiming an attribute may only grant selective access to its information (e.g., proving identity in a bar or PayPal authentication for payment at a website). In this way, digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.[ citation needed ]
Authentication is the assurance of the identity of one entity to another. It is a key aspect of digital trust. In general, business-to-business authentication is designed for security, but user-to-business authentication is designed for simplicity.
Authentication techniques include the presentation of a unique object such as a bank credit card, the provision of confidential information such as a password or the answer to a pre-arranged question, the confirmation of ownership of an email address, and more robust but costly techniques using encryption. Physical authentication techniques include iris scanning, fingerprinting, and voice recognition; those techniques are called biometrics . The use of both static identifiers (e.g., username and password) and personal unique attributes (e.g., biometrics) is called multi-factor authentication and is more secure than the use of one component alone.[ citation needed ]
Whilst technological progress in authentication continues to evolve, these systems do not prevent aliases from being used. The introduction of strong authentication [ citation needed ] for online payment transactions within the European Union now links a verified person to an account, where such a person has been identified in accordance with statutory requirements prior to the account being opened. Verifying a person opening an account online typically requires a form of device binding to the credentials being used. This verifies that the device that stands in for a person on the Internet is actually the individual's device and not the device of someone simply claiming to be the individual. The concept of reliance authentication makes use of pre-existing accounts to piggyback further services upon those accounts, provided that the original source is reliable. The concept of reliability comes from various anti-money laundering and counter-terrorism funding legislation in the US, [7] EU28, [8] Australia, [9] Singapore and New Zealand, [10] where second parties may place reliance on the customer due diligence process of the first party, where the first party is, say, a financial institution. An example of reliance authentication is PayPal's verification method.
Authorization is the determination, by the entity that controls a resource, that an authenticated party may access that resource. Authorization depends on authentication, because authorization requires that the critical attribute (i.e., the attribute that determines the authorizer's decision) be verified.[ citation needed ] For example, authorization on a credit card gives access to the resources owned by Amazon; e.g., Amazon sends one a product. Authorization of an employee provides that employee with access to network resources, such as printers, files, or software. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data.[ citation needed ]
Consider the person who rents a car and checks into a hotel with a credit card. The car rental and hotel company may request authentication that there is credit enough for an accident, or profligate spending on room service. Thus a card may later be refused when trying to purchase an activity such as a balloon trip. Though there is adequate credit to pay for the rental, the hotel, and the balloon trip, there is an insufficient amount to also cover the authorizations. The actual charges are authorized after leaving the hotel and returning the car, which may be too late for the balloon trip.
Valid online authorization requires analysis of information related to the digital event including device and environmental variables. These are generally derived from the data exchanged between a device and a business server over the Internet. [11]
Digital identity requires digital identifiers—strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.).
Identifiers may be classified as omnidirectional or unidirectional. [12] Omnidirectional identifiers are public and easily discoverable, whereas unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship.
Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or email address, may be easily dereferenced into the entity they represent, or some current state data providing relevant attributes of that entity. Non-resolvable identifiers, such as a person's real name, or the name of a subject or topic, can be compared for equivalence but are not otherwise machine-understandable.
There are many different schemes and formats for digital identifiers. The Uniform Resource Identifier (URI) and its internationalized version, the Internationalized Resource Identifier (IRI), are the standard identifiers for websites on the World Wide Web. OpenID and Lightweight Identity are two web authentication protocols that use standard HTTP URIs (often called URLs). A Uniform Resource Name is a persistent, location-independent identifier assigned within a defined namespace.
Digital object architecture [13] is a means of managing digital information in a network environment. In digital object architecture, a digital object has a machine and platform independent structure that allows it to be identified, accessed and protected, as appropriate. A digital object may incorporate not only informational elements, i.e., a digitized version of a paper, movie or sound recording, but also the unique identifier of the digital object and other metadata about the digital object. The metadata may include restrictions on access to digital objects, notices of ownership, and identifiers for licensing agreements, if appropriate.
The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the internet. It includes an open set of protocols, a namespace, and a reference implementation of the protocols. The protocols enable a distributed computer system to store identifiers, known as handles, of arbitrary resources and resolve those handles into the information necessary to locate, access, contact, authenticate, or otherwise make use of the resources. This information can be changed as needed to reflect the current state of the identified resource without changing its identifier, thus allowing the name of the item to persist over changes of location and other related state information. The original version of the Handle System technology was developed with support from the Defense Advanced Research Projects Agency.
A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. OpenID also supports XRIs, which are the basis for i-names.
Risk-based authentication is an application of digital identity whereby multiple entity relationships from the device (e.g., operating system), environment (e.g., DNS server) and data entered by a user for any given transaction are evaluated for correlation with events from known behaviors for the same identity. [14] Analyses are performed based on quantifiable metrics, such as transaction velocity, locale settings (or attempts to obfuscate them), and user-input data (such as ship-to address). Correlation and deviation are mapped to tolerances and scored, then aggregated across multiple entities to compute a transaction risk score, which assesses the risk posed to an organization.
There are proponents of treating self-determination and freedom of expression of digital identity as a new human right. Some have speculated that digital identities could become a new form of legal entity. [15] As technology develops, so does the intelligence of certain digital identities; many believe that, going forward, there should be further development of the legal aspects that regulate online presences and data collection.
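The scoring described above, and the convergence/divergence comparison of a new event against an identity's history mentioned earlier, as an added example that is not code from the article or from any vendor product. Weights, the velocity window, tolerances and decision thresholds are assumed values, and the event history is constructed.

```python
"""Risk-based authentication scoring over the entity relationships the text lists:
device (operating system), environment (DNS resolver, locale), user-entered data
(ship-to address) and transaction velocity. Each metric yields a deviation in
[0, 1]; deviations are weighted and summed into a transaction risk score."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    identity: str
    ts: datetime
    os: str          # device: operating system reported by the client
    dns_server: str  # environment: resolver the client used
    locale: str      # environment: language/region settings
    ship_to: str     # user-entered data: delivery address


# Assumed weights; they sum to 1.0 so the aggregate score stays within [0, 1].
WEIGHTS = {"os": 0.20, "dns_server": 0.15, "locale": 0.20,
           "ship_to": 0.25, "velocity": 0.20}
VELOCITY_WINDOW = timedelta(minutes=10)  # assumed look-back window
VELOCITY_TOLERANCE = 3                   # events in window before penalising


def _novelty(value: str, seen: set[str]) -> float:
    """Deviation 1.0 when this value was never seen for the identity, else 0.0."""
    return 0.0 if value in seen else 1.0


def _velocity(new: Event, history: list[Event]) -> float:
    """Deviation that rises towards 1.0 as events pile up inside VELOCITY_WINDOW."""
    recent = [e for e in history if timedelta(0) <= new.ts - e.ts <= VELOCITY_WINDOW]
    excess = len(recent) + 1 - VELOCITY_TOLERANCE
    return min(1.0, max(0, excess) / VELOCITY_TOLERANCE)


def risk_score(new: Event, history: list[Event]) -> float:
    """Aggregate risk score in [0, 1]; 0.0 means full convergence with history."""
    same = [e for e in history if e.identity == new.identity]
    if not same:
        return 1.0  # no behavioral history to correlate against
    deviations = {
        "os": _novelty(new.os, {e.os for e in same}),
        "dns_server": _novelty(new.dns_server, {e.dns_server for e in same}),
        "locale": _novelty(new.locale, {e.locale for e in same}),
        "ship_to": _novelty(new.ship_to, {e.ship_to for e in same}),
        "velocity": _velocity(new, same),
    }
    return round(sum(WEIGHTS[k] * d for k, d in deviations.items()), 3)


def decision(score: float, allow_below: float = 0.3, step_up_below: float = 0.6) -> str:
    """Map the score to allow / step-up (ask for another factor) / deny; thresholds assumed."""
    if score < allow_below:
        return "allow"
    if score < step_up_below:
        return "step-up"
    return "deny"


# Constructed sample history: one identity with a consistent device and locale.
T0 = datetime(2024, 1, 1, 9, 0)
HISTORY = [
    Event("alice", T0, "Windows 11", "192.0.2.53", "en-GB", "London"),
    Event("alice", T0 + timedelta(days=1), "Windows 11", "192.0.2.53", "en-GB", "London"),
    Event("alice", T0 + timedelta(days=2), "Windows 11", "192.0.2.53", "en-GB", "Manchester"),
]
CONVERGING = Event("alice", T0 + timedelta(days=3), "Windows 11", "192.0.2.53", "en-GB", "London")
PARTIAL = Event("alice", T0 + timedelta(days=3), "Windows 11", "192.0.2.53", "fr-FR", "Paris")
DIVERGING = Event("alice", T0 + timedelta(days=3), "Linux", "198.51.100.1", "ru-RU", "Moscow")
# Constructed burst: four events in four minutes, then a fifth from the same device.
BURST_HISTORY = [Event("bob", T0 + timedelta(minutes=i), "Android", "192.0.2.53", "en-GB", "Leeds")
                 for i in range(4)]
BURST_NEW = Event("bob", T0 + timedelta(minutes=4), "Android", "192.0.2.53", "en-GB", "Leeds")

if __name__ == "__main__":
    for label, ev, hist in (("converging", CONVERGING, HISTORY), ("partial", PARTIAL, HISTORY),
                            ("diverging", DIVERGING, HISTORY), ("burst", BURST_NEW, BURST_HISTORY)):
        s = risk_score(ev, hist)
        print(f"{label:<10} score={s:.3f} -> {decision(s)}")
```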
Digital identity attributes exist within the context of ontologies.
The development of digital identity network solutions that can interoperate taxonomically diverse representations of digital identity is a contemporary challenge. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date, primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single, unstructured layer. However, the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive.
Identity relationships within a digital network may include multiple identity entities. However, in a decentralized network like the Internet, such extended identity relationships effectively require both the existence of independent trust relationships between each pair of entities in the relationship and a means of reliably integrating the paired relationships into larger relational units. And if identity relationships are to reach beyond the context of a single, federated ontology of identity (see Taxonomies of identity above), identity attributes must somehow be matched across diverse ontologies. The development of network approaches that can embody such integrated "compound" trust relationships is currently a topic of much debate in the blogosphere.
Integrated compound trust relationships allow, for example, entity A to accept an assertion or claim about entity B by entity C. C thus vouches for an aspect of B's identity to A.
A key feature of "compound" trust relationships is the possibility of selective disclosure from one entity to another of locally relevant information. As an illustration of the potential application of selective disclosure, let us suppose a certain Diana wished to book a hire car without disclosing irrelevant personal information (using a notional digital identity network that supports compound trust relationships). As an adult, UK resident with a current driving license, Diana might have the UK's Driver and Vehicle Licensing Agency vouch for her driving qualification, age, and nationality to a car-rental company without having her name or contact details disclosed. Similarly, Diana's bank might assert just her banking details to the rental company. Selective disclosure allows for appropriate privacy of information within a network of identity relationships.
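The Diana scenario above, worked through as an added example (not code from the article or from the DVLA): the issuer commits to each claim with its own salted hash and signs the sorted commitment list, the holder reveals only the claims the rental company needs, and the verifier checks the signature and each revealed claim against the commitments. HMAC stands in for the issuer's public-key signature, an assumption made to keep the block dependency-free; a real deployment would use an asymmetric signature so the verifier never holds an issuer secret. The key and Diana's claims are constructed.

```python
"""Selective disclosure of issuer-vouched claims: reveal driving qualification,
age and nationality to a relying party without revealing name or contact details."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _commit(name: str, value, salt: str) -> str:
    # The per-claim salt keeps low-entropy claims (e.g. age_over_18: true)
    # from being guessed from the commitment alone.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(issuer_key: bytes, issuer: str, claims: dict) -> dict:
    """Issuer side: all claims plus a signed, order-hiding list of commitments."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    commitments = sorted(_commit(n, v, s) for n, (s, v) in disclosures.items())
    payload = json.dumps({"issuer": issuer, "commitments": commitments}, sort_keys=True)
    sig = hmac.new(issuer_key, payload.encode(), "sha256").hexdigest()  # signature stand-in
    return {"payload": payload, "sig": sig, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder side: a presentation carrying only the chosen salt/value pairs."""
    return {
        "payload": credential["payload"],
        "sig": credential["sig"],
        "disclosed": {n: credential["disclosures"][n] for n in reveal},
    }


def verify(issuer_key: bytes, presentation: dict) -> dict | None:
    """Verifier side: the disclosed claims if everything checks out, else None."""
    expected = hmac.new(issuer_key, presentation["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None  # payload not vouched for by this issuer
    commitments = set(json.loads(presentation["payload"])["commitments"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _commit(name, value, salt) not in commitments:
            return None  # claim altered or never part of the credential
        verified[name] = value
    return verified


# Constructed sample: what the licensing agency holds about Diana.
DVLA_KEY = b"constructed-issuer-key"
DIANA_CLAIMS = {
    "name": "Diana Example",
    "contact": "diana@example.invalid",
    "driving_licence": "full",
    "age_over_18": True,
    "nationality": "GB",
}
RENTAL_NEEDS = ["driving_licence", "age_over_18", "nationality"]

if __name__ == "__main__":
    cred = issue(DVLA_KEY, "dvla", DIANA_CLAIMS)
    print(verify(DVLA_KEY, present(cred, RENTAL_NEEDS)))
```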
A classic form of networked digital identity based on international standards is the "White Pages".
An electronic white pages links various devices, like computers and telephones, to an individual or organization. Various attributes such as X.509v3 digital certificates for secure cryptographic communications are captured under a schema, and published in an LDAP or X.500 directory. Changes to the LDAP standard are managed by working groups in the IETF, and changes in X.500 are managed by the ISO. The ITU did significant analysis of gaps in digital identity interoperability via the FGidm (Focus Group on Identity Management).
Implementations of X.500 [2005] and LDAPv3 have occurred worldwide but are primarily located in major data centers with administrative policy boundaries regarding sharing of personal information. Since combined X.500 [2005] and LDAPv3 directories can hold millions of unique objects for rapid access, they are expected to play a continued role in large-scale secure identity access services. LDAPv3 can act as a lightweight standalone server, or, in the original design, as a TCP/IP-based Lightweight Directory Access Protocol compatible with making queries to an X.500 mesh of servers which can run the native OSI protocol.
This will be done by scaling individual servers into larger groupings that represent defined "administrative domains", (such as the country level digital object) which can add value not present in the original "White Pages" that was used to look up phone numbers and email addresses, largely now available through non-authoritative search engines.
The ability to leverage and extend a networked digital identity is made more practicable by the expression of the level of trust associated with the given identity through a common Identity Assurance Framework.
Several writers have pointed out the tension between services that use digital identity on the one hand and user privacy on the other.[1][2][3][4][5] Services that gather and store data linked to a digital identity, which in turn can be linked to a user's real identity, can learn a great deal about individuals. The General Data Protection Regulation (GDPR) is one attempt to address this concern through regulation. It was introduced by the European Union (EU) in 2018 to address concerns about the privacy and personal data of EU citizens. GDPR applies to all companies, regardless of location, that handle users within the EU. Any company that collects, stores, and operates with data from EU citizens must disclose key details about the management of that data to EU individuals. EU citizens can also request that certain aspects of their collected data be deleted. [16] To help enforce GDPR, the EU has applied penalties to companies that operate with data from EU citizens but fail to follow the regulation. [17]
Many systems provide privacy-related mitigations when analyzing data linked to digital identities. One common mitigation is data anonymization, such as hashing user identifiers with a cryptographic hash function. Another popular technique is adding statistical noise to a data set to reduce identifiability, such as in differential privacy. Although a digital identity allows consumers to transact from anywhere and more easily manage various ID cards, it also poses a potential single point of compromise that malicious hackers can use to steal all of that personal information.[6]
Hence, several different account authentication methods have been created to protect users. Initially, these authentication methods require the user to set them up in order to enable the security features when attempting a login.
The term 'digital identity' is utilized within the academic field of digital rhetoric to refer to identity as a 'rhetorical construction'. [21] Digital rhetoric explores how identities are formed, negotiated, influenced, or challenged within the ever-evolving digital environments. Understanding different rhetorical situations in digital spaces is complex but crucial for effective communication, as scholars argue that the ability to evaluate such situations is necessary for constructing appropriate identities in varying rhetorical contexts. [22] [23] [24] Furthermore, it is important to recognize that physical and digital identities are intertwined, and the visual elements in online spaces shape the representation of one's physical identity. [25] As Bay suggests, "what we do online now requires more continuity—or at least fluidity—between our online and offline selves". [25]
Regarding the positioning of digital identity in rhetoric, scholars pay close attention to how issues of race, gender, agency, and power manifest in digital spaces. While some radical theorists initially posited that cyberspace would liberate individuals from their bodies and blur the lines between humans and technology, [26] others theorized that this 'disembodied' communication could potentially free society from discrimination based on race, sex, gender, sexuality, or class. [27] Moreover, the construction of digital identity is intricately tied to the network. This is evident in the practices of reputation management companies, which aim to create a positive online identity to increase visibility in various search engines. [21]
Clare Sullivan presents the grounds for digital identity as an emerging legal concept. The UK's Identity Cards Act 2006 confirms Sullivan's argument and unfolds the new legal concept involving database identity and transaction identity. Database identity is the collection of data that is registered about an individual within the databases of the scheme, and transaction identity is a set of information that defines the individual's identity for transactional purposes. Although there is reliance on the verification of identity, none of the processes used are entirely trustworthy. The consequences of digital identity abuse and fraud are potentially serious, since the person may be held legally responsible for them. [28]
Corporations are recognizing the power of the internet to tailor their online presence to each individual customer. Purchase suggestions, personalized adverts, and other tailored marketing strategies are a great success for businesses. Such tailoring, however, depends on the ability to connect attributes and preferences to the identity of the visitor. For technology to enable direct value transfer of rights and non-bearer assets, human agency must be conveyed, including the authorization, authentication, and identification of the buyer and/or seller, as well as "proof of life", without a third party. A solution to confirm legal identities resulted from the financial crisis of 2008. The Global LEI System would be able to provide every registered business in the world with an LEI. The LEI (Legal Entity Identifier) provides businesses with permanent worldwide identification for legal identities.
The LEI [29] is:
Digital death is the phenomenon of people continuing to have Internet accounts after their deaths. This results in several ethical issues concerning how the information stored by the deceased person may be used, stored, or given to family members. It also may result in confusion due to automated social media features such as birthday reminders, as well as uncertainty about the deceased person's willingness to pass their personal information to a third party. Many social media platforms do not have clear policies about digital death. Many companies secure digital identities after death or legally pass those on to the deceased people's families. Some companies will also provide options for digital identity erasure after death. Facebook/Meta is a clear-cut example of a company that provides digital options after death. Descendants or friends of the deceased individual can let Facebook know about the death and have all of their previous digital activity removed. Digital activity includes, but is not limited to, messages, photos, posts, comments, reactions, stories, archived history, etc. Furthermore, the entire Facebook account will be deleted upon request. [30]
Although many facets of digital identity are universal owing in part to the ubiquity of the Internet, some regional variations exist due to specific laws, practices, and government services that are in place. For example, digital identity can use services that validate driving licences, passports and other physical documents online to help improve the quality of a digital identity. Also, strict policies against money laundering mean that some services, such as money transfers need a stricter level of validation of digital identity. Digital identity in the national sense can mean a combination of single sign on, and/or validation of assertions by trusted authorities (generally the government).[ citation needed ]
Countries or regions with official or unofficial digital identity systems include:
Countries or regions with proposed digital identity systems include:
Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into IEEE 802 and IETF standards.
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.
In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
Identity and access management, sometimes also referred to as just Identity management (IdM), is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.
An electronic identification ("eID") is a digital solution for proof of identity of citizens or organizations. They can be used to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.
A credential service provider (CSP) is a trusted entity that issues security tokens or electronic credentials to subscribers. A CSP forms part of an authentication system, most typically identified as a separate entity in a Federated authentication system. A CSP may be an independent third party, or may issue credentials for its own use. The term CSP is used frequently in the context of the US government's eGov and e-authentication initiatives. An example of a CSP would be an online site whose primary purpose may be, for example, internet banking - but whose users may be subsequently authenticated to other sites, applications or services without further action on their part.
Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (e.g., TLS).
An Extended Validation (EV) Certificate is a certificate conforming to X.509 that proves the legal entity of the owner and is signed by a certificate authority key that can issue EV certificates. EV certificates can be used in the same manner as any other X.509 certificates, including securing web communications with HTTPS and signing software and documents. Unlike domain-validated certificates and organization-validation certificates, EV certificates can be issued only by a subset of certificate authorities (CAs) and require verification of the requesting entity's legal identity before certificate issuance.
Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.
An information card is a personal digital identity that people can use online, and the key component of an identity metasystem. Visually, each i-card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The information card metaphor has been implemented by identity selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.
Identity assurance in the context of federated identity management is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity with which it interacts to effect a transaction, can be trusted to actually belong to the entity.
A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate. Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought. It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.
A user profile is a collection of settings and information associated with a user. It contains critical information that is used to identify an individual, such as their name, age, portrait photograph and individual characteristics such as knowledge or expertise. User profiles are most commonly present on social media websites such as Facebook, Instagram, and LinkedIn; and serve as voluntary digital identity of an individual, highlighting their key features and traits. In personal computing and operating systems, user profiles serve to categorise files, settings, and documents by individual user environments, known as ‘accounts’, allowing the operating system to be more friendly and catered to the user. Physical user profiles serve as identity documents such as passports, driving licenses and legal documents that are used to identify an individual under the legal system.
ID.me, Inc. is an American online identity network company that allows people to provide proof of their legal identity online. ID.me digital credentials can be used to access government services, healthcare logins, or discounts from retailers. The company is based in McLean, Virginia.
Digital identity is used in Australia by residents to validate who they are over digital media, such as over the Internet.