=== Issuance ===
Digital identities can be issued through digital certificates. These certificates contain data associated with a user and are issued with legal guarantees by recognized certification authorities.
=== Trust, authentication and authorization ===
In order to assign a digital representation to an entity, the attributing party must trust that the claim of an attribute (such as name, location, role as an employee, or age) is correct and associated with the person or thing presenting the attribute. Conversely, the individual claiming an attribute may only grant selective access to its information (e.g., proving identity in a bar or PayPal authentication for payment at a website). In this way, digital identity is better understood as a particular viewpoint within a mutually agreed relationship than as an objective property.
==== Authentication ====
Authentication is the assurance of the identity of one entity to another. It is a key aspect of digital trust. In general, business-to-business authentication is designed for security, but user-to-business authentication is designed for simplicity. Authentication techniques include the presentation of a unique object such as a bank credit card, the provision of confidential information such as a password or the answer to a pre-arranged question, the confirmation of ownership of an email address, and more robust but costly techniques using encryption. Physical authentication techniques include iris scanning, fingerprinting, and voice recognition; those techniques are called biometrics. The use of both static identifiers (e.g., username and password) and personal unique attributes (e.g., biometrics) is called multi-factor authentication and is more secure than the use of one component alone. Whilst technological progress in authentication continues to evolve, these systems do not prevent aliases from being used. The introduction of strong authentication for online payment transactions within the European Union now links a verified person to an account, where such a person has been identified in accordance with statutory requirements prior to the account being opened. Verifying a person opening an account online typically requires a form of device binding to the credentials being used. This verifies that the device that stands in for a person on the Internet is actually the individual's device and not the device of someone simply claiming to be the individual. The concept of reliance authentication makes use of pre-existing accounts to piggyback further services upon those accounts, provided that the original source is reliable. The concept of reliability comes from various anti-money laundering and counter-terrorism financing legislation in the US, EU28, Australia, Singapore and New Zealand, where second parties may place reliance on the customer due diligence process of the first party, where the first party is, say, a financial institution. An example of reliance authentication is PayPal's verification method.
==== Authorization ====
Authorization is the determination, by the entity that controls a resource, that an authenticated entity may access that resource. Authorization depends on authentication, because it requires that the critical attribute (i.e., the attribute that determines the authorizer's decision) be verified. For example, authorization on a credit card gives access to the resources owned by Amazon, e.g., Amazon sends one a product. Authorization of an employee will provide that employee with access to network resources, such as printers, files, or software. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Consider the person who rents a car and checks into a hotel with a credit card. The car rental and hotel company may request authorization that there is enough credit for an accident, or for profligate spending on room service. Thus a card may later be refused when trying to purchase an activity such as a balloon trip. Though there is adequate credit to pay for the rental, the hotel, and the balloon trip, there is an insufficient amount to also cover the authorizations. The actual charges are authorized after leaving the hotel and returning the car, which may be too late for the balloon trip. Valid online authorization requires analysis of information related to the digital event, including device and environmental variables. These are generally derived from the data exchanged between a device and a business server over the Internet.
=== Verification ===
While there are various forms of verification systems on different platforms, several open web-based solutions use a web standard microformat called rel="me".
==== Rel="me" verification ====
The rel="me" value is an HTML link relationship attribute used to indicate that two web resources represent the same person or entity. It originated as part of early web microformats and has been used in decentralized identity systems to associate profiles and websites controlled by a single individual. The rel="me" value is part of the HTML rel attribute, which defines relationships between linked resources. The me relation indicates identity equivalence between the current page and the linked page. The attribute was introduced through the XHTML Friends Network (XFN), a microformat designed to express relationships between people and web resources. When two pages link to each other using rel="me", software systems can interpret this as evidence that both are controlled by the same entity.
===== Rel="me" use in identity verification =====
Although this standard exists beyond the platforms known as the Fediverse, the most prominent use of rel="me" is in decentralized identity verification systems within the Fediverse and Mastodon. Online reporters such as The Markup have noted the importance of this system, as they used it on their own accounts. They write: ''"One Twitter alternative's verification system is simple, open, and free...In comparison [to Twitter's verification system], there is an elegant simplicity to the verification approach used by Mastodon, the Twitter-like alternative social network that we've been trying out at The Markup. Rather than attempt to verify the person behind the keyboard, Mastodon offers a mechanism for external websites to claim an account as being affiliated using a green background and check mark icon. In other words, Mastodon makes no claims about who an account belongs to, just that a particular website has vouched for it."''
Mashable writers describe the user experience of verifying this way on Mastodon: "So, if you put a link in your Mastodon profile, the company...checks if the linked page links back to your Mastodon profile. If so, you get a verification checkmark next to that link, since you are confirmed as the owner...The company does this by checking the rel="me" attribute — a standard way to check whether or not a linked website belongs to a user on a third party site."
===== Adoption and use of Rel="me" beyond Mastodon =====
Use of rel="me" is most common in decentralized and open web ecosystems, but it is supported on platforms such as:
• Social networks such as Mastodon, Flipboard, Medium, Pixelfed, Loops, and Threads.
• IndieWeb identity and authentication systems, including Automattic's Gravatar.
• GitHub supports it in its profile system.
• Wikipedia itself uses rel="me" for its user pages, and Wikimedia documents its support via the rel-me extension.
• Website publishing services such as Micro.blog support it, as does WordPress.com.
• Within the IndieWeb ecosystem, rel="me" is used to link multiple profiles and domains representing the same individual, and forms part of authentication approaches such as IndieAuth.
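The bidirectional check described above (a profile claims a site, and the site links back with rel="me"), as an added example that is not Mastodon's own code. It uses only the Python standard library, works on HTML passed in as strings (fetching the pages is left out so it runs offline), and the profile and homepage contents are constructed sample data, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

class RelMeParser(HTMLParser):
    """Collect href targets of <a> and <link> elements whose rel tokens include "me"."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()  # rel may carry several tokens
        if "me" in rel_tokens and attr.get("href"):
            self.targets.append(attr["href"])

def normalize(url):
    """Canonical form for comparison: lowercase scheme and host, drop fragment and trailing slash."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))

def rel_me_links(html):
    """Set of normalized rel="me" targets found in an HTML document."""
    parser = RelMeParser()
    parser.feed(html)
    return {normalize(t) for t in parser.targets}

def verify_rel_me(profile_url, profile_html, site_url, site_html):
    """Verified only if the profile claims the site AND the site links back, both with rel="me".
    A one-directional link proves nothing: anyone can add rel="me" to a page they control."""
    forward = normalize(site_url) in rel_me_links(profile_html)
    back = normalize(profile_url) in rel_me_links(site_html)
    return forward and back

# Constructed sample pages (not real sites): a Mastodon-style profile and a personal homepage.
PROFILE_URL = "https://mastodon.example/@diana"
PROFILE_HTML = '<a rel="me nofollow noopener" href="https://diana.example/">Website</a>'
SITE_URL = "https://diana.example"
SITE_HTML = '<link rel="me" href="https://mastodon.example/@diana">'
# A homepage that links to the profile without rel="me": an ordinary link, not a claim of ownership.
UNVERIFIED_HTML = '<a href="https://mastodon.example/@diana">my profile</a>'

if __name__ == "__main__":
    print(verify_rel_me(PROFILE_URL, PROFILE_HTML, SITE_URL, SITE_HTML))        # True
    print(verify_rel_me(PROFILE_URL, PROFILE_HTML, SITE_URL, UNVERIFIED_HTML))  # False
```

The normalization step matters in practice: a profile entering "https://diana.example" and a homepage serving "https://Diana.Example/" still describe one site, while a back-link on any URL other than the claimed one must not count.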
=== Digital identifiers ===
Digital identity requires digital identifiers: strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). Identifiers may be classified as omnidirectional or unidirectional. Omnidirectional identifiers are public and easily discoverable, whereas unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship. Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or email address, may be easily dereferenced into the entity they represent, or into some current state data providing relevant attributes of that entity. Non-resolvable identifiers, such as a person's real name, or the name of a subject or topic, can be compared for equivalence but are not otherwise machine-understandable. There are many different schemes and formats for digital identifiers. The Uniform Resource Identifier (URI) and its internationalized version, the Internationalized Resource Identifier (IRI), are the standard for identifiers for websites on the World Wide Web. OpenID and Light-weight Identity are two web authentication protocols that use standard HTTP URIs (often called URLs). A Uniform Resource Name is a persistent, location-independent identifier assigned within a defined namespace.
==== Digital object architecture ====
Digital object architecture is a means of managing digital information in a network environment. In digital object architecture, a digital object has a machine- and platform-independent structure that allows it to be identified, accessed and protected, as appropriate. A digital object may incorporate not only informational elements, i.e., a digitized version of a paper, movie or sound recording, but also the unique identifier of the digital object and other metadata about the digital object. The metadata may include restrictions on access to digital objects, notices of ownership, and identifiers for licensing agreements, if appropriate.
==== Handle System ====
The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the Internet. It includes an open set of protocols, a namespace, and a reference implementation of the protocols. The protocols enable a distributed computer system to store identifiers, known as handles, of arbitrary resources and resolve those handles into the information necessary to locate, access, contact, authenticate, or otherwise make use of the resources. This information can be changed as needed to reflect the current state of the identified resource without changing its identifier, thus allowing the name of the item to persist over changes of location and other related state information. The original version of the Handle System technology was developed with support from the Defense Advanced Research Projects Agency.
==== Extensible resource identifiers ====
A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. OpenID also supports XRIs, which are the basis for i-names.
=== Risk-based authentication ===
Risk-based authentication is an application of digital identity whereby multiple entity relationships from the device (e.g., operating system), the environment (e.g., DNS server) and the data entered by a user for any given transaction are evaluated for correlation with events from known behaviors for the same identity. Analyses are performed based on quantifiable metrics, such as transaction velocity, locale settings (or attempts to obfuscate them), and user-input data (such as ship-to address). Correlation and deviation are mapped to tolerances and scored, then aggregated across multiple entities to compute a transaction risk score, which assesses the risk posed to an organization.
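A worked version of the scoring described above, added here as an illustration rather than any vendor's implementation: each of the entities named in the text (device, DNS server, locale, ship-to address, transaction velocity) is compared with the identity's known behavior, deviations are weighted and aggregated into one score, and the score is mapped to a decision. The baseline, weights, thresholds and transactions are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class KnownBehavior:
    """Baseline derived from an identity's past events (constructed for this example)."""
    devices: set          # operating system / browser combinations seen before
    dns_servers: set      # resolver addresses observed in earlier sessions
    locales: set          # locale settings used before
    ship_to: set          # shipping addresses used before
    max_tx_per_hour: int  # velocity tolerance derived from history
# Weight each deviating entity contributes; the aggregate is capped at 100.
WEIGHTS = {"device": 30, "dns": 15, "locale": 20, "ship_to": 25, "velocity": 35}

def score_transaction(baseline, tx):
    """Compare one transaction's signals with the baseline and return (score, deviations)."""
    deviations = []
    if tx["device"] not in baseline.devices:
        deviations.append("device")
    if tx["dns_server"] not in baseline.dns_servers:
        deviations.append("dns")
    # A missing locale (an attempt to obfuscate it) is scored like an unknown locale.
    if tx["locale"] is None or tx["locale"] not in baseline.locales:
        deviations.append("locale")
    if tx["ship_to"] not in baseline.ship_to:
        deviations.append("ship_to")
    if tx["tx_last_hour"] > baseline.max_tx_per_hour:
        deviations.append("velocity")
    score = min(100, sum(WEIGHTS[d] for d in deviations))
    return score, deviations

def decide(score, step_up=40, deny=70):
    """Map the aggregate risk score to an action: allow, require a further factor, or deny."""
    if score >= deny:
        return "deny"
    if score >= step_up:
        return "step_up"
    return "allow"

# Constructed baseline and transactions (sample data, not from any real system).
BASELINE = KnownBehavior({"Windows 11 / Chrome"}, {"192.0.2.53"}, {"en-GB"},
                         {"1 High St, Leeds"}, max_tx_per_hour=3)
USUAL_TX = {"device": "Windows 11 / Chrome", "dns_server": "192.0.2.53", "locale": "en-GB",
            "ship_to": "1 High St, Leeds", "tx_last_hour": 1}
ANOMALOUS_TX = {"device": "Android / unknown", "dns_server": "192.0.2.53", "locale": None,
                "ship_to": "PO Box 99, elsewhere", "tx_last_hour": 7}

if __name__ == "__main__":
    print(score_transaction(BASELINE, USUAL_TX), score_transaction(BASELINE, ANOMALOUS_TX))
```

A single deviation (a new DNS resolver, score 15) stays below the step-up threshold, which is the point of aggregating: one changed signal is ordinary, several at once is what the score is designed to catch.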
=== Taxonomies of identity ===
Digital identity attributes exist within the context of ontologies. The development of digital identity network solutions that can interoperate across taxonomically diverse representations of digital identity is a contemporary challenge. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date, primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single, unstructured layer. However, the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive.
=== Networked identity ===
Identity relationships within a digital network may include multiple identity entities. However, in a decentralized network like the Internet, such extended identity relationships effectively require both the existence of independent trust relationships between each pair of entities in the relationship and a means of reliably integrating the paired relationships into larger relational units. And if identity relationships are to reach beyond the context of a single, federated ontology of identity (see Taxonomies of identity above), identity attributes must somehow be matched across diverse ontologies. The development of network approaches that can embody such integrated "compound" trust relationships is currently a topic of much debate in the blogosphere. Integrated compound trust relationships allow, for example, entity A to accept an assertion or claim about entity B by entity C. C thus vouches for an aspect of B's identity to A. A key feature of "compound" trust relationships is the possibility of selective disclosure from one entity to another of locally relevant information. As an illustration of the potential application of selective disclosure, let us suppose a certain Diana wished to book a hire car without disclosing irrelevant personal information (using a notional digital identity network that supports compound trust relationships). As an adult UK resident with a current driving licence, Diana might have the UK's Driver and Vehicle Licensing Agency vouch for her driving qualification, age, and nationality to a car-rental company without having her name or contact details disclosed. Similarly, Diana's bank might assert just her banking details to the rental company. Selective disclosure allows for appropriate privacy of information within a network of identity relationships.
A classic form of networked digital identity based on international standards is the "White Pages". An electronic white pages links various devices, like computers and telephones, to an individual or organization. Various attributes such as X.509v3 digital certificates for secure cryptographic communications are captured under a schema and published in an LDAP or X.500 directory. Changes to the LDAP standard are managed by working groups in the IETF, and changes in X.500 are managed by the ISO. The ITU did significant analysis of gaps in digital identity interoperability via the FGidm (focus group on identity management). Implementations of X.500[2005] and LDAPv3 have occurred worldwide but are primarily located in major data centers with administrative policy boundaries regarding sharing of personal information. Since combined X.500[2005] and LDAPv3 directories can hold millions of unique objects for rapid access, they are expected to play a continued role for large-scale secure identity access services. LDAPv3 can act as a lightweight standalone server, or, in the original design, as a TCP/IP-based Lightweight Directory Access Protocol compatible with making queries to an X.500 mesh of servers which can run the native OSI protocol. This will be done by scaling individual servers into larger groupings that represent defined "administrative domains" (such as the country-level digital object), which can add value not present in the original "White Pages" that was used to look up phone numbers and email addresses, largely now available through non-authoritative search engines. The ability to leverage and extend a networked digital identity is made more practicable by the expression of the level of trust associated with the given identity through a common Identity Assurance Framework.

== Social aspects ==