Identity 3.0

Identity 3.0 is a term used to define the next generation of digital identity, which moves beyond basic Digital Identity and Identity 2.0. The key principles were defined in 2014 by the Global Identity Foundation, a not-for-profit organisation working to define the components of a global digital identity ecosystem, following on from work by the Jericho Forum started in 2009 and culminating in 2011 with the publication of their Identity, Entitlement & Access Management Commandments. The need to move beyond Identity 2.0 to Identity 3.0 was first identified by Phillip Hallam-Baker in his book The dotCrime Manifesto: How to Stop Internet Crime and echoed in a March 2008 opinion piece by Tim Mather titled "Get ready for Identity 3.0".
Principles of Identity 3.0
The principles behind the asserted need for a paradigm shift in digital identity are outlined in a white paper from the Global Identity Foundation and in a presentation given by Paul Simmonds at an event in London in June 2014.
Risk
1. Decisions around identity are taken by the entity that is assuming the risk, with full visibility of the identity and attributes of all the entities in the transaction chain.
2. Attributes of an Identity will be signed by the authoritative source for those attributes.
3. Identity will work off-line as well as on-line, with a lack of on-line verification simply another factor in the risk equation.
Privacy
4. Every entity shall need only one identity, which is unique and private unto the entity; there will be no body issuing or recording identities.
5. The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
6. Entities will only maintain attributes for which they are the authoritative source.
7. The identity of one entity to another will be cryptographically unique, negating the need for user-names or passwords and minimising attribute aggregation.
8. The biometrics (or other authentication method) of an entity will remain within the sole control of the entity; biometric information will not be used, exchanged or stored outside of the entity's sole control.
Functionality
9. The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
10. The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralised infrastructure.
11. Identity will be simply expandable to encompass the security of data; e-mail (for example) can be encrypted simply by having an entity's e-mail attributes shared with them.
12. Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time that increased levels of user verification are required.
13. Everyone plays their part - no more!
Entity Types
The principles are based on a digital identity working identically and interchangeably for all five entity types: People, Devices, Organizations, Code and Agents; as defined by the Jericho Forum in their Identity, Entitlement & Access Management Commandments. as;
* Making a risk-based decision
* About access to data and/or systems
* Based on the trusted identity and attributes
* Of all the entities and components in the transaction chain
Other Related Work
The implementation of an Entitlement-based Identity 3.0 ecosystem is outlined in the Cloud Security Alliance's document "Security Guidance for Critical Areas of Focus in Cloud Computing v3.0".
The Identity Mixer research supports the privacy-enhancing nature of Identity 3.0 (Principle #5) and, depending on the implementation, Principle #6.
In 2016 ThreatMetrix introduced the concept of the digital identity graph, a data science framework that maps the associations among people, devices, accounts, locations and businesses. The graph is designed to allow businesses to improve end user authentication.
Other Coverage
* Can 'digital identity 3.0' fix security? - John E Dunn (ComputerWorld/IDG)
* Identity 3.0: A Mental Model of Cyber Security - Global Cyber Alliance
* Is digital identity broken? Or can ‘Identity 3.0’ help fix it? - Danny Bradbury (IT World Canada)
* Digital Identity 3.0: The Platform for People - Mertens, Willem & Rosemann, Michael (2015)
* Identity 3.0 - An Industry Update for FinTechWeek 2015 - James Varga, Chief Executive Officer (miiCard)
* The Digital Week - Digital Identity 3.0 #Replay
* From the Jericho Forum Identity Commandments to the New Identity 3.0 Principles - Dazza Greenwood (HumanDynamics/law.MIT.edu)
* Consumers are ready to accept Identity 3.0 - Ian Barker (BetaNews)
* Join us for Digital Identity 3.0 - Queensland Digital Economy Strategy (Queensland Government)
* Trusted Identity - IBM
* Towards Identity 3.0: The Past and Future of Networked Identity - Yury Melkov (ITCua)
* Digital Identity 3.0 - Prof. Marek Kowalkiewicz
 