Anil John
Making Digital Services Secure and Trustworthy

The Value of Sameness in a World Demanding Identity


Two terms often used interchangeably in our community are Credential and Token. They are not the same, because what each is able to assert online is not the same. This blog post looks a bit deeper at that distinction and at the value a Token provides to both individuals and relying parties.

All too often, the natural inclination of those who build high-value online services is to demand identity up front as a precondition for service delivery. The justification is that doing this 'account setup' up front makes the later conversion to identity-driven service delivery easier (for the Relying Party).

The classic failure case for this thinking was the first iteration of HealthCare.gov, as documented in the UX analysis done by the Nielsen Norman Group. That has since been addressed, but it remains a clear example of the value of separating the need for 'Sameness' (provided by a Token) from the need for 'Identity' (provided by a Credential).

  • Token: Something that an individual possesses and controls, used to authenticate the individual, and protected by one or more of the traditional authentication factors (something you know, have, or are)
    • Tokens answer the question 'Are you the same person I encountered before?' (without revealing who that person is)
  • Credential: An object or data structure that authoritatively binds an identity to a token possessed and controlled by an individual
    • Credentials answer the question 'Who are you?'

Separating the two, and having a clear process for moving from Token usage to Credential usage, provides benefits to both individuals and relying parties:

Benefits to the Individual
  • Anonymous or pseudonymous usage, since a Token carries only a MBUN (Meaningless But Unique Number) as its identifier
  • Ability to bring your own strong token to the relying party
  • The UX of transitioning from token to credential usage is familiar, e.g. "Please create an account or log in to your account to check out!"

Benefits to the Relying Party
  • Ability to leverage strong Token types that ensure the individual who received the token continues to control it
  • Ability to bring to bear identity proofing and compensating controls commensurate with the relying party's risk profile
  • Ability to deliver a familiar UX when transitioning from token to credential usage, keeping the user journey friction-free
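The following is an added example, not code from the original post: a relying-party-side model of the Token / Credential split described above. A Token record is keyed only by an MBUN and supports a proof-of-possession check that answers "are you the same token holder as before?"; a Credential is a separate record that binds proofed identity attributes to that MBUN, created only after the holder has just proven control of the token. The MBUN never changes, so pseudonymous history and identity-bound history line up without re-registration. To run on the standard library alone, the token is modelled as a symmetric HMAC key shared between holder and relying party (an assumption of this example; a possession-based token such as an asymmetric authenticator would keep the private key with the holder and the relying party would store only the public key, with the same flow). The identity attributes and proofing-level string are constructed for the demo.

```python
"""Relying-party model of Tokens (sameness) versus Credentials (identity)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class TokenRecord:
    mbun: str                              # meaningless but unique identifier
    verifier: bytes                        # HMAC key (assumption: symmetric token)
    pending_nonce: Optional[bytes] = None  # single-use challenge, burned on use
    authenticated: bool = False            # control proven in the current session


@dataclass
class Credential:
    mbun: str              # the token this identity is bound to
    identity: dict         # proofed attributes
    proofing_level: str    # how the identity was established


class RelyingParty:
    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}
        self.credentials: Dict[str, Credential] = {}

    # --- Token lifecycle: sameness only ---------------------------------
    def issue_token(self) -> Tuple[str, bytes]:
        """Create a token with no identity attached; returns (MBUN, holder key)."""
        mbun = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.tokens[mbun] = TokenRecord(mbun=mbun, verifier=key)
        return mbun, key

    def challenge(self, mbun: str) -> bytes:
        """Issue a fresh nonce; any earlier authentication state is reset."""
        rec = self.tokens[mbun]
        rec.pending_nonce = secrets.token_bytes(16)
        rec.authenticated = False
        return rec.pending_nonce

    def authenticate(self, mbun: str, response: bytes) -> bool:
        """Answer 'are you the same token holder as before?' without asking who."""
        rec = self.tokens.get(mbun)
        if rec is None or rec.pending_nonce is None:
            return False                   # unknown token or nonce already consumed
        expected = hmac.new(rec.verifier, rec.pending_nonce, hashlib.sha256).digest()
        rec.pending_nonce = None           # burn the nonce so the response cannot be replayed
        rec.authenticated = hmac.compare_digest(expected, response)
        return rec.authenticated

    # --- Credential lifecycle: identity ---------------------------------
    def bind_identity(self, mbun: str, identity: dict, proofing_level: str) -> Credential:
        """Bind proofed identity to a token whose holder has just proven control of it."""
        rec = self.tokens[mbun]
        if not rec.authenticated:
            raise PermissionError("bind only to a token whose holder is present")
        if mbun in self.credentials:
            raise ValueError("token is already bound to an identity")
        cred = Credential(mbun=mbun, identity=dict(identity), proofing_level=proofing_level)
        self.credentials[mbun] = cred
        return cred

    def who_are_you(self, mbun: str) -> Optional[dict]:
        """None while the token is pseudonymous; the identity once a credential exists."""
        cred = self.credentials.get(mbun)
        return None if cred is None else cred.identity


def holder_respond(key: bytes, nonce: bytes) -> bytes:
    """What the token holder computes from the challenge (proof of possession)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Walk one token from pseudonymous use to identity-bound use."""
    rp = RelyingParty()
    mbun, key = rp.issue_token()

    # Visit 1: sameness is checked, identity is never requested.
    first = rp.authenticate(mbun, holder_respond(key, rp.challenge(mbun)))
    anon = rp.who_are_you(mbun)

    # A different key (someone else claiming the MBUN) fails the same check.
    other = rp.authenticate(mbun, holder_respond(secrets.token_bytes(32), rp.challenge(mbun)))

    # Replaying a response that already consumed its nonce also fails.
    resp = holder_respond(key, rp.challenge(mbun))
    rp.authenticate(mbun, resp)
    replay = rp.authenticate(mbun, resp)

    # "Please create an account to check out": prove possession, then bind proofed identity.
    rp.authenticate(mbun, holder_respond(key, rp.challenge(mbun)))
    rp.bind_identity(mbun, {"name": "A. Example"}, "document-verified")  # constructed values
    return {"first": first, "anon": anon, "other": other, "replay": replay,
            "identity": rp.who_are_you(mbun), "mbun_unchanged": mbun in rp.tokens}
```

The point the code makes concrete is that `authenticate` never consults the credential store and `who_are_you` never consults the token verifier: the relying party can run the first indefinitely with only an MBUN on file, and the second only becomes meaningful once `bind_identity` has been performed while the holder was demonstrably in control of the token.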

Question: Is it possible to ensure that the same person has maintained control of a token without a strong process for the initial binding of the person to the token?


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

