Identity plays a vital role in every aspect of the universe. Whether it's distinguishing between atoms, molecules, or organisms, the concept of identity is essential. From the tiniest subatomic particles to the largest interconnected structures, identity is key.
The universe has an identity scheme that is easy to use, but never makes a mistake.
When humans started building digital identities, we failed. We created a system where it's possible for multiple users to use the same identity, and as a result, are enmeshed in a relentless battle against identity theft and data breach. Understanding how identity works in the natural world can clarify where things went wrong when humans attempted to replicate this system.
Silicon and Carbon
Silicon and carbon are among the most similar elements on the periodic table. They have some major differences, such as silicon being an inorganic compound, but many of the compounds created using carbon or silicon are almost twins. Carbon is an element of life forms, playing a major role in metabolic processes, while silicon is an element of the machines, serving as a major component for parts, such as semiconductors. They are very similar, but completely different. If you combine a silicon atom with two oxygen atoms and you get sand. Do the same thing with carbon and you get the gas, carbon dioxide. There is never a mistake.
The Social Security Number
Our modern identity problem may have started with the Social Security Number (SSN), which was established by the United States government in 1936 as an accounting function. Early Social Security Cards were clearly printed with the words “Not to be used for identification.” Today the SSN may be the most commonly used numbering system in the United States. To date, the Social Security Administration (SSA) had issued over 457.3 million original SSNs, and nearly every legal resident of the United States had one. The SSN's very universality has led to its adoption throughout government and the private sector as a chief means of identifying and gathering information about an individual. That mistake is now so deeply embedded in our human identity system that it may be impossible to excise it.
Better yet would be a reexamination of where we went wrong in our design approach. Arguably, we did not have a design approach; we morphed and evolved what was largely a manual system that functioned well when the only users were those who met face-to-face in very limited numbers of transactions and likely had some direct personal contact or close connections. Early driver's licenses was basically a photocopied piece of paper that had typed information on it. No identifying connection to me. The same is still true of my original pilot’s license.
When we started digitizing this information, it was not for the purpose of identification but for the convenience of those who had to use the information. That is where the system went off the rails.
Convenience is always a fatal flaw in any system that ultimately will be used for any purpose related to security. If it is convenient, it is convenient for all users and attackers are users, too.
What makes the natural identity system flawless is that a carbon atom can never be a silicon atom. We can and should build our digital security systems in such a way that an attacker can never be a legitimate user. If a simple atom or a virus or bacteria can do it successfully, why can’t we?
Securing Digital Identities
Let’s start by looking at the basics of what it takes for an attacker to function as a legitimate user. The attacker must steal or copy the user's identity information. What if we could design protections around the identity information so it could not be transferred to the attacker? How would we go about doing that? Could we somehow harden the information or store it in such a way that we could deny the attacker access? Our attempts to do so in today's world have proven to be largely unsuccessful. There are myriad ways that attackers routinely use to gain access to identity information in our current technology environment.
What if we made the lifetime of the identity information so short that it only existed in the moment it was needed, and the legitimate user never had a need to access it to begin with? If the useful life is short, it is never stored, and the user can’t give it up, the attacker can’t access it. That sounds like a pretty good idea. If you would like to see that system in action, give QWERX a call.