9. Self-managed Identity
User Driven Services let users manage their own online identity.
Unless we control our identity online, we risk unnecessary exposure to identity theft and unwanted correlation of online activity. At the same time, online services increase the risk of attacks when using the same identifier for multiple functions.
User Driven Services allow users to be in maximum control of their identity by distinguishing between the four different types of identifiers used online:
- Authentication IDs
- Presentation IDs
- Reference IDs
- Internal IDs
Users should be able choose their own third-party identity service and have complete control over the three external identifiers used by any User Driven Service: their authentication IDs, their reference IDs, and their presentation IDs. The internal ids relating these external identifiers should never be exposed. Identity Providers should operate in non-correlation modes—so that different services providers automatically receive different authentication tokens, and all presentation IDs should be hand selected by the user for each service whenever possible.
The ideal service will enable intentional correlation only upon user directive, allowing individuals to claim blog posts, social profiles, and microblogging accounts as their own, after initially anonymous or psuedonymous use. Services are also more flexible when they allow users to use multiple distinct identifiers within a given class, e.g., having more than one email address or online chat handle. Finally, when possible, services should allow for anonymous and anonymized use.
OpenID allows users to use a third party service for Single Sign On at millions of websites, bypassing potentially millions of usernames and passwords. Information Cards allow “clicking in” to relying websites rather than logging in, using the credentials and authentication of third party Identity Providers. Azigo’s RemindMe service allows users to selectively activate membership credentials, such as AAA or AARP affiliation, on specific websites for special offers and discounts—without divulging such affiliations to the website in question.
- Does the service allow third party identity providers for managing authentication?
- Does the service fully distinguish all four identifiers used in online identy:
- Authentication ID–used for logins
- Presentation ID–used for labelling authorship and ownership
- Reference ID–used for referring to specific users, e.g., for sending messages
- Internal ID–used internally to link the other three IDs to each other and to appropriate privileges.
- Does the service allow users to modify and manage the three exposed identifiers: Authentication, Presentation, and Reference?
- Does the service allow users to have multiple identifiers in the same class, such as two email addresses or multiple chat handles?
- Impulse from the User
- Data Portability
- Service Endpoint Portability
- Self Hosting
- User Generativity
- Self-managed Identity
- Duty of Care
One more to go…This material is based upon work supported by the National Science Foundation under Award Number IIP-08488990. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author and do not necessarily reflect teh views of the National Science Foundation.