The endless identity problem
Identities in the digital world
A quick search online for the definitions of “identity” and “identity management (IdM)” reveals an underlying issue about the relation of these terms in the digital world. The first defines identity as “the distinguishing character or personality of an individual”, while the second (identity management) describes “a framework of policies and technologies for ensuring that the right users (in an enterprise) have the appropriate access to technology resources”. The hidden issue we are referring to is that, even though identities are supposed to distinguish individuals (users), their creation and management takes place inside specific contexts, following the requirements of services. Identities today are more of a company resource than a representation of the person behind them.
The result is the proliferation of users’ identities and identity-related data, which are scattered across different domains and locations and are only meaningful within the service context in which they are used. Across different service contexts, users’ identities appear as unassociated pieces of information that can neither be attributed to the same user nor be exchanged among those contexts. Adding to this the continuous growth of digital services and domains, it is clear why the list of “Identity Management problems” (diverse administration models, rigid processes for provisioning and deprovisioning identities, user password fatigue etc.) keeps growing at a fast pace.
Multiple efforts have tried to address the various aspects of the IdM problem, but these solutions (usually the outcome of independent groups) examine the problem from different perspectives, narrow contexts and eventually different requirements. The result is a diversification of IdM solutions with serious interoperability issues among the emerging IdM islands. Attempts to integrate these islands (creating the so-called Identity Federations) aggravate rather than solve the problem. Connecting different federations into bigger ones recursively introduces new identities, formats, procedures and eventually new federations. This is because a federation is usually the result of a business agreement that serves very specific “non-technical” purposes. Thus, its IdM solution will always be tightly coupled with very specific requirements and features of the services it provides.
Creating new services, identities and federations is a healthy practice and allows communities to design and develop customized solutions according to their own requirements. However, trying to tackle the problem of identity proliferation and interoperability by creating bigger and bigger federations in a “fractal”-like fashion will always lead to dead ends and serious scalability issues. Likewise, approaches that rely on commonly accepted global identifiers have proven to produce an endless series of global IDs from different parties, each trying to enforce its own solution.
A different approach
The digital world is a highly dynamic environment, and new business and service agreements between diverse contexts will constantly be formed at an ever-increasing rate. Identities and their associated data will always play a key role in this environment and will be exchanged among applications and services. So, there is a need for a unified solution capable of supporting on-demand identity services for any given case. Nevertheless, the diversity of identity problems that appear today in various environments makes the quest for “a universally accepted global IdM system” a mission impossible. There are simply too many different services, use cases, agreements with different requirements, and versions of the identity problem. Moreover, the constant formation of new services and communities will endlessly impose additions and modifications to such a system.
A closer look at the problem, however, reveals that there is no need for everyone to implement and adopt all the identity solutions for all identity-related services or operations. The actual need is to have the identity solutions for the services one provides or uses. Thus, a global identity solution should not try to create one large system that “does everything”. A global identity solution must empower a provider to deal with its own identity issues. Assuming that existing providers most likely already participate in small-scale identity systems, they have already implemented many (if not all) of the identity procedures necessary to exchange information for their specific services. The problem that remains to be solved on the way to a global solution is therefore how these providers can unconditionally find the correct information they currently need to complete an operation. In other words, we argue that the global identity solution is not an IdM system, but an association of identity-related concepts (identities, IdM systems, attributes etc.) that will enable identity data, until now restricted to predefined administrative areas, to be dynamically visible and accessible outside their domains. This association can be realized through a global identity discovery mechanism which does not store the above data but holds information about how they are related and where they are actually located.
University of Patras (UP) has been working on a unified identity discovery system and has proposed an initial architecture. This architecture is technically sound but not easy to adopt, since it requires the implementation of a global-scale distributed framework as well as the active involvement of users, service providers, authorities etc. The suggested solution influenced various discussions across standardization fora about the need for and requirements of such a system. Within the context of the CONCORDIA project, UP is redesigning the proposed architecture, trying to take advantage of large-scale distributed technologies, e.g. blockchain networks and smart contracts.
(By Dr Konstantinos Lampropoulos, University of Patras, Greece – Prof Spyros Denazis, University of Patras, Greece)