Murderous Twins and the Two Faces of Identity

Posted on 16 December 2014 by Joseph Turner

How do we prove our identity? What makes us unique, and how can we display that uniqueness to others? As animals, our physical bodies, our genetic makeup offers one answer, but it is potentially fallible: what about identical twins? If two identical twins went on a camping trip and only one returned, how could we tell which twin it was?1 And beyond identical twins, biometric identity verification would be awkward to implement uniformly at scale, and it poses privacy issues.

A second possibility is our knowledge, or more broadly, our possessions. This is what we use most often in our daily lives. We bring our social security card in to get a drivers license, then we use that drivers license to open a bank account. We use the credit card we are issued to make a purchase. When we call the bank, we recount our last three purchases to prove we are indeed the person named on the account. Though much more practical, this too is fallible, as evidenced by a never ending rash of social engineering attacks and stolen bank information. To return to our evil twin, perhaps you could quiz her on some details of her supposed life. This would only smoke her out in the case where she hadn't done her research.

How do we catch this devilish Mary Kate (or was it Ashley?). The evil twin returns to "her" life, with a husband and two kids. After a couple weeks, she returns to work. She seems different at first, but that's to be expected after such a traumatic experience. After a while though, it starts to get weird. She quits her book club that she loved so much. She can't remember her inside jokes with her husband. The songs she sings her kids at night are different songs. With every day, her real identity becomes more apparent: she isn't who she says she is.

And this brings us to our third indicator of our identities: our actions. In everything we do we display facets of our accumulated knowledge, experience, and idiosyncrasies. Individually, these activities prove nothing, but combined they define our identity in a way that is very hard to fool. Though she might hold up to our initial scrutiny with enough information, it would be basically impossible for her to act consistently like her sister all day, every day.

The two aspects of online identity

Online, without physical form, we are all identical twins. With no physical differentiation, our identities live solely in the context of our knowledge and our possessions. As a consequence, our online identities have two aspects: identity as resource and identity as actor2.

Identity as resource

By passing an identity challenge, whether it's entering your password, entering a texted authentication code, or copying the numbers from your RSA token, you are granted your identity resource. The resource allows the holder to perform the actions granted to that identity. This process is called authentication.

Historically, much effort has gone into building the fortifications surrounding the identity resource. In the recent past (and for many, still to this day), enterprises kept all resources behind the firewall, requiring physical presence (or the secret handshake of a VPN) to even get the opportunity to try and prove your identity.

The move to the cloud has made limiting access in this way much trickier. Without physically limited access, much work has gone into improving the challenge itself. Two-factor authentication and related technologies are modern-day attempts to make access to the identity resource more selective. Unfortunately, they also make it harder to make legitimate identity claims. Though its easy to gloss over it, this is a serious barrier to usability. Like the firewall that came before, it seems like a trade-off many companies are willing to make. Also like the firewall, it isn't foolproof.

Identity as actor

We need more. We need the online equivalent of the concerned husband, the suspicious coworkers, and the irate book club. We need insight into the second face of identity online, one that has been ignored too long: identity as actor.

As in real life, our actions online create and define our identities, as unique as our fingerprints. Like our evil twin, an attacker who has passed the challenge and acquired the identity resource must act consistently with their assumed identity or risk detection - assuming, that is, that the actions are being observed and the differences are being noticed.

The problem is, of course, that it is really tough to monitor our online identities! We take actions across a range of services, some of which in fact use different identity resources, often using several services at the same time. In general, these services are not controlled by the same party, and our actions on a given service are not visible to other identities or other services. As a result, it can be very difficult to get a clear picture of the actions taken by an identity online.

Ultimately, we need protection mechanisms around both faces of our online identities. We need adaptive authentication to provide safety around the identity resource without breaking workflows, introducing confusion, and crippling usability. We also need identity analytics to notice an attacker's errant behavior and adaptive access control to respond to our suspicions as they grow stronger.

With Interlock we at Mobile System 7 believe that we are providing the first unified platform for all three of the above protections, across services, and across identities. You can be confident that no evil twin is stealing your identity, because we'll be there to notice when they don't show up at book club or forget to laugh at the inside jokes. Metaphorically speaking, of course.

Have questions or comments? Hit me up on Twitter. Interested in changing the face of identity with us? Send me your resume.

1: It turns out that identical twins have different fingerprints, but have you ever had your fingerprints taken? I haven't.

2: Why is that a consequence of our online presence? In the real world, after we have proven our identities, say by showing our drivers license, our faces become a token of our identities. If we open a bank account today, the teller will remember our face tomorrow, obviating the need for a second challenge. Online, we have a similar capability, cookies. However, as we move across devices we don't carry our cookies with us, unlike our faces. As a result, online our proof of identity is required semi-regularly before we can take action.

Copyright © 2014 Mobile System 7 -