


If five years ago digital identity was still a bit exotic, today it feels casual. It feels like everyone is working on it, so it is reasonable to assume that the existing solutions are resilient and robust. However, existing solutions are hardly ever usable and incredibly insecure (with maybe one exception that you won’t like). In this article, I dissect identity both vertically and horizontally and suggest a couple of options for how it could work.
Identity is a ‘pointer’ to a particular physical human body: we have an anonymous human body and we want to know who it is.
There are formal and informal identity recognition processes.
A formal one is the government-issued ID. If someone wants to identify me, I give them the ID card with name, picture, date of birth and some ‘proof’ of being an official government-issued ID.
Formal identity (at least while we are speaking about ID cards and passports) is usually hard to forge but forgeable overall. For example, to forge a passport, one has to take an existing valid passport of a real human and change the picture in a way that makes it impossible to guess that the picture was changed. Another option is to get access to the authentic materials that are usually used to create passports and replicate whatever should be replicated with them (paper, ink, stamps, dates, signatures, etc.).
This can’t be done in a DIY manner at home and probably requires some semi-official engagement (you know, we live in a fun geopolitical landscape:)
Informal identification relies on one’s knowledge of what this physical body is called. For example, parents of a 20yo are usually quite sure that this is exactly the human body they gave birth to, because they observe this body on a regular basis (every day?), so it can hardly ever be swapped for another body (considering we can’t manufacture super similar bodies on demand, and I believe this is still a realistic assumption).
Even grandma and grandpa who probably observe the body once per week/two weeks can identify with almost 100% accuracy that this is still the same body.
However, from real world experience, we can see it often fails on identical twins. Which should not be the case because even though they look similar they behave quite differently.
Informal identification means observing appearance and behaviour at a regular cadence and checking them against all previous observations.
It somehow happened that around 50 years ago someone invented the internet and then we (as humanity) somehow adopted it. Which brought us to the need to have a digital identity.
Previously identity related to ‘this physical body’ (you can touch), now it relates to ‘this physical body behind the screen’ (you can’t touch but you can ask it to perform different actions).
But the identity we actually need is a blended identity: where the same physical body sometimes wants to be identified in person and sometimes behind the screen.
The obvious (and logical) way of thinking about digital identity is this: how can we map a physical body into a unique digital identifier? And here things become interesting. At first glance, we have a lot of options.
Option one – fingerprints. I remember 15 years ago, for the study visa in the UK, they were already taking my fingerprints.
Option two – face recognition (including this turn face left turn face right do this do that exercise). Utilized today by both Apple and Google for payments.
Option three – iris scanning. Utilized by the border control in UAE.
Option four – voice recognition. Utilized by HSBC and Barclays as an official identification method.
As well as more exotic options such as the vein pattern under palm skin (Amazon experimented with it), the blood vessel pattern at the back of the eye (US military), the shape and size of the hand such as finger length and palm width (employee access in some systems), walking pattern such as stride, posture, and movement (utilized by Chinese surveillance systems), keystroke dynamics, i.e. typing rhythm such as speed, pressure, and pauses between keys (utilized by some banks during online sessions for fraud detection), etc.
The problem is that all of these methods work most of the time but not all of the time. And identity is a very sensitive matter that should work all of the time, or the share of failures should be negligible.
Not listing everything, but as an illustration:
Face recognition classifies identical twins as the same person (even in official systems like border control);
One can have plastic surgery and change the face (Hezbollah terrorist leaders did that);
Fingerprints of some people can’t be scanned because of the skin type;
Voice recognition and face recognition have been cracked by AI already multiple times and it will be only worse from here;
The iris changes every several years, so you will need to rescan it all the time worldwide, but then what if someone lost the eye?
None of the existing biometry-based identification approaches works on its own.
Assume we combine all widely accessible methods: face recognition, fingerprint, voice recognition, iris recognition, vein analysis, walking pattern analysis, keystroke dynamics analysis. And then require 5/7. This guarantees correct identification with high probability (it requires more thoughtful analysis, but I would assume that under the right approach it is possible to arrive at a negligible probability of error). It also accommodates the possibilities of too thin finger skin, no access to iris scanners, etc.
By injecting randomness in a smart way, one can make forging the MFA biometry-based identification even more challenging, as the malicious actor won’t really know what to prepare for, will have to prepare for everything, and then will have tiny moments to give out the right falsifying mechanism. This also makes the attack more expensive, which raises the economic security of the system.
However, going back to the ground, there are two main issues with this system:
It takes more time. And we do identification quite often. So the UX friction will be quite substantial. While most people in the world are quite happy with the digital identity we currently have (till the moment their bank account is empty lol).
We do not have an existing infrastructure to make this possible. Or we partially have it. But, for example, we do not have high quality finger scanners in each smartphone, we do not have iris scanning infra throughout the world, we have serious issues with recognizing if the video is real or AI generated, etc.
So this method doesn’t seem to work realistically. And doing MFA 2/3 won’t give us the security guarantees we want.
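The 5/7 versus 2/3 comparison above, worked through as an added example (not the author's code). It assumes the modalities fail independently; the face and fingerprint false-match rates are the Face ID and Touch ID figures quoted later in this article, and every other rate is a constructed placeholder.

```python
"""k-of-n biometric MFA: error rates under an independence assumption."""

# False-match rate (FAR): chance an impostor passes one modality.
# face / fingerprint use the Face ID / Touch ID figures quoted in the
# article; every other number is a constructed placeholder.
FAR = {
    "face": 1 / 1_000_000,
    "fingerprint": 1 / 50_000,
    "voice": 1e-3,
    "iris": 1e-6,
    "vein": 1e-5,
    "gait": 1e-2,
    "keystroke": 1e-2,
}
# False-reject rate (FRR): chance the genuine user fails one modality.
# All constructed placeholders.
FRR = {name: 0.03 for name in FAR}


def at_least_k(probs, k):
    """P(at least k of the independent events happen): Poisson-binomial tail."""
    dist = [1.0] + [0.0] * len(probs)  # dist[j] = P(exactly j events so far)
    for p in probs:
        for j in range(len(dist) - 1, 0, -1):
            dist[j] = dist[j] * (1 - p) + dist[j - 1] * p
        dist[0] *= 1 - p
    return sum(dist[max(k, 0):])


def false_accept(far, k, defeated=()):
    """Impostor is accepted when at least k modalities match.
    A modality listed in `defeated` (e.g. spoofed by AI) always matches."""
    probs = [1.0 if name in defeated else p for name, p in far.items()]
    return at_least_k(probs, k)


def false_reject(frr, k, unavailable=()):
    """Genuine user is rejected when fewer than k modalities pass,
    i.e. when at least n - k + 1 of them fail. A modality listed in
    `unavailable` (unscannable skin, no iris reader) always fails."""
    probs = [1.0 if name in unavailable else p for name, p in frr.items()]
    return at_least_k(probs, len(probs) - k + 1)


def subset(rates, names):
    """Restrict a rate table to the named modalities."""
    return {n: rates[n] for n in names}


def compare():
    three = ("face", "fingerprint", "voice")
    ai_defeated = ("face", "voice")  # the two the article says AI has cracked
    return {
        "5of7_far": false_accept(FAR, 5),
        "5of7_far_ai": false_accept(FAR, 5, ai_defeated),
        "2of3_far": false_accept(subset(FAR, three), 2),
        "2of3_far_ai": false_accept(subset(FAR, three), 2, ai_defeated),
        "5of7_frr": false_reject(FRR, 5),
        "5of7_frr_no_fingerprint": false_reject(FRR, 5, ("fingerprint",)),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:26s} {value:.3e}")
```

With these constructed rates, treating face and voice as defeated makes 2/3 accept every impostor, while 5/7 still needs three more matches. The independence assumption is optimistic: one spoofing technique may defeat several modalities at once, and one bad sensor day may fail several for the genuine user.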
99.9% of DNA doesn’t change through life. At the same time 100% of people have DNA. And it’s unique. So if we could authorize through DNA – that could work.
The issues are:
It will require a joint database of all DNAs signed by all issuing authorities that want their citizens to have access to the authentication system.
Instant DNA recognition devices do not exist (not yet, might exist in the future).
Mapping from physical to digital: how do you guarantee that this is my own saliva I put in for authentication and not my friend’s saliva? Maybe we could analyse tiny pieces of skin (after a fingerprint analysis), but that is also very nuanced.
Might be a surprising option as we are talking about the ‘machine era’ but think again about parents identifying their kid with very high accuracy. What if we create an authentication mechanism where people who have known me for years need to agree (somehow blindly is better) that I am this one person. What if I tell you that someone has built a tiny prototype of this system? (which doesn’t make much sense till the moment it starts making a huge ton of sense iykyk).
The issues are:
This type of authentication requires attesters to be online and available for attesting most of the time.
Collusion is possible, but capping the minimal time of knowing each other might make it way harder to collude.
Hypothetically, if the vast majority of people were acting in good faith and the authorities were interested in representing the interests of that majority, we could just put together a huge social graph as a source of truth. However, this is utopia.
So what we want is to assign a unique identifier to a human body that doesn’t change through life, can’t coincide with the unique identifier of another person, and can’t be forged artificially.
OR some social consensus/robust behavioural analytics that will dynamically prove over time that this physical body goes under this identifier (where the identifier is not mapped from the physical body itself but defined through the social consensus).
Both options seem to be robust enough so that it doesn’t make sense to combine them. However, weaker options of both of them are so much weaker that even combining them doesn’t provide desirable security guarantees.
There is an ongoing process led by Apple, Google, and multiple governments to create a robust digital identity (which is still a work in progress). The main idea is to bind a physical body to the devices they use. It works under the assumption that this conglomerate is aware of the device history of each particular human (which is probably true today).
When the human is bound to the device (and the device is bound to multiple KYCs), we assume that the conglomerate knows with high enough probability what the official ID of the device owner is. From here, we have several options:
Using a private key in the TEE (Trusted Execution Environment), i.e. no biometry at all. Comes with all the problems of TEEs. Questionable possibility of rotation (possible, but depends on the randomness accessible, etc.).
Using face recognition (e.g. GoogleID). Face recognition should be incredibly robust, which I do not believe in long-term. However, because Google does not control the hardware, and hardware manufacturers (e.g. Android) often optimize for cheap offers – Google can’t force a reliable TEE in each smartphone. So they have to invent other options.
There was a pilot project, testing the approach of binding humans to devices: California residents can present their ID in Apple Wallet at participating TSA airport security checkpoints by simply tapping their iPhone or Apple Watch at the identity reader. Upon tapping their iPhone or Apple Watch, customers will see a prompt on their device displaying which specific information is being requested by the TSA. Only after authorizing with Face ID or Touch ID is the requested identity information released from their device. On the security of this: Face ID: 1 in 1,000,000 false match vs Touch ID: 1 in 50,000.
The obvious problems are:
Whatever GoogleID and wallet use that is not TEE – long-term (even mid-term) is very questionable because of the deepfake quality evolution (that will never end).
There is still some share of people on earth without smartphones (around 40%), with the lowest penetration in Bangladesh, India, and Brazil. This doesn’t seem to be a real obstacle because one day it will change (when some digital corp identifies them as an opportunity for growth and finds a way to make smartphones available and desired in the region), and also they probably do not really need digital identity right now. Tho it does split the world into those with digital identity and those without, which long term is a bad trend, but so is the world.
Despite this, I have a very high confidence that whatever the real security of this approach is, it will become the internationally imposed standard in the west in less than five years. China, Russia, and (maybe) Iran will probably have / already have their own solutions for digital identities that will be somehow composable with the western (e.g. composable enough for the airports).
So whatever projects, products, and visions we are building that explicitly or implicitly touch on identity – I think it is a sober assumption that this will be the standard worldwide.
Considering how the world has evolved (slowly but consistently being populated by machines), there is also an urgency for robust and resilient machine identity. Which technically is quite a different problem to solve.
Computers do not have any biometry or unique behaviour that can be observed over time. Most machines arrive identical except for their serial number.
So the obvious solutions are:
Deriving identity from the unique serial number (but it is unique to this manufacturer, not in the worldwide sense of uniqueness).
Using a TEE pre-loaded private key as the identity (the same as AppleID and wallet suggest). But industrial machines (which we want to have identities most of all) often do not have TEEs.
The obvious terrible solution is just to use a key as an identifier and maybe rotate it from time to time. The risk of the identity key being stolen when it is kept in open access (not in a TEE) is so high (based on the attacks we see) that even considering it as an option is quite insane (unless we do not need high security guarantees, which can actually be the case for some contexts). However, all startups and products suggesting identities for machines today do exactly this.
There is no real unique identifier that can be mapped into an identity. So we are dropping this option.
But what about behavioural identification? What if each machine behaves in a unique way that can be observed over time, so that it can be confirmed that this is the same machine? We drop anything related to AI, because if something was trained on existing data it won’t provide us with the desirable level of uniqueness. Instead, we think about mathematical tools and ways to get randomness / entropy. For example, if we take what the computer ‘has seen’ (assume it has a camera) within the first five minutes of its life and then map it into the identifier, I would claim the level of uniqueness will be good enough.
This can be done only at the OS manufacturer level, and not as an add-on solution, because we want to bind this entropy collection and processing to a particular machine. But overall it seems to be an option.
Can we run an internal randomness algorithm? Depends on what algorithms are at our disposal. I do not have enough knowledge to make a sanity check for this option. So I will leave it open.
Thank you for reading. You are welcome to share your thoughts and argue with me here: lisaakselrod@gmail.com