Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
I've been having a lot of conversations recently about the nature of identity. I posited a few weeks ago that every human
being who ever lived, or ever will live, has a unique identity based on a combination of DNA and fingerprint. The conversations
seemed to focus on two primary issues that I'll call "cost" and "context."
As many readers pointed out, if you're trying to authenticate someone to see if they have authorization to use a particular
printer, waiting for DNA test results could add a factor of weeks - if not months - to the time needed to log in! It's theoretically
possible to build a device that would allow for rapid (if not actually instantaneous) DNA matching, but it would probably
be cheaper to simply buy a printer for everyone who wanted to use one.
This recalls a rule of thumb about as old as the security business itself - the cost of protecting a resource should not be
greater than the cost of replacing it (including recreating the status quo). So-called "irreplaceable" resources do exist,
but they're much rarer than most people believe. Usually "irreplaceable" means "It'll cost more than I have available to spend."
On the other hand, the cost of stealing a resource should not exceed the value of the resource (however you wish to measure
"value" - actual cash, prestige, leverage, etc.). A password should be sufficient to protect a printer from misuse. A bank
vault will require controls that are more stringent. But what about the launch sequence of a nuclear missile? Restoring the
status quo could be very difficult and very expensive. The authentication costs and difficulty should be commensurate with
that.
Others pointed out that, as far as the printer is concerned, it doesn't matter if I'm the unique individual identified by
my DNA sequence and fingerprint as long as I supply the proper credentials to satisfy the authenticator that I am someone
with the proper authority to submit print jobs. And, in fact, the "identity" doesn't even have to be unique. As we've seen
in last week's look at dynamic roles, hundreds of people could have the same attribute that gives them authorization to use
that printer.
Even if a resource required a proof of "uniqueness" (such as, say, a bank account) the authorizing agent doesn't look at who
I am, but only at whether I present the right credential for access. If the account is in the name "Elvis Presley" I don't
need to prove that I am the resurrected king of Rock and Roll, but only that I have the proofs required to show that I am
allowed access to the account that also carries the name attribute "Elvis Presley". The unique identifier in this case is
the account number. But that account number could be duplicated at some other bank in another part of the world. For my purposes
in accessing my account, though, it's only necessary that the account number be unique within this particular banking institution.
That is, within the context of this bank there is only one account with this number.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.