
Wishing for a single identity

Feb 25, 2004 · 3 mins
Access Control, Enterprise Applications

* Identifying an authentication scheme that would be efficient for both user and system operator

Last issue we began looking at the use of a person’s e-mail address as the username needed for authentication in an identity management scheme. Usernames have to be unique – at least within their context. E-mail addresses need to be unique also, or else the mail won’t get through. So it seems like a perfect match, right?

Well, I did mention last time that the biggest problem was the fact that the “@” symbol is rarely available as a character to use in a username. That is a significant problem, but one which could be overcome with a bit of effort on the part of everyone (i.e., you and me). That would still leave a problem or two.

Many people are reluctant to use their e-mail address anywhere outside of their e-mail client because they (often rightly) believe that doing so would lead to an increase in the amount of spam they receive. I get close to 500 pieces of spam on a typical day, so I can understand when people are unwilling to share their e-mail address except with those they trust absolutely. This leads to another, corollary problem.

Since people will do anything they can to avoid spam, they will frequently acquire multiple e-mail addresses in an effort to stay one step ahead of the spammers. Others find creating multiple e-mail accounts a fairly easy way to filter and categorize their mail. I personally use a dozen or so active e-mail accounts at a half dozen different domains. So while every e-mail address is unique, there’s no guarantee that a particular one is the sole – or even primary – address of a particular user.

E-mail addresses would seem, then, to associate more with a persona than an identity. Just as you have multiple personas, so too do you have multiple e-mail addresses. While that isn’t a problem for the person with those addresses – they know who they are – associating “” with “” isn’t a trivial task.

So, it seems, I’ve managed to make the client or customer feel better (they can use the same username at any site they choose to), but have made the vendor or site-owner’s problem much bigger – multiple accounts for a single user.

I wish I could say at this point that I have the ideal solution, but I don’t. It would be useful, to everyone, if a user had a single, unique username for all times and all places. That would, however, require a degree of cooperation that’s unheard of both in business and in politics. Still, it can be our goal, and we can continue to work towards it. Someday, perhaps, it might actually be realized.