What can be used as an ‘identifier’

Aug 20, 2003, 4 mins
Access Control, Enterprise Applications

* Is it the plastic card that identifies you or the numbers of the card?

Last week’s analogy of charge card systems for the identity management concept of “persona” drew two distinct types of criticism. The first, that “group membership” or “role” were most closely identified with the analogy, I talked about last issue. The second is almost diametrically opposed.

Richard Probst, Nominum’s vice president of product marketing, summed it up well in an e-mail introducing the concept of “identifier,” which he defined as “a value that can be presented to distinguish [one] persona from others.” He went on to point out that “for the American Express or Visa examples you started with, the defining attribute is nothing physical, and is not a piece of plastic – it’s a number. I can call a merchant and read my credit card number over the phone, and prove that I belong to the Visa group. It’s not the plastic, it’s the number. And credit card numbers are just one example of identifiers.” 

Analogies are never perfect and usually break down under too close an examination.

Let’s re-examine the Visa Check card analogy in light of Probst’s use of “identifier.”

You’ll remember that the point of Visa’s marketing was that its check/debit card was easier to use than writing a check, which it illustrates by giving an exaggerated look at the check approval process. Those who used Visa’s piece of plastic were much more quickly on their way. Using a paper check, like using a plastic debit card, is an indicator of group membership – depositors of a bank. But the debit card also indicates that the holder is a depositor at a bank. So what’s the difference?

One difference is mathematical. When a debit card is misused the merchant is requested to cut it up so that it can’t be used again. The merchant can’t destroy all of your checks, however. Another difference, though, is that the card can carry authentication information – perhaps a signature on the back, perhaps biometric data magnetically encoded. A check carries no such information.

But Probst pointed out that the “identifier” wasn’t actually the piece of plastic, but the identification number embossed on the card. The check also carries an “identifier” in the form of a number – the account number assigned by the bank to that checking account. The above paragraph’s show of difference between paper and plastic also applies to the differences between the account numbers on the paper or on the plastic.

Probst’s remarks are good, but refer to the authentication within the group membership, I believe. The American Express card and the Visa Check card are badges, or identifiers, of group membership. Since I can’t show you my “badge” over the telephone (or over the Internet) then I need a different way to demonstrate my group membership. But even if I can show you the card, I need a way to show you that I am a current member in good standing. The number on the card becomes the “username” for the object being managed – the account with Amex, Visa or the bank. Just as you need to authenticate as a particular username to gain access to your computer network, so too do you need to authenticate as a particular username to gain the rights and privileges associated with the group membership.

That account number object probably only has one persona. But a human object can have a persona with an identifier which is the account number object (the bank) – the bank account object becoming an attribute of the human object. That’s a topic for another day – and we still haven’t gotten to the “yacht club scenario.” Hurry back!