Identity, trust, and their role in modern applications
Lee Atchison
Co-Founder & CTO, Product Genius Corporation. Thought Leader, Cloud Expert, Best Selling Author. O'Reilly Media, LinkedIn Learning. Host Software Engineering Daily. Ex-Amazon, Ex-AWS. softwarearchitectureinsights.com.
In the software world, identity is the mapping of a person, place, or thing in a verifiable manner to a software resource. Whenever you interact with nearly anything on the internet, you are dealing with identities:
Everyone has multiple identities—multiple ways that people know who you are and interact with you in the virtual world. Here are a few of my identities:
Each of these is a different way of identifying me to my friends, family, co-workers, partners, and vendors. You deal with identities all the time. Identities can represent more than people. Everything you interact with in the real world that has a presence in the virtual world has to deal with identity and identity management:
Identity is everywhere. But when you need to correlate an item in the virtual world with an item in the real world, and you need to validate that they are one and the same—you require a way of identifying the item and validating the connection.
Bad actors are always trying to thwart this process. Whether they are trying to steal your login credentials to get access to your Instagram account, or trying to take ownership of your savings account to steal your hard-earned money, bad actors play havoc with our real lives when they thwart our identity in the virtual world.
Nearly every person and every company in existence today needs to deal with identity, and every executive, director, and manager needs to understand what identity management is about and why it’s important.
What makes up an identity?
An identity in the modern world typically is composed of three distinct segments:
When you log in to Facebook, you make use of your Facebook identity. First, you log in using a username and password—this is authentication, and it confirms that you are the person associated with this Facebook identity.
You move to your favorite group and you start reading messages in that group. Before you are allowed to view the messages in the group, though, Facebook has checked to make sure you have the necessary permission to do so—this is authorization, and it confirms that this identity has access to interact with this particular group.
You click “New Post” and type a post you want to send to the members of the group. Facebook is doing further authorization checks to make sure you have all the correct permissions to, first, create new posts, and, second, to put that post into this particular group.
Finally, someone reads your post and wants to find out more about you. So, they click on your picture to find out who you are and what topics you are interested in. They are looking at your profile and other attributes to find out more information about the identity they’ve been interacting with.
Recommended by LinkedIn
Where trust comes from
Have you ever viewed a Facebook profile and wondered whether the information in the profile was accurate? Or, to bring up the worst-case scenario, have you wondered whether the person associated with the profile was actually real? It should be no surprise that there is no magic method of validating that the profile of an identity contains accurate and useful information about the real-world entity associated with the virtual identity. Or even if the person represented by the profile truly exists.
How can the online identity be useful without knowing whether or not the information it includes is accurate, or even real? Because there is nothing about the identity itself to give you that information, you instead have to rely on the applications that create, manage, and use the identity to ensure the identity is valid. This is a matter of trust.
In the modern internet world, trust is an attribute associated not with the virtual identity itself, but with the application that is making use of the entity.
When you view your account balance at the bank, you have trust in the bank, which gives you a belief that the account balance is accurate and the funds are available. The bank elicits a high level of trust from you.
When you view someone’s photograph on a dating application or public chat room, you have no trust that the application validated that photograph, and hence you may have little trust that it is a valid photograph of the person the identity represents. The dating site elicits very little trust from you.
Trust can be inherited. You may have no trust in the chat room application. But you likely have a higher level of trust that someone’s LinkedIn identity is a more accurate view of who they say they are. This is because you have a higher level of trust in LinkedIn than you do in that chat room app.
But what if the chat room application makes use of your LinkedIn profile to facilitate logging you in (authenticating you)—hence associating your chat identity with your LinkedIn identity. Then, the reliability that the chat application’s view of an identity is accurate, increases. The chat application’s trust has been increased.
Trust and trust sharing are indispensable to our belief in the validity of the services we interact with on the internet. Trust is important when dealing with e-commerce companies, absolutely essential when dealing online with our banks and bank accounts, and potentially a matter of life or death when dealing online with our medical providers. While our trust may be (appropriately) low for the random chat room, trust must be extremely high when dealing with critical systems.
The technologies underpinning identity and trust on the internet are constantly evolving to keep pace with the threats posed by bad actors, who are constantly working to exploit any weakness. We’ll continue to need better mechanisms that are stronger, faster, easier to implement, and easier to use, or we will lose the race to maintain safe and secure systems. The next generation of systems may even be less reliant on central authority, thanks to blockchain and related technologies.
Eventually, we should expect trusted identity-sharing to become commonplace, improving our ability to interact safely with one another in the online world. Someday, we might even stop worrying whether a Facebook profile is real.
Want more from Lee?
If you are interested in getting more great content from Lee Atchison, sign up for his Software Architecture Insights newsletter. Sign up and you’ll be entered into a contest to win a free, signed copy of one of Lee’s O’Reilly Media books, such as Architecting for Scale, or Overcoming IT Complexity.
Driving Innovation and Transforming Enterprises | Technology Leadership | AI & Copilot Expert | Architectural Expertise | Strategic Visionary | Technical Delivery Excellence | USAF Veteran
1y"Great piece on the foundational concept of identity in software! 🌐 It's worth noting that as our digital footprints expand, the accuracy and security of identity mapping become paramount. Beyond the functional role of identity in authenticating interactions, it's also a significant trust factor. In an age where data breaches and identity theft are rampant, ensuring robust identity management not only safeguards technical processes but also fortifies the trust between businesses and users. This underscores the essence of identity as not just a technical requirement, but a cornerstone of digital trust and reliability. Thanks for emphasizing the weight of this concept. It's a reminder that in the digital realm, our 'identity' is more than just who we are; it's how we're protected and perceived.🔒👤"