Digital identity is the way a computer stores a record of an external person or system. It is closely related to authentication.
What is digital identity?
In access management, digital identity is the recorded set of measurable characteristics by which a computer can identify an external entity. That entity may be a person, an organization, a software program, or a computer.
Digital identity relies on computer-identifiable attributes. For example, a computer may be able to identify a person because they know a password or their voice resonates at certain frequencies. A computer could also identify another computer by its IP address or media access control (MAC) address.
Two coworkers, Jim and Sharon, may be able to recognize each other by sight. But a computer does not know who “Jim” is or “Sharon” is. A computer instead stores a separate user profile for Jim and Sharon, which includes a name, a set of facts about their identity, and a set of privileges. And it has to check who they are by some measurable method, such as whether or not they enter the correct password. (Jim could potentially impersonate Sharon if he knows her username and password.)
Note that “digital identity” can also refer to a computerized equivalent of government-issued personal identification — sometimes, these are called “digital IDs.” However, this article focuses on digital identity within access management systems.
Who possesses a digital identity?
Almost every person who uses computers or accesses the Internet today has some form of digital identity. That may be an email address and password combination, their Internet browsing history, shopping history, and credit card information saved by an online store, or identifying characteristics stored in an identity and access management (IAM) system.
Examples of data points that can help form a digital identity include:
- Username and password
- Purchasing behavior or history
- Date of birth
- Social security number
- Online activity, such as search history and electronic transactions
- Medical history
Computers and computing devices have a form of identity as well. Networking systems and protocols use several methods to identify these devices; for instance, many systems use IP or MAC addresses. Organizations also have stored characteristics that allow external systems to recognize and interact with them. Even API endpoints* can be said to have digital identities. With a properly secured API, endpoints must prove who they are to make and receive API requests.
*An API is a way for one software program to request services from another. An API endpoint is where such a request starts from or is received, like a software program or an API server.
How does identity relate to access control?
Access control defines which data a user can view, change, or copy. As an accountant, Sharon may have access to her company’s books and payroll system. But as a salesperson, Jim only needs to access the customer database and a few other systems and should not have access to the books or payroll system. Their employer uses access control to 1) identify Sharon and Jim and 2) ensure Sharon can access the payroll system and Jim cannot.
As seen in the example, identity is part of what determines access. In this case, Sharon’s and Jim’s identities are also associated with specific roles. Access cannot be properly controlled without knowing who the person is and their role. Therefore, authentication is an important part of access control.
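The accountant-and-salesperson scenario above, worked through as an added example (this code is not from the original article): each identity record stores a name, a few facts, and the roles that carry its privileges, and a deny-by-default check maps a role to the resources and actions it may touch. The role names, resource names and the `DIRECTORY` store are constructed for this illustration.

```python
from dataclasses import dataclass

# Constructed identity record: what the computer stores about a person in
# place of "knowing" them by sight (a username, some facts, and roles).
@dataclass(frozen=True)
class Identity:
    username: str
    display_name: str
    department: str
    roles: frozenset

# Role -> set of (resource, action) pairs. These role and resource names are
# hypothetical; a real system would load them from its policy store.
ROLE_PERMISSIONS = {
    "accountant": {
        ("books", "read"), ("books", "write"),
        ("payroll", "read"), ("payroll", "write"),
        ("customer_db", "read"),
    },
    "salesperson": {
        ("customer_db", "read"), ("customer_db", "write"),
        ("crm", "read"),
    },
}

# Constructed user directory standing in for an IAM identity store.
DIRECTORY = {
    "sharon": Identity("sharon", "Sharon", "Finance", frozenset({"accountant"})),
    "jim": Identity("jim", "Jim", "Sales", frozenset({"salesperson"})),
}


def permissions_for(identity):
    """Union of the permissions granted by every role on the identity."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(username, resource, action):
    """Deny by default: unknown users, unknown roles and unlisted pairs fail."""
    identity = DIRECTORY.get(username)
    if identity is None:
        return False
    return (resource, action) in permissions_for(identity)


def reachable_resources(username):
    """Every resource a given account can touch, i.e. the blast radius if
    that one account were compromised."""
    identity = DIRECTORY.get(username)
    if identity is None:
        return set()
    return {resource for resource, _ in permissions_for(identity)}


if __name__ == "__main__":
    for user in ("sharon", "jim", "unknown"):
        print(user, "payroll/read ->", is_authorized(user, "payroll", "read"),
              "| reachable:", sorted(reachable_resources(user)))
```

The `reachable_resources` helper makes the least-privilege payoff concrete: Jim's account can reach the customer database and the CRM, but never the books or payroll, so a compromise of his credentials stops there.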
What is authentication?
Authentication is the process of verifying identity. Access control systems check one or more characteristics of users or devices to authenticate them.
There are three main characteristics or “factors” that authentication can assess:
- Knowledge: This authentication factor is something the user knows: for example, entering a password or answering a security question (e.g., “What is your mother’s maiden name?”). Some services, such as banks and credit bureaus, may also prompt customers to provide additional personal information, like their mailing address or government identification number, to verify their identity.
- Possession: This authentication factor is something the user has — in other words, it involves checking if the user possesses an assigned physical or digital token. For instance, a system may send a verification code to a user’s smartphone to check that they possess the phone or ask the user to plug a hardware token into their USB port.
- Inherent qualities: This authentication factor is something the user is; it checks qualities that are natural to the user. Examples include retina scans, facial recognition, and voice recognition.
These factors are often assessed together, as in multi-factor authentication (MFA).
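As an added example (not code from the original article), here is a minimal two-factor check combining a knowledge factor (a salted, iterated password hash) with a possession factor (a time-based one-time code computed from a seed shared with the user's phone, per RFC 6238). The `USERS` store, the usernames and the sample secret are constructed for the illustration; the test-vector seed `12345678901234567890` is the one published in RFC 6238.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory identity store: username -> the verifiers the system
# can check (a salted password hash, and the TOTP seed). Not a real service.
USERS = {}

PBKDF2_ROUNDS = 200_000  # iteration count for the password hash
TOTP_STEP = 30           # seconds per code, the common default


def enroll_user(username, password, totp_secret):
    """Store a verifier for each factor; the password itself is never kept."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_password(record, password):
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (what most authenticator apps default to)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(record, code, unix_time, drift_steps=1):
    """Possession factor: accept the current code and one step either side,
    so a phone whose clock is slightly off still works; older codes fail."""
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(record["totp_secret"], unix_time + TOTP_STEP * k)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def authenticate(username, password, code, unix_time):
    """Both factors must pass. Unknown users get the same False as a wrong
    password, so the response does not reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        return False
    ok_knowledge = verify_password(record, password)
    ok_possession = verify_totp(record, code, unix_time)
    return ok_knowledge and ok_possession


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test-vector seed
    enroll_user("sharon", "constructed-example-password", seed)
    now = 1111111109                         # a fixed timestamp from the RFC tables
    print("code for this step:", totp(seed, now))
    print("login ok:", authenticate("sharon", "constructed-example-password", totp(seed, now), now))
```

Note that both checks run even when the first one fails, so a wrong password and a wrong code take the same time to reject; the drift window is deliberately narrow, since every extra step accepted widens the window in which an intercepted code remains valid.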
Authentication vs. authorization
Authentication differs from authorization, which relates to what permissions each person has. However, both depend at least partially on digital identity. Who a person is typically helps determine what they are allowed to do. The CEO of a company is likely authorized to access more data than a lower-level employee, for example. Learn more about authorization and authentication.
How does a user’s digital identity affect their privacy?
Digital identity often relies on storing and verifying personal information — for example, a user’s email address, a face record (as in facial recognition), or facts about their life (answers to security questions). This can become a data privacy issue if the personal data is leaked, if unauthorized persons view the data, or if the user is unaware of how their personal data is used.
What is identity and access management (IAM)?
Identity and access management (IAM) includes several technologies that work together to manage and track digital identities, along with the privileges associated with each identity. Digital identity is foundational for IAM; without some way to know who a user is, an organization cannot assign and restrict their privileges.
IAM is extremely important for preventing data loss, cyber-attacks, and other threats. Strong authentication helps ensure that attackers cannot impersonate a legitimate user. Properly configured authorization limits the potential damage if a user account is compromised because the attacker will still only have access to some data, not every system in the organization.