© Yvonne Wilson, Abhishek Hingnikar  2019
Y. Wilson, A. Hingnikar, Solving Identity Management in Modern Applications, https://doi.org/10.1007/978-1-4842-5095-2_2

2. The Life of an Identity

Yvonne Wilson (1) and Abhishek Hingnikar (2)
(1) San Francisco, CA, USA
(2) London, UK

That it will never come again is what makes life so sweet.

—Emily Dickinson in “That it will never come again” (1741)

To clarify the terms used in subsequent chapters, we need to describe what an identity is and how it is used, as well as the most common events in the life of an identity.

Terminology

The concepts of an identity, an identifier, and an account are closely related but subtly different. We use the term “identifier” to refer to a single attribute whose purpose is to uniquely identify a person or entity, within a specific context. Email addresses, passport numbers, driver’s license numbers, and employee numbers are all examples of identifiers used for people. Nonhuman entities, such as agents, bots, or devices, may be identified by an alphanumeric string of characters assigned at their time of creation or registration within a context where they will act. Identifiers allow us to refer to a specific person or nonhuman entity and are essential to identity management.

The term “identity” is defined as a collection of attributes associated with a specific person or entity in a particular context. An identity includes one or more identifiers and may contain other attributes associated with a person or entity. Human identities may include attributes such as name, age, address, phone number, eye color, and job title. Nonhuman identities may include attributes such as an owner, IP address, and perhaps a model or version number. The attributes which make up an identity may be used for authentication and authorization as well as conveying information about the identity to applications.

A given person may have more than one identity. Just as a person might take on different personas in different social contexts, such as a parent, child, engineer, or coach, a person can have multiple online identities as well. One might have a work identity used to perform tasks for an employer. The identity attributes might include an identifier issued by the employer, a department name, building location, and manager. One might also have a variety of personal identities used for different purposes, including managing a youth sports team or running a side business. These real-world examples demonstrate the contextual aspect of our definition. An online identity consists of at least one identifier and a set of attributes for a user or entity in a particular context, such as an application or suite of applications.

An identity is associated with an account in each such context. We define an account as a local construct within a given application or application suite that is used to perform actions within that context. Identity attributes may be contained within an application’s account object, or they may be stored separately and referenced from the account object. An account may have its own identifier in addition to that of the identity associated with it. Keeping the account identifier separate from the identity’s identifier provides a useful degree of separation: if other application records reference the account by its own, unchanging identifier rather than by a username or email address, a user can change the username or other identifier without every record that refers to the account having to be updated.

We will use the term “identity” when specifically referring to online identities as the set of attributes about a person or entity. We will use the term account when referring to an account as a construct within an application or service that has an identity associated with it. It should be noted that an account can have more than one identity associated with it through account linking which will be explained further in Chapter 18. To summarize, a person logs in to use an account which has various identity attributes associated with it and which enables them to perform actions within a system.

Nonhuman actors can certainly have identities as well. Software components serving as agents or bots and smart devices can have identities and may interact with other software or devices in ways that require authentication and authorization just like human actors. In order to keep this book to a manageable size, however, we will primarily discuss human actors and their online identities.

As you might guess, an Identity Management (IdM) System is a set of services that support the creation, modification, and removal of identities and associated accounts, as well as the authentication and authorization required to access resources. Identity management systems are used to protect online resources from unauthorized access and form an important part of a comprehensive security model.

Events in the Life of an Identity

With basic definitions out of the way, we can move on to the primary events in the life of an identity, illustrated in Figure 2-1. We’ll outline the events in this chapter and then go into each in more depth in subsequent chapters.
Figure 2-1. Events in the Life of an Identity

Provisioning

The first step in the life of an identity is its creation. The act of creating an account and associated identity information is often referred to as provisioning. Provisioning might be done by having users register, by importing identity information from a legacy system, or by leveraging an external identity service. Regardless of the mechanism used, the objective of the provisioning phase is to establish an account with associated identity data. This involves obtaining or assigning a unique identifier for the identity, optionally assigning a unique identifier for the account distinct from that of the identity, creating the account, and associating identity profile attributes with it.

For example, a user named Alice wishes to use some online banking services. Alice might establish an online account at a bank by filling out an account registration form. Alice would provide identity information including a username, a password, her name, home address, phone number, email address, and some form of tax ID. This data would be used to provision an online account at the bank associated with Alice’s personal identity.

Alice could create multiple online accounts at the bank for different identities. In addition to the personal account, Alice might establish a second identity as a small business owner with a second online account using her business identity and tax ID. The provisioning phase establishes an online identity and account, which are then used to access online services.

Authorization

When an account is created, it is often necessary to specify what the account can do, in the form of privileges. We use the term authorization for the granting of privileges that govern what an account is allowed to do.

When Alice creates her online account, the bank authorizes her account to access the application to view checking accounts. If she does not have a brokerage account at the bank, her account would not be authorized to access the bank’s stock trading application. Needless to say, her account would also not be authorized to view account information for the bank’s other customers! Alice’s authorization indicates the privileges her account has been granted. Authorization for an account is typically done at the time an account is created and may be updated over time.

Authentication

To access online content that is not publicly available, a user needs to authenticate. A user provides an identifier to signify the account they wish to use and enters login credentials for the account. These are validated against credentials previously registered during the account provisioning phase; for a password, the system should store only a salted hash and compare the hash of the submitted value against it, so that a leak of the stored data does not directly yield a usable credential. The credentials may involve something the user knows, something the user has, and/or something the user is. A password is something the user knows. A numeric code generated by a previously registered device, such as a mobile phone, involves something the user has. Biometric information such as a fingerprint is something the user is. Authentication with one or more credentials which are validated against previously registered information demonstrates, to some degree of confidence, a user’s right to use an account to access protected resources.

After Alice establishes her online identity and account at the bank, she can access the bank’s online services. To access protected resources, such as her checking account balance, she will need to authenticate by entering the username and password established during the registration step. The username indicates the account she wishes to use, and knowledge of the password demonstrates her right to use the account.

Access Policy Enforcement

Once a user has been authenticated and associated with an account, it is necessary to enforce access policy to ensure any actions taken by the user are allowed by the privileges they have been granted. We use the term access policy enforcement for checking each request against the privileges specified by authorization. In other words, authorization specifies what a user or entity is allowed to do, and access policy enforcement checks, at the time of each request, that the requested action falls within those privileges.

When Alice logs in to the bank’s online retail banking application and makes a request, the application will check that she has the authorization to make the request. If she attempts to access the stock trading services, she would be denied as she is not authorized to access those services. In this case, the application might display a message indicating she is not allowed to view that service, perhaps with information on how to sign up for it.
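To make the four events just described concrete, here is an added Python sketch (not code from the book) of an in-memory identity store that provisions Alice’s account, records the privileges she is authorized for, authenticates her, and enforces access policy on individual requests. The account identifier is a UUID kept separate from her username, passwords are stored as salted PBKDF2 hashes, and the names, privilege strings, profile data and iteration count are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import uuid

# Assumption: PBKDF2-HMAC-SHA256 with a work factor high enough to slow offline guessing.
PBKDF2_ITERATIONS = 600_000
DUMMY_SALT = b"\x00" * 16   # used to equalize timing when the username is unknown


def hash_password(password, salt=None):
    """Derive a (salt, digest) pair; the cleartext password is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class IdentityStore:
    """In-memory stand-in for an IdM system's account and identity storage."""

    def __init__(self):
        self.accounts = {}         # account_id -> account record
        self.username_index = {}   # username (an identity identifier) -> account_id

    # Provisioning: create the account, its own account identifier, the identity
    # attributes and the initial credential.
    def provision(self, username, password, profile, privileges=()):
        if username in self.username_index:
            raise ValueError("username already registered")
        account_id = str(uuid.uuid4())
        salt, digest = hash_password(password)
        self.accounts[account_id] = {
            "account_id": account_id,
            "identity": {"username": username, **profile},
            "credential": {"salt": salt, "digest": digest},
            # Authorization: privileges granted when the account is created.
            "privileges": set(privileges),
            "enabled": True,
        }
        self.username_index[username] = account_id
        return account_id

    # Authorization may be updated later, e.g. when Alice opens a brokerage account.
    def grant(self, account_id, privilege):
        self.accounts[account_id]["privileges"].add(privilege)

    # Other records key on account_id, so a rename touches only the identity and the index.
    def change_username(self, account_id, new_username):
        if new_username in self.username_index:
            raise ValueError("username already registered")
        identity = self.accounts[account_id]["identity"]
        del self.username_index[identity["username"]]
        identity["username"] = new_username
        self.username_index[new_username] = account_id

    # Authentication: the identifier selects the account; the password proves the right to use it.
    def authenticate(self, username, password):
        account_id = self.username_index.get(username)
        if account_id is None:
            hash_password(password, DUMMY_SALT)   # same cost as a real check, so timing does not reveal valid usernames
            return None
        account = self.accounts[account_id]
        _, digest = hash_password(password, account["credential"]["salt"])
        if account["enabled"] and hmac.compare_digest(digest, account["credential"]["digest"]):
            return account_id
        return None

    # Access policy enforcement: is the requested action within the granted privileges?
    def is_allowed(self, account_id, privilege):
        account = self.accounts.get(account_id)
        return bool(account and account["enabled"] and privilege in account["privileges"])


def demo():
    """Walk Alice through the four events; returns each outcome for inspection."""
    store = IdentityStore()
    password = "correct horse battery staple"
    alice = store.provision(
        "alice", password,
        {"name": "Alice Example", "email": "alice@example.com", "tax_id": "000-00-0000"},  # constructed data
        privileges={"checking:view"},
    )
    results = {
        "login_ok": store.authenticate("alice", password) == alice,
        "wrong_password": store.authenticate("alice", "not her password") is None,
        "unknown_user": store.authenticate("mallory", password) is None,
        "view_checking": store.is_allowed(alice, "checking:view"),
        "trade_stocks": store.is_allowed(alice, "brokerage:trade"),
    }
    store.grant(alice, "brokerage:trade")          # she later opens a brokerage account
    results["trade_after_grant"] = store.is_allowed(alice, "brokerage:trade")
    store.change_username(alice, "alice.example")  # account_id and privileges are untouched
    results["login_after_rename"] = store.authenticate("alice.example", password) == alice
    results["old_name_gone"] = store.authenticate("alice", password) is None
    return results


if __name__ == "__main__":
    for event, outcome in demo().items():
        print(f"{event}: {outcome}")
```

Two details are worth noticing. The unknown-username branch still performs a hash derivation so that response time does not tell an attacker which usernames exist, and the rename at the end works without touching any privilege or credential record precisely because those records hang off the account identifier rather than the username.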

Sessions

Once a user has been authenticated and authorized, they will perform various actions within an application. Some applications, typically traditional web applications and sensitive applications, only allow a user to remain active for a limited period of time before requiring the user to authenticate again. They do this by managing a session for the user. A session tracks information such as whether the user has been authenticated, and if so, typically also the authentication mechanism or strength level used, and when authentication occurred, in addition to a user identifier. This enables an application to know when the user should be prompted to reauthenticate.

The length of time a user is allowed to remain active before reauthentication is known as a session limit or session timeout. The session timeout settings will typically vary by the sensitivity of the data in the application. Session limits help protect against users who walk away from their screen without logging off, and against identity information that may have changed since the session was created; they also bound the window during which a stolen session identifier remains usable. A session limit that forces a user to periodically reauthenticate provides a check that it is still the legitimate user at the keyboard. It can also trigger a renewal of the user’s identity information and account status.

Alice’s retail banking application that provides access to her bank account may allow only a relatively short session, measured in minutes. Another, less sensitive service offered by the bank, such as an investment newsletter, may allow a longer session, measured in hours or days. Each time Alice makes a request of either application, it is necessary for the application to check if she has authenticated recently enough for the requested transaction. If so, she can continue without authenticating again. If too much time has elapsed since she last authenticated, she would have to authenticate again.

Single Sign-On (SSO)

After a user accesses one application, they may wish to do something else involving another application. Single sign-on (SSO) is the ability to log in once and then access additional protected resources or applications with the same authentication requirements, without having to reenter credentials.

When Alice accesses her bank’s web site, single sign-on would provide convenient access to multiple banking services. If Alice signed up for the investment newsletter service at her bank, she could log in to access first the retail banking application to view her account balance and then access the investment newsletter without having to sign in again.

Single sign-on is possible when a set of applications has delegated authentication to the same entity. An authenticated session in that entity that can be used to access multiple resources via single sign-on is often called an SSO session.

Stronger Authentication

Step-up authentication and multi-factor authentication (MFA) both involve authenticating a user with stronger forms of authentication. Some forms of authentication, such as username-password authentication, are considered relatively weak because they involve a single factor, the password, which can be captured and easily used by others. Stronger forms of authentication involve other factors, such as something the user has and/or something the user is. Authentication that requires multiple factors at the same time is known as multi-factor authentication. Multi-factor authentication typically involves a password as well as possession of a device such as a laptop or mobile phone or possibly a biometric factor such as a fingerprint or voiceprint.

Step-up authentication is the act of elevating an existing authentication session to a higher level of assurance by authenticating with a stronger form of authentication. For example, a user might initially log in with a username and password to establish an authentication session. Later, upon accessing a more sensitive feature or application with higher authentication requirements, the user would be prompted for additional credentials, such as a one-time password generated on their mobile phone. Step-up authentication may be required when a user accesses a more sensitive application or when they attempt to perform more sensitive transactions, like withdrawing unusually high amounts of money.

Alice might initially log in with a username and password and be able to view her account balance on the bank’s web site. If she later attempts to transfer a large amount of money out of her account, she might have to step up her session and enter a stronger authentication factor, such as a special one-time use code generated by an application on her phone. This elevates her session to a higher level of authentication assurance which provides a higher degree of confidence that the user requesting access or performing a transaction is the legitimate account owner.

Logout

When a user is done with an application, they should terminate their session by logging out. At a minimum, the act of logging out should terminate the user’s application session. If they return to the application, they would have to authenticate again before being granted access. In situations where single sign-on is used, there may be multiple sessions to terminate, and it is a design decision as to which sessions should be terminated when the user logs out of one application.

The act of logging out is slightly different from a session timing out. In the former case, the user explicitly requests that their session be terminated. When a session times out, an application may elect to keep the session in a suspended state and reconstitute the session if the user authenticates again.

In a scenario where Alice has logged into her bank’s web site and viewed her bank balance as well as a recent investment newsletter, she would have a session in the retail banking application, in the investment newsletter application, and in the bank’s SSO service. If she is idle for a few minutes to take a phone call, her session in the retail banking application may time out. When she finishes her phone call, she would have to reauthenticate to continue. When she finishes viewing her account, she would click a “Logout” link to terminate all of her open sessions.
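The session, single sign-on, step-up and logout behavior described in the preceding sections can be captured in a small session store. The following Python sketch is an added example, not code from the book: it records when and how strongly a user authenticated, applies per-application idle and absolute limits, answers “allow”, “step_up”, “reauthenticate” or “authenticate” for each request, distinguishes a timed-out (suspended) session from a logged-out (terminated) one, and terminates every application session tied to the same SSO session on a global logout. The assurance levels, timeouts, application names and clock values are constructed assumptions.

```python
from dataclasses import dataclass
import secrets

# Assumed assurance levels: 1 = password only, 2 = password plus a possession factor.
LEVEL_PASSWORD = 1
LEVEL_MFA = 2


@dataclass
class Session:
    session_id: str
    account_id: str
    app: str                  # "sso" for the shared SSO session, otherwise the application name
    authenticated_at: float   # when the user last authenticated (epoch seconds)
    level: int                # assurance level of that authentication
    last_seen: float          # last request that used this session
    idle_limit: float         # seconds of inactivity allowed
    absolute_limit: float     # seconds since authentication allowed, regardless of activity
    sso_id: "str | None" = None   # the SSO session an application session was derived from
    state: str = "active"     # active | suspended (timed out) | terminated (logged out)


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def create(self, account_id, app, level, now, idle_limit, absolute_limit, sso_id=None):
        sid = secrets.token_urlsafe(32)   # unguessable: the identifier is the bearer credential for the session
        self.sessions[sid] = Session(session_id=sid, account_id=account_id, app=app, authenticated_at=now,
                                     level=level, last_seen=now, idle_limit=idle_limit,
                                     absolute_limit=absolute_limit, sso_id=sso_id)
        return sid

    def check(self, sid, now, required_level=LEVEL_PASSWORD, max_age=None):
        """Decide whether a request may proceed on this session."""
        s = self.sessions.get(sid)
        if s is None or s.state == "terminated":
            return "authenticate"
        if (s.state == "suspended" or now - s.last_seen > s.idle_limit
                or now - s.authenticated_at > s.absolute_limit):
            s.state = "suspended"   # kept so a fresh login can reconstitute it
            return "reauthenticate"
        if s.level < required_level or (max_age is not None and now - s.authenticated_at > max_age):
            return "step_up"        # a stronger or more recent authentication is needed for this action
        s.last_seen = now
        return "allow"

    def step_up(self, sid, level, now):
        """Record a successful stronger authentication on an existing session."""
        s = self.sessions[sid]
        s.level = max(s.level, level)
        s.authenticated_at = now
        s.last_seen = now

    def reauthenticate(self, sid, level, now):
        """Reconstitute a suspended session after the user logs in again."""
        s = self.sessions[sid]
        s.state = "active"
        s.level = level
        s.authenticated_at = now
        s.last_seen = now

    def logout(self, sid, everywhere=False):
        """Terminate one session, or every session tied to the same SSO session."""
        s = self.sessions.get(sid)
        if s is None:
            return
        s.state = "terminated"
        sso_id = sid if s.app == "sso" else s.sso_id
        if everywhere and sso_id is not None:
            for other in self.sessions.values():
                if other.session_id == sso_id or other.sso_id == sso_id:
                    other.state = "terminated"


def demo():
    """Alice's day at the bank, as in the text; returns the decision for each request."""
    store = SessionStore()
    t0 = 1_700_000_000.0   # constructed clock
    alice = "acct-alice"
    sso = store.create(alice, "sso", LEVEL_PASSWORD, t0, idle_limit=8 * 3600, absolute_limit=24 * 3600)
    retail = store.create(alice, "retail", LEVEL_PASSWORD, t0, 5 * 60, 8 * 3600, sso_id=sso)        # sensitive: 5-minute idle limit
    news = store.create(alice, "newsletter", LEVEL_PASSWORD, t0, 2 * 86400, 7 * 86400, sso_id=sso)  # less sensitive
    out = {}
    out["view_balance"] = store.check(retail, t0 + 60)
    out["large_transfer"] = store.check(retail, t0 + 90, required_level=LEVEL_MFA)
    store.step_up(retail, LEVEL_MFA, t0 + 100)       # Alice enters the one-time code from her phone
    out["transfer_after_step_up"] = store.check(retail, t0 + 110, required_level=LEVEL_MFA)
    call_over = t0 + 110 + 10 * 60                   # ten idle minutes exceed the retail limit
    out["retail_after_call"] = store.check(retail, call_over)
    out["newsletter_after_call"] = store.check(news, call_over)
    store.reauthenticate(retail, LEVEL_PASSWORD, call_over + 5)
    out["retail_after_login"] = store.check(retail, call_over + 10)
    store.logout(news, everywhere=True)              # the "Logout" link ends every open session
    out["sso_after_logout"] = store.check(sso, call_over + 20)
    out["retail_after_logout"] = store.check(retail, call_over + 20)
    return out
```

The `max_age` parameter is how a “recent authentication” requirement for a sensitive transaction is expressed: a session may carry a high assurance level yet still be sent to step-up because the authentication is too old. Which sessions a logout terminates is the design decision mentioned above; here a global logout walks the SSO session and every application session derived from it.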

Account Management and Recovery

During the course of an identity’s lifetime, it may be necessary to change various attributes of the user profile for the identity. For example, a user may need to update their email address or phone number. A user may need to update their name in some circumstances or to periodically change their password or mobile device used in the authentication process. In a company, a user’s profile might be updated to reflect a new position, address, or privileges such as roles. Account management consists of features or processes which enable users and administrators to view and update user profile attributes associated with an identity.

A user may also forget their password or lose a device that is required for an authentication process. If this happens, a user needs to establish new credentials. This requires an alternate means of establishing the user’s ownership of the account before allowing them to set new credentials. Account recovery is a mechanism to validate that a user is the legitimate owner of an account through some secondary means and then allow the user to establish new credentials. Because recovery bypasses the normal login credentials, the secondary means should be no easier for an attacker to satisfy than the credentials it replaces; otherwise recovery becomes the weakest path into the account.

If Alice goes on a trip and forgets her password after being gone for a while, she would need a means of resetting her password. She may have to enter a code using an alternate authentication mechanism she set up previously or she may be able to trigger an account recovery link sent to her email that will enable her to reset her credentials. Similarly, if Alice decides to move, she would need the ability to update her profile at the bank to reflect her new address. Throughout the lifetime of an identity, various changes may occur, requiring the ability to update the identity profile attributes and/or reestablish new credentials.
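The recovery link Alice receives by email is backed by a token, and the properties that token needs are easy to get wrong. As an added illustration (not code from the book), the following Python sketch issues recovery tokens that are random, stored only as a hash, valid for a limited time, single use, and superseded by any newer request for the same account. The lifetime, account identifier and clock values are constructed assumptions; the caller that receives a successful `redeem` result is expected to set new credentials with the same password-storage routine used at provisioning.

```python
import hashlib
import secrets

RECOVERY_TOKEN_TTL = 15 * 60   # assumption: a recovery link is valid for 15 minutes


class RecoveryService:
    """Issue and redeem single-use, expiring account recovery tokens."""

    def __init__(self):
        self.pending = {}   # sha256(token) -> (account_id, expires_at)

    def issue(self, account_id, now):
        # A new request invalidates any earlier token still pending for the same account.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != account_id}
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unrelated to any user data
        self.pending[hashlib.sha256(token.encode()).digest()] = (account_id, now + RECOVERY_TOKEN_TTL)
        return token   # goes into the emailed link; the server keeps only its hash

    def redeem(self, token, now):
        """Return the account_id the token proves control of, or None if it is not acceptable."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(key, None)   # single use: removed even if it turns out to be expired
        if entry is None:
            return None
        account_id, expires_at = entry
        if now > expires_at:
            return None
        return account_id


def demo():
    """Exercise the token rules; returns the result of each redemption attempt."""
    svc = RecoveryService()
    t0 = 1_700_000_000.0   # constructed clock
    out = {}
    first = svc.issue("acct-alice", t0)
    second = svc.issue("acct-alice", t0 + 30)            # Alice clicks "forgot password" twice
    out["stale_token"] = svc.redeem(first, t0 + 60)       # superseded by the second request
    out["fresh_token"] = svc.redeem(second, t0 + 60)      # valid: Alice may now set new credentials
    out["replayed_token"] = svc.redeem(second, t0 + 61)   # single use
    late = svc.issue("acct-alice", t0 + 100)
    out["expired_token"] = svc.redeem(late, t0 + 100 + RECOVERY_TOKEN_TTL + 1)
    out["forged_token"] = svc.redeem("not-a-real-token", t0 + 100)
    return out


if __name__ == "__main__":
    for attempt, result in demo().items():
        print(f"{attempt}: {result}")
```

Storing only the hash means a copy of the database does not give an attacker working recovery links, and a plain SHA-256 is adequate here because the token itself carries 256 bits of entropy and cannot be guessed offline. After a successful redemption, a deployment would also terminate the account’s existing sessions, since the whole point of recovery is that the previous credentials may have been compromised.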

Deprovisioning

There may come a time when it is necessary to close an account. In this case, the user’s account and associated identity information must be deprovisioned so that it can no longer be used. Deprovisioning may take the form of completely deleting the account and associated identity information or simply disabling the account, to preserve information for audit purposes.

If Alice decides at some point to terminate her relationship with the bank, she would request that her accounts be closed. The bank would close out her checking and savings accounts and terminate her online account so that she could no longer log in. The bank would, however, need to keep sufficient information to meet tax reporting and audit obligations.

Summary

This chapter has introduced the concept of an account and an associated identity and the most typical events that occur during their existence, from provisioning and authorization to authentication and access policy enforcement, all the way to deprovisioning. In the next chapters, we’ll dive into more detail for each event, starting with a summarized history of approaches to identity management.

Key Points

  • Provisioning creates an account and associated identity.

  • Authentication validates that a user is entitled to use an account.

  • Authorization specifies the privileges granted for an account.

  • Access policy enforcement checks that requests are within the privileges granted by authorization.

  • A session and session limit are used to govern how long a user can remain active without reauthenticating.

  • Single sign-on allows a user to log in once and then access additional protected resources without reentering credentials.

  • Multi-factor authentication requires authentication by multiple forms of authentication, such as something the user knows (a password), something the user has (such as a device), and/or something the user is (such as a fingerprint).

  • Step-up authentication is the elevation of an existing authentication session to a higher authentication assurance level when a user authenticates with a stronger form of authentication.

  • Logout terminates an authenticated session, requiring reauthentication to access a protected resource again.

  • Account management features allow a user or administrator to update account and identity profile attributes.

  • Account recovery is required when a user loses the ability to authenticate using previously established credentials.

  • Deprovisioning is the removal or disabling of an account and associated identity information.
