When I wake up my laptop, it asks for a username and password. The right answer provides access not only to the machine and its locally stored applications and data, but also my keychain of stored website passwords. The same is true with my smartphone: I provide a short numeric password and have access to my stored data and configured applications – which include cached passwords for email and various online services.
So, you might say, on a fundamental level my digital identity is absolutely tied to a few specific edge devices that I possess, carry around with me, and try hard not to lose.
Yet on another level, my identity lives in the cloud. Whether it’s Facebook, Twitter, LinkedIn, Google Documents, Windows Live, Netflix, Amazon.com, Salesforce.com, Dropbox, the SD Times editorial wiki, this blog or elsewhere, my identity is in cyberspace. It’s accessible from any machine’s applications, via any browser and even APIs.
Therefore, my digital identity simultaneously has absolutely nothing to do with whichever edge devices I’m using today.
This thought occurred to me when meeting with PowerCloud, a Xerox PARC spinoff that’s building a cloud-based authentication system for small business networks. In effect, infrastructure devices like routers and switches are registered with the PowerCloud system, and are programmed to only allow authorized edge devices (laptops, desktops, smartphones, network printers) to connect to the LAN. It’s a clever system that not only improves network security but also simplifies network configuration.
The whole PowerCloud system is based on authenticating specific devices based on either their MAC address (for the edge device) or a firmware token (for the infrastructure device). The system doesn’t care who is using the hardware; if it’s not authorized it can’t connect. That’s very different, of course, than how most of us view the Web, where it’s all about username and password. But it’s the way that the invisible world works. For example, your phone is authenticated to the mobile network based on an electronic serial number baked into the phone or a removable SIM card — not based on phone number or your unlock password.
The best security schemes involve something that you have (a device, a fingerprint or other physical token) and something that you know (a password or passphrase). But what does that mean for identity? Am I user “alan” on my laptop? Or am I user 132588 on LinkedIn?
Who am I? And does it even matter?