When I was a student, there was a proposed law that many didn't like. In October 1994 people took to the streets to protest against the CJB. As the darkness fell on hide park, the protest turned to riot. As the peaceful crowds melted into the inky blackness, the helicopters whired overhead. A story is told, amongst my friends, that a roaming light picked out one of our number and the tannoy roared “disperse now or force will be used”. The fear gripped him and the last we saw of him that night was a far-away shape running shouting “I'm dispersing.....I'm dispersing......”
Little did I realise in those early days of the internet how prophetic those words where. Identity is dispersing. The web has brought us to a paradox – by making an identity information it ceases to a property of the thing-in-and-of-itself, the very thing it is meant to represent. Twenty years ago presenting my passport was enough to prove in a meaningful way that I was I. Today I find facsimiles of my identity scattered across the digital wasteland, my identity now appears to have several parallel lifes of it's own, often more impressive than mine. The problem extends beyond the sphere of personnel identity and infects organisational identity - is the bank I see before me just a spector with an evil genius behind the facade ready to steal my keys? As more of our important interactions take place in the meta-reality of the information space, validating the actual agents behind the digital identity becomes more urgent.
The identity problem has a long history in Philosophy and in it's most relevant guises is known as the problem of intentionality. Without a long exegesis of the literature (as I really can't remember back to the lectures I didn't make it to) the philosophical position is that, thanks primarily to Saul Kripke in Naming and Necessity, philosophy has gone beyond the study of language to talk of the actual things themselves.
My approach to the current operational paradox is based upon an intuition I had when I reading about Navajo code talkers and specifically about one of the features of the language which made it so cryptographically useful, that nouns were often derived from verbs. My intuition was that the paradox of digital identity is driven by the treatment of identity as a noun, a static subject of discourse. In order to deal with identity as a piece of static digital information we have to have the messy business of multiple/complex identities and we need to face the fact it becomes eminently more steal/fake-able when it moves from the physical realm to the binary. Why don't we treat identity as a verb, as a process? This seems to capture an important aspect of identity, that in our transactions with other we often validate each other through shared historical events, anticipated responses and word patterns. When Gordon Jackson's character in the Great Escape responses instinctively in English to a question asked in English by a German soldier inspecting his papers his identity as an escapee is revealed. When Arnie in Terminator II, impersonating John Connor, asks John's foster mum “How's Wolfy?”, her positive response indicates that she is being impersonated (the dog's name was Max).
So how does this approach actually help in Information Security? One suggestion might be to make our transactions with entities more information rich by including shared historical events, essentially making the one of the factors of authentication a dynamic known value. For example, an email from your bank that details the last three transactions before it was sent is a lot harder for a phisher to fake and fairly easy for the recipient to validate. One might also include a new number to enter in a transaction (in addition to PIN and/or CV2), the amount of the previous transaction that card was used for. A discrepancy on the back end processing could be quickly checked and the transaction flaged if the numbers didn't match. This approach doesn't directly defend against covert channels, cloning or man-in-the-middle but would significantly cut down the time window available to make use of captured information. The approach also has the added benefit of increasing security as the card is more diversely and regularly it is used, instead of the common-sense intuition that it would reduce it. It could also provide a valid defence against a fraudulent use that was patterned to look similar to the mark (and therefore evade detection due to geographical/spending anomaly).
It seems to me a rethinking some of our assumptions about identity could enhance our approach to some of the common challenges of our information rich lives.