Identity

What Is Identity?

In computing and communications, identity is the set of attributes and identifiers that uniquely represent an entity, such as a user, device, service, or organization, within an information system or network. Identity is the foundation on which access control, accountability, and trust are built: a system cannot grant appropriate permissions, log actions to the correct principal, or bind transactions to responsible parties without first resolving who or what is acting. The concept spans physical credentials, cryptographic keys, biometric measurements, and behavioral patterns, each of which can serve as evidence for asserting or verifying that a claimed identity corresponds to a known entity.

The technical treatment of identity has evolved alongside the growth of networked computing. Early timesharing systems assigned users numeric identifiers and passwords in local databases. As networks expanded, federated and distributed identity models emerged to allow a single credential established with one provider to be accepted by others, reducing the proliferation of separate usernames and passwords across systems. Standards bodies including NIST, IETF, and ISO have produced extensive guidance on digital identity, culminating in frameworks such as NIST Special Publication 800-63, which defines identity assurance levels, credential lifecycle management, and authenticator requirements across government and enterprise deployments.

Digital Identity and Attributes

A digital identity is a structured collection of attributes associated with an entity. Attributes may include a username, an email address, organizational affiliation, assigned roles, biometric templates, device certificates, and any other claims that describe the entity or its relationship to the system. These attributes are stored in identity directories or databases, such as LDAP-compliant directories or cloud-based identity providers, and are referenced whenever the entity seeks access to resources. The completeness and accuracy of attribute sets determine the granularity of access decisions available to the system. Privacy considerations govern which attributes are collected, retained, and shared with third parties: data minimization principles, codified in regulations such as the EU's General Data Protection Regulation, require that only the attributes necessary for a given transaction be disclosed.

Authentication and Verification

Authentication is the process by which a system verifies that an entity is who it claims to be. Verification relies on evidence in one or more categories: something the entity knows (a password or PIN), something the entity has (a physical token, smart card, or mobile device), or something the entity is (a fingerprint, iris pattern, or voice characteristic). Multi-factor authentication (MFA) requires evidence from at least two categories, substantially reducing the risk that a stolen credential alone can grant unauthorized access. The NIST Digital Identity Guidelines define three identity assurance levels that prescribe authentication requirements based on the sensitivity of the resources being protected. Standards such as FIDO2, OpenID Connect, and SAML provide interoperable protocols for authentication exchanges between identity providers and relying parties across organizational boundaries.

Identity in Distributed and Federated Systems

Large-scale digital services require identity to be portable and interoperable across organizational and technical boundaries. Federated identity systems allow a user authenticated by one identity provider to access resources managed by a different organization's service provider, using token-based protocols that convey verified claims without transmitting raw credentials. Single sign-on (SSO) implementations built on protocols such as OAuth 2.0 and OpenID Connect realize this pattern for web and mobile applications. Decentralized identity approaches, including W3C Decentralized Identifiers (DIDs) and Verifiable Credentials, extend the model further by enabling users to present cryptographically signed identity claims directly from their own controlled wallets without routing through a central identity broker. The W3C Decentralized Identifiers specification defines a URI-based identifier scheme whose resolution is anchored to distributed ledgers or peer-to-peer infrastructure, reducing dependence on any single authority.

Applications

Identity has applications in a range of fields, including:

  • User authentication and access control in enterprise and cloud systems
  • Government digital services and electronic identity cards
  • Financial fraud prevention and know-your-customer compliance
  • Internet of Things device identity and certificate management
  • Healthcare patient identity matching and record deduplication