No Room for Authentication?

I recently picked up this piece from Evan Williams of Blogger and Twitter fame. Williams takes a different approach from the traditionally perceived access management flow, where authentication establishes who you are and authorisation establishes what you are allowed to access. In the blog, Williams assigns the ‘permission’ aspect directly to authentication and asserts representation as the way in which you establish self.

I’m not sure I really want to take on the thinking of a very successful entrepreneur, but I’m not sure I agree completely with his analysis, simply because it is stateless and does not take into account the transaction part of an identity exchange. Williams merely describes a set of data that can be held about our identity and does not really enter into the workflow of how that data is used.

Let’s start with his first assertion – authentication as something that asserts that I have permission to do something. I don’t agree with this. Merely having a set of authentication credentials does not give me permission to do or achieve anything – as the SAML / federated access world proves. An authentication credential merely asserts that I hold a certain key and that I have proved, to a greater or lesser extent, that I am allowed to assert that key as belonging to me. Looking at one of the examples that Williams gives – a State ID – breaks it down further. A State ID does not give me permission to drink – it does not make that assertion or state that permission set at all. It merely states my age. It is only when a transaction happens, i.e. when I show the barman my ID and he is happy to accept that this authoritatively stated date of birth means I can drink in the jurisdiction I am in, that permission to drink is established. That is not part of the authentication (i.e. the barman being happy that this ID belongs to me) but most certainly a separate function. That separate function is accurately named authorisation.
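The State ID exchange above, as an added illustration that is not part of the original post: the issuer signs a set of facts, authentication checks only that the credential is genuine and belongs to the presenter, and a separate authorisation step applies the jurisdiction's policy at transaction time. The issuer key, the per-jurisdiction age table and the name-match stand-in for the barman's photo check are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed stand-in for the issuing state's signing key (assumption, not a real key).
ISSUER_KEY = b"constructed-state-issuer-key"

def _sign(claims: dict) -> str:
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

def issue_state_id(claims: dict) -> dict:
    """The issuer signs a set of attributes. The holder carries facts (name, DOB), not permissions."""
    return {"claims": dict(claims), "sig": _sign(claims)}

def authenticate(credential: dict, presenter: str) -> Optional[dict]:
    """Authentication only: is the credential genuine, and does it belong to the presenter?
    Returns the verified claims or None. It says nothing about what the holder may do.
    Binding to the presenter is simplified to a name match (the barman's photo check)."""
    if not hmac.compare_digest(_sign(credential["claims"]), credential["sig"]):
        return None  # forged or altered credential
    if credential["claims"].get("name") != presenter:
        return None  # genuine credential, but not this presenter's
    return credential["claims"]

# Constructed relying-party policy: minimum drinking age per jurisdiction (assumption).
DRINKING_AGE = {"GB": 18, "US-NY": 21}

def age_on(dob: str, today: date) -> int:
    y, m, d = (int(part) for part in dob.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))

def authorise_drink(claims: dict, jurisdiction: str, today: date) -> bool:
    """Authorisation: a separate decision taken at transaction time, combining the
    verified DOB with the policy of the jurisdiction the transaction happens in."""
    minimum = DRINKING_AGE.get(jurisdiction)
    return minimum is not None and age_on(claims["dob"], today) >= minimum

def serve(credential: dict, presenter: str, jurisdiction: str, today: str) -> str:
    """The whole transaction: the same verified identity yields different outcomes
    depending on where it is presented, because permission lives in authorisation."""
    claims = authenticate(credential, presenter)
    if claims is None:
        return "refused: authentication failed"
    if not authorise_drink(claims, jurisdiction, date.fromisoformat(today)):
        return "refused: not authorised in " + jurisdiction
    return "served"
```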

I think that Williams’s focus on representation is important and necessary – it can highlight the fact that we choose to present part of our identity profile in different environments, and this is how we are then represented in that space. I’m not sure that this answers the question ‘who am I’ as Williams defines it, though. It defines how I would like to be portrayed in this environment. So on LinkedIn I may wish to expose my work phone number as part of my identity profile, but on Facebook I would not. I also think you have to be careful about what is a representation of me – i.e. a factual piece of information like DOB, phone number, address etc. – and what are my personal preferences – what I like to wear, eat etc. Williams muddles these slightly between representation and the personalisation that comes further on.

As you can probably guess, I’m not sure I agree with communication as a separate piece of identity in this space. Surely communication is just another part of representation – it is how you reach me in this context?

Personalisation and reputation I agree are important parts of the identity puzzle and definitely go beyond the representation space. They are also among the trickiest areas to get right – reputation outstripping personalisation in complexity 🙂

So overall an interesting piece and one that helped me think about how I’m currently perceiving the identity puzzle, although I’m not sure I agree with its proposals. The absence of authorisation puzzles me – how does Twitter then explain the ways in which I can establish authorisation barriers in my Twitter account, such as restricting DMs, retweets, publication etc.? These aren’t part of the authentication profile, as I can use Twitter regardless of all of these functions. I think the transactional nature of identity has to be in this piece somewhere, and I think authorisation is still the right place to be looking.