Not just a number
There are new horizons for identity and access management.
In the late 1960s, individualism and the loss of identity formed the theme for an iconic British TV series called The Prisoner. In most of the 17 episodes, the opening sequence included the dialogue: “You are Number Six,” to which the central character replies: “I am not a number. I am a free man!”
What really is dumb is using something as hopelessly identity-irrelevant as passwords.Mark Eardley is channel manager at SuperVision Biometric Systems.
At about the same time, the Californian band, Jefferson Airplane, released White Rabbit , a song that became similarly iconic about what happens when “logic and proportion have fallen sloppy dead” and the world of identity has been turned on its hallucinating head.
From a different century perhaps, but relevant messages nonetheless.
In terms of corporate IT identities today, I suppose people would all like to think that they are more than just a PIN, a password, or - even worse - a plastic 'smart card'. I'd certainly like to think some value has been derived from the individualistic 60s, and that people have a stronger insistence to be recognised as individuals with distinct identities.
And yet most identity management or identity and access management (IAM) solutions can only recognise people from their PINs, passwords or cards. In itself, that's fairly insulting - the solutions see people as nothing more than inanimate bits of code.
Whether or not this simplistic reduction of identity bothers me personally is not the point. What does bother me is the fact that identity is treated with such little respect, that it is afforded such little significance. And this widespread, dismissive approach is certainly relevant because it undermines any IT system that purports to manage identity.
I have always been offended when I hear the tired old adage that people are always the weakest link in IT security, that so-called 'dumb users' are always the fly in the magic ointment designed to protect corporate systems. Not only are people treated as code, it seems people are also widely regarded as being stupid.
Dumb users or dumb systems?
The fact is people are not stupid. And they do not respond well to the imposition of security measures that create obstacles to doing their jobs, and that strike them as doing almost nothing to protect their inevitably IT-based work and the IT-dependent organisations for which they do it.
Ask most users and they will say that managing their passwords and PINs comes high on their IT drag-list. Press a little harder and they will probably admit to sharing them, writing them down or storing them in some digital format.
That's hardly surprising. I know of a senior executive at a merchant bank who had 17 separate work-related passwords. The discovered fact that he was storing the latest, updated version of each one in a spread-sheet almost cost him his job. Dumb user? I think not...
What really is dumb is using something as hopelessly identity-irrelevant as passwords to control the access and activities of someone who has the authorisations of such an able, respected and trusted senior employee.
Perhaps if people were to treat user identity with the dignity it deserves, they could begin to leverage all the benefits associated with highly sophisticated IAM solutions. But in order to do this, I suggest that people have to reconsider the ways in which they authenticate users' identities.
Accurate identity authentication surely has to be the foundation for accurate identity management. If users can't be positively identified, then what hope do people have for managing their access and activities?
Of course, as an advocate of biometrics, I'm bound to say that the technology doesn't just offer the potential to dramatically increase levels of accuracy in user authentication. I'm also convinced their whole objective is to recognise people - not code -- allowing systems to respond to us accordingly as individuals.
Far from seeing the use of my biometric self as some Orwellian, Big Brother intrusion into the sanctity of my identity - which most people have anyway handed over to a more or less gimmicky variation on the dumber-than-dumb concept of a passcode - I consider it to be an accurate, respectful recognition of who I am and the access privileges and trust that I have earned.
As to those naysayers who seek to undermine the integrity and competency of modern biometrics, I suggest they reflect a little more deeply on the glaringly absurd inadequacies of cards, PINs and passwords - all of which are routinely forgotten, lost, shared and stolen.
Instead of regurgitating a lot of heavily-chewed myths about why biometrics are so flawed, isn't it perhaps time to talk to some of the local vendors that are running biometric-based systems that safely, securely and accurately control physical access for millions, yes millions, of people at thousands of South African companies?
Because these local biometric vendors have created in SA one of the world's largest and most diverse markets for a form of authentication that recognises people for what they are - people.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africaâs oldest biometric specialist.