Glossary
2-Factor Authentication
Requires two forms of identification in order to access a system, e.g. a PIN and a smart card. There are three kinds of identification "factor" generally in use today:
1. Something you know: a password, PIN, etc.
2. Something you have: a credit card, smart card, hardware token, etc.
3. Something you are: biometric information; eg: fingerprint, retina scan, etc.
Most systems require at least two of the above factors to identify an individual; two credentials of the same kind (e.g. a password and a PIN) do not count as two factors. More generally, n-factor authentication requires an increasing number of factors to be presented in order to identify a person beyond reasonable doubt.
Claims
A claim is an assertion of the truth of something. Several claims can be made as a set. For example, someone may claim that their last name is “Smith”, their first name is “John” and that their date of birth is “June 17th 1965”. These claims can be corroborated by a trusted third party to provide some level of assurance as to the accuracy of a claim.
Digital Identity
A digital identity is a set of characteristics (or “claims”) by which a person or thing is recognizable or distinguished in the digital realm. Digital identity allows us to address an individual or thing without confusing it for someone/something else.
Identity Metasystem
From http://www.identityblog.com/stories/2005/07/05/IdentityMetasystem.htm, the Identity Metasystem is an interoperable architecture for digital identity that assumes people will have several digital identities based on multiple underlying technologies, implementations, and providers. Using this approach, not only will individuals be put in control of their identity, but organizations will be able to continue to use their existing identity infrastructure investments, choose the identity technology that works best for them, and more easily migrate from old technologies to new technologies without sacrificing interoperability with others.
Identity Provider
An organization that acts as a trusted provider of identity information through a Security Token Service (STS).
Identity Selector
Windows CardSpace is an example of an identity selector for the Windows platform. It helps the user select an appropriate identity to send to a web site or web service. CardSpace achieves this by presenting the user's identities as a set of information cards.
Identity Theft
Identity theft is the appropriation of another person's personal information (e.g., name, Social Security number, credit card number, or passport) without that person's knowledge. Identity theft manifests itself in many different forms in both the physical world and online. Frequently, online identity theft comes in the form of “phishing.”
InfoCard
The codename for Windows CardSpace before Marketing could decide what to call it (rarely used now). Also information cards are sometimes abbreviated as info cards to save typing.
Information Cards
Information Cards are the actual cards that you can create, import and export from the Windows CardSpace system and other identity selectors like DigitalMe. They're essentially signed blobs of XML metadata.
Laws of Identity
From http://www.identityblog.com/stories/2005/07/25/thelaws.html...
1. User Control and Consent:
Technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal Disclosure for a Constrained Use:
The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution. In practice, only the information necessary to identify a party for a given task or scenario should be released, and it should not be cached or stored beyond that use.
3. Justifiable parties:
Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship
4. Directed Identity:
A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles
5. Pluralism of Operators and Technologies:
A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers
6. Human Integration:
The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks
7. Consistent Experience Across Contexts:
The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies
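Law 4 is the one that is easiest to get wrong in an implementation, so here is an added worked example (not code from the page or from CardSpace) of the difference between an omni-directional identifier and a unidirectional one. The unidirectional identifier is a keyed hash of the relying party's identity under a secret held by the user's card, so it is stable at one site but cannot be joined across sites. The card secret, the relying-party names and the `demo()` checks are constructed for the example; using the site's certificate subject as the relying-party string is an assumption, not the exact CardSpace derivation.

```python
import hashlib
import hmac
import secrets


def omnidirectional_identifier(public_entity: str) -> str:
    """Public entities (a bank, a government site) publish one well-known,
    stable identifier so that anyone can discover and address them. Being
    recognisable everywhere is the point, so this value may be correlated."""
    return public_entity.strip().lower()


def unidirectional_identifier(card_secret: bytes, relying_party: str) -> str:
    """Identifier a private individual presents to one relying party.
    It is stable for that party (same card, same site -> same value), but it is
    an HMAC over the party's identity keyed by the card secret, so two sites
    that pool their records cannot link the same person.
    Assumption: relying_party is a canonical string such as the subject of the
    site's TLS certificate."""
    rp = relying_party.strip().lower().encode()
    return hmac.new(card_secret, rp, hashlib.sha256).hexdigest()


def can_correlate(id_at_a: str, id_at_b: str) -> bool:
    """All two colluding relying parties can do with the identifiers they hold
    is join records whose values match."""
    return id_at_a == id_at_b


def demo() -> dict:
    # Constructed sample: two users' card secrets (in practice kept on the
    # user's own machine and never released).
    alice_card = secrets.token_bytes(32)
    bob_card = secrets.token_bytes(32)
    bank, shop = "CN=bank.example", "CN=shop.example"

    alice_at_bank = unidirectional_identifier(alice_card, bank)
    alice_at_shop = unidirectional_identifier(alice_card, shop)
    bob_at_bank = unidirectional_identifier(bob_card, bank)

    # A global handle (e.g. an e-mail address) used as an identifier at every
    # site is an omni-directional identifier handed to a private individual:
    # every relying party receives the same correlation handle.
    global_handle_at_bank = omnidirectional_identifier("John.Smith@example.com")
    global_handle_at_shop = omnidirectional_identifier("john.smith@example.com")

    return {
        "stable": alice_at_bank == unidirectional_identifier(alice_card, bank),
        "unlinkable": not can_correlate(alice_at_bank, alice_at_shop),
        "distinct_users": not can_correlate(alice_at_bank, bob_at_bank),
        "global_handle_leaks": can_correlate(global_handle_at_bank, global_handle_at_shop),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The identifier is only as unlinkable as the relying-party string is hard to spoof: if a site can present another site's identity, it obtains the other site's view of the user, which is why the derivation should be bound to something the relying party proves (its certificate) rather than to a name it merely claims.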
Phishing
Phishing schemes trick individual consumers into releasing banking and other identity-related information. They take advantage of consumers' inability to confirm the identity of the party they are dealing with (their bank, a credit card company, an online business, etc.). The classic example is an email that purports to come from the user's bank but actually comes from a phisher. When the user clicks on a link they are taken to a page on the phisher's website that looks exactly like their bank's website. When they enter a username and password, the phisher captures these and redirects the user to the real website so that the user is unaware of having been phished. The phisher can then log on using the stolen credentials and access the user's bank account.
Relying Party
The requester and eventual consumer of a token asserting claims about an individual, which it uses to identify that individual.
Security Token Service (STS)
A web service which is responsible for releasing cryptographically-signed tokens containing corroborated claims about an individual.
Subject
You, me and everyone else online about whom Identity Providers make claims.
Token
A token is a corroborated set of claims, cryptographically signed so that any tampering with its contents can be detected. The signer is an identity provider, typically a trusted third party such as a bank, credit card company or insurance company, but it can also be the user themselves (as with self-issued information cards). By signing, the identity provider asserts that the information contained in the token is accurate.
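The Claims, Security Token Service, Relying Party and Token entries above describe one exchange: a relying party requests some claims, the STS signs only those claims for that relying party, and the relying party verifies the signature before trusting anything in the token. The following is an added example of that exchange (not code from the page, from CardSpace or from any STS product). The subject's claims, the key and the party names are constructed for the example, and the signature is an HMAC over a canonical JSON encoding under a key assumed to be shared between the identity provider and the relying party; a production STS would sign with an asymmetric key and an X.509 certificate, which changes only the signing primitive, not the checks.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data: everything the identity provider knows about one
# subject, and the key it shares with the relying party (assumption).
SUBJECT_CLAIMS = {
    "given_name": "John",
    "family_name": "Smith",
    "birth_date": "1965-06-17",
    "account_number": "12345678",
}
IDP_KEY = b"demo-identity-provider-signing-key"


def _canonical(payload: dict) -> bytes:
    # Sorted keys and no whitespace so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(idp_key, issuer, audience, subject_claims, requested_claims, now=None, ttl=300):
    """STS side: release only the claims the relying party asked for (minimal
    disclosure), bound to that relying party (audience) and a validity window."""
    now = int(time.time()) if now is None else now
    unknown = set(requested_claims) - set(subject_claims)
    if unknown:
        raise ValueError(f"cannot corroborate claims: {sorted(unknown)}")
    payload = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "claims": {k: subject_claims[k] for k in sorted(requested_claims)},
    }
    signature = hmac.new(idp_key, _canonical(payload), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "sig": signature})


def verify_token(idp_key, token, expected_issuer, expected_audience, now=None):
    """Relying-party side: return the claims only if the token is genuine,
    addressed to this relying party and currently valid; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        envelope = json.loads(token)
        payload, sig = envelope["payload"], envelope["sig"]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(idp_key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # contents changed after signing
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None  # issued by or for some other party
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None  # outside the validity window
    return payload["claims"]


def tamper(token, claim, value):
    """Simulate an attacker editing a claim in transit without the signing key."""
    envelope = json.loads(token)
    envelope["payload"]["claims"][claim] = value
    return json.dumps(envelope)


def demo():
    now = 1_700_000_000
    idp, shop = "https://idp.example", "https://shop.example"
    token = issue_token(IDP_KEY, idp, shop, SUBJECT_CLAIMS, {"given_name", "family_name"}, now=now)
    accepted = verify_token(IDP_KEY, token, idp, shop, now=now)
    forged = verify_token(IDP_KEY, tamper(token, "family_name", "Mallory"), idp, shop, now=now)
    wrong_audience = verify_token(IDP_KEY, token, idp, "https://other.example", now=now)
    expired = verify_token(IDP_KEY, token, idp, shop, now=now + 301)
    return accepted, forged, wrong_audience, expired


if __name__ == "__main__":
    print(demo())
```

The audience check is what keeps a token presented to one relying party from being replayed at another, and the claim filter in `issue_token` is the minimal-disclosure law applied at the point where it is cheapest to enforce: the account number and date of birth never leave the identity provider because the shop did not ask for them.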