Open main menu

A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. ISO/IEC 24760-1 defines identity as "set of attributes related to an entity".[1]

The information contained in a digital identity allows for assessment and authentication of a user interacting with a business system on the web, without the involvement of human operators. Digital identities allow our access to computers and the services they provide to be automated, and make it possible for computers to mediate relationships.

The term "digital identity" also denotes certain aspects of civil and personal identity that have resulted from the widespread use of identity information to represent people in an acceptable trusted digital format in computer systems.

Digital identity is now often used in ways that require data about persons stored in computer systems to be linked to their civil, or national, identities. Furthermore, the use of digital identities are now so widespread that many discussions refer to "digital identity" as the entire collection of information generated by a person’s online activity. This includes usernames and passwords, online search activities, birth date, social security, and purchasing history.[2] Especially where that information is publicly available and not anonymized, and can be used by others to discover that person's civil identity. In this wider sense, a digital identity is a version, or facet, of a person's social identity. This may also be referred to as an online identity.[3]

The legal and social effects of digital identity are complex and challenging. However, they are simply a consequence of the increasing use of computers, and the need to provide computers with information that can be used to identify external agents.


A critical problem in cyberspace is knowing with whom one is interacting. Using static identifiers such as password and email there are no ways to precisely determine the identity of a person in digital space, because this information can be stolen or used by many individuals acting as one. Digital identity based on dynamic entity relationships captured from behavioral history across multiple websites and mobile apps can verify and authenticate an identity with up to 95 percent accuracy.

By comparing a set of entity relationships between a new event (e.g., login) and past events, a pattern of convergence can verify or authenticate the identity as legitimate where divergence indicates an attempt to mask an identity. Data used for digital identity is generally anonymized using a one-way hash, thereby avoiding privacy concerns. Because it is based on behavioral history, a digital identity is impossible to fake or steal.

Related termsEdit

Subject and entityEdit

A digital identity may also be referred to as a digital Subject or digital entity and is the digital representation of a set of claims made by one party about itself or another person, group, thing or concept.[4][5]

Attributes, preferences and traitsEdit

Every digital identity has zero or more identity attributes. Attributes are acquired and contain information about a subject, such as medical history, purchasing behaviour, bank balance, age and so on.[6] Preferences retain a subject's choices such as favourite brand of shoes, preferred currency. Traits are features of the subject that are inherent, such as eye colour, nationality, place of birth. While attributes of a subject can change easily, traits change slowly, if at all. Digital identity also has entity relationships derived from the devices, environment and locations from which an individual transacts on the web.

Technical aspectsEdit


Digital identities can be issued through digital certificates, which act the same way passports do in the physical world. They contain data which is associated with a user, and are issued with legal guarantees by a recognized certification authority (CA).

Trust, authentication and authorizationEdit

In order to assign a digital representation to an entity, the attributing party must trust that the claim of an attribute (such as name, location, role as an employee, or age) is correct and associated with the person or thing presenting the attribute (see Authentication below). Conversely, the individual claiming an attribute may only grant selective access to its information, e.g. (proving identity in a bar or PayPal authentication for payment at a web site). In this way, digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.


Authentication is a key aspect of trust-based identity attribution, providing a codified assurance of the identity of one entity to another. Authentication methodologies include the presentation of a unique object such as a bank credit card, the provision of confidential information such as a password or the answer to a pre-arranged question, the confirmation of ownership of an e-mail address, and more robust but relatively costly solutions utilizing encryption methodologies. In general, business-to-business authentication prioritises security while user to business authentication tends towards simplicity. Physical authentication techniques such as iris scanning, handprinting, and voiceprinting are currently being developed and in the hope of providing improved protection against identity theft. Those techniques fall into the area of Biometry (biometrics). A combination of static identifiers (username & passwords) along with personal unique attributes (biometrics), would allow for multi factor authentication. This process would yield more creditable authentication, which in nature is much more difficult to be cracked and manipulated.

Whilst technological progress in authentication continues to evolve, these systems do not prevent aliases from being used. The introduction of strong authentication[citation needed] for online payment transactions within the European Union now links a verified person to an account, where such person has been identified in accordance with statutory requirements prior to account being opened. Verifying a person opening an account online typically requires a form of device binding to the credentials being used. This verifies that the device that stands in for a person on the Web is actually the individuals device and not the device of someone simply claiming to be the individual. The concept of reliance authentication makes use of pre-existing accounts, to piggy back further services upon those accounts, providing that the original source is reliable. The concept of reliability comes from various anti-money laundering and counter-terrorism funding legislation in the USA,[7] EU28,[8] Australia,[9] Singapore and New Zealand[10] where second parties may place reliance on the customer due diligence process of the first party, where the first party is say a financial institution. An example of reliance authentication is PayPal's verification method.


Authorization is the determination of any entity that controls resources that the authenticated can access those resources. Authorization depends on authentication, because authorization requires that the critical attribute (i.e., the attribute that determines the authorizer's decision) must be verified. For example, authorization on a credit card gives access to the resources owned by Amazon, e.g., Amazon sends one a product. Authorization of an employee will provide that employee with access to network resources, such as printers, files, or software. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data.[citation needed]

Consider the person who rents a car and checks into a hotel with a credit card. The car rental and hotel company may request authentication that there is credit enough for an accident, or profligate spending on room service. Thus a card may later be refused when trying to purchase an activity such as a balloon trip. Though there is adequate credit to pay for the rental, the hotel, and the balloon trip, there is an insufficient amount to also cover the authorizations. The actual charges are authorized after leaving the hotel and returning the car, which may be too late for the balloon trip.

Valid online authorization requires analysis of information related to the digital event including device and environmental variables. These are generally derived from the hundreds of entities exchanged between a device and business server to support an event using standard Internet protocols.

Digital identifiersEdit

Digital identity fundamentally requires digital identifiers—strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.). Identifiers are the key used by the parties to an identification relationship to agree on the entity being represented. Identifiers may be classified as omnidirectional and unidirectional.[11] Omnidirectional identifiers are intended to be public and easily discoverable, while unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship.

Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or e-mail address, may be dereferenced into the entity they represent, or some current state data providing relevant attributes of that entity. Non-resolvable identifiers, such as a person's real-world name, or a subject or topic name, can be compared for equivalence but are not otherwise machine-understandable.

There are many different schemes and formats for digital identifiers. The most widely used is Uniform Resource Identifier (URI) and its internationalized version Internationalized Resource Identifier (IRI)—the standard for identifiers on the World Wide Web. OpenID and Light-Weight Identity (LID) are two web authentication protocols that use standard HTTP URIs (often called URLs), for example.

Digital Object ArchitectureEdit

Digital Object Architecture (DOA)[12] provides a means of managing digital information in a network environment. A digital object has a machine and platform independent structure that allows it to be identified, accessed and protected, as appropriate. A digital object may incorporate not only informational elements, i.e., a digitized version of a paper, movie or sound recording, but also the unique identifier of the digital object and other metadata about the digital object. The metadata may include restrictions on access to digital objects, notices of ownership, and identifiers for licensing agreements, if appropriate.

Handle SystemEdit

The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the internet. It includes an open set of protocols, a namespace, and a reference implementation of the protocols. The protocols enable a distributed computer system to store identifiers, known as handles, of arbitrary resources and resolve those handles into the information necessary to locate, access, contact, authenticate, or otherwise make use of the resources. This information can be changed as needed to reflect the current state of the identified resource without changing its identifier, thus allowing the name of the item to persist over changes of location and other related state information. The original version of the Handle System technology was developed with support from the Defense Advanced Research Projects Agency (DARPA).

Extensible Resource IdentifiersEdit

A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. OpenID also supports XRIs, and XRIs are the basis for i-names.

Risk-Based AuthenticationEdit

Risk-Based Authentication is an application of digital identity whereby multiple entity relationship from the device (e.g., operating system), environment (e.g., DNS Server) and data entered by a user for any given transaction is evaluated for correlation with events from known behaviors for the same identity. Analysis are performed based on quantifiable metrics, such as transaction velocity, locale settings (or attempts to obfuscate), and user-input data (such as ship-to address). Correlation and deviation are mapped to tolerances and scored, then aggregated across multiple entities to compute a transaction risk-score, which assess the risk posed to an organization.

Policy aspectsEdit

There are proponents of treating self-determination and freedom of expression of digital identity as a new human right.[citation needed] Some have speculated that digital identities could become a new form of legal entity.[13]

Taxonomies of identityEdit

Digital identity attributes—or data—exist within the context of ontologies.

The development of digital identity network solutions that can interoperate taxonomically-diverse representations of digital identity is a contemporary challenge. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date, primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single, unstructured layer. However, the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive.

Networked identityEdit

Identity relationships within a digital network may include multiple identity entities. However, in a decentralised network like the Internet, such extended identity relationships effectively require both (a) the existence of independent trust relationships between each pair of entities in the relationship and (b) a means of reliably integrating the paired relationships into larger relational units. And if identity relationships are to reach beyond the context of a single, federated ontology of identity (see Taxonomies of identity above), identity attributes must somehow be matched across diverse ontologies. The development of network approaches that can embody such integrated "compound" trust relationships is currently a topic of much debate in the blogosphere.

Integrated compound trust relationships allow, for example, entity A to accept an assertion or claim about entity B by entity C. C thus vouches for an aspect of B's identity to A.

A key feature of "compound" trust relationships is the possibility of selective disclosure from one entity to another of locally relevant information. As an illustration of the potential application of selective disclosure, let us suppose a certain Diana wished to book a hire car without disclosing irrelevant personal information (utilising a notional digital identity network that supports compound trust relationships). As an adult, UK resident with a current driving license, Diana might have the UK's Driver and Vehicle Licensing Agency vouch for her driving qualification, age and nationality to a car-rental company without having her name or contact details disclosed. Similarly, Diana's bank might assert just her banking details to the rental company. Selective disclosure allows for appropriate privacy of information within a network of identity relationships.

A classic form of networked digital identity based on international standards is the "White Pages".

An electronic white pages links various devices, like computers and telephones, to an individual or organization. Various attributes such as X.509v3 digital certificates for secure cryptographic communications are captured under a schema, and published in an LDAP or X.500 directory. Changes to the LDAP standard are managed by working groups in the IETF, and changes in X.500 are managed by the ISO. The ITU did significant analysis of gaps in digital identity interoperability via the FGidm, focus group on identity management.

Implementations of X.500[2005] and LDAPv3 have occurred worldwide but are primarily located in major data centers with administrative policy boundaries regarding sharing of personal information. Since combined X.500 [2005] and LDAPv3 directories can hold millions of unique objects for rapid access, it is expected to play a continued role for large scale secure identity access services. LDAPv3 can act as a lightweight standalone server, or in the original design as a TCP-IP based Lightweight Directory Access Protocol compatible with making queries to a X.500 mesh of servers which can run the native OSI protocol.

This will be done by scaling individual servers into larger groupings that represent defined "administrative domains", (such as the country level digital object) which can add value not present in the original "White Pages" that was used to look up phone numbers and email addresses, largely now available through non-authoritative search engines.

The ability to leverage and extend a networked digital identity is made more practicable by the expression of the level of trust associated with the given identity through a common Identity Assurance Framework.

Self-sovereign identityEdit

Self-Sovereign Identity is a digital identity that is under complete, ultimate control of its entity. No one except the entity of the identity or someone with its explicit permission can use it. No one can impersonate it, censor its actions or delete it.

"Self-sovereign identity is multi-source, but not all multi-source identity systems are self-sovereign. Self-sovereignty requires that people and organizations have control of their credentials and interact as peers."[14]

Ideologically Self-Sovereign Identity concept is based on the idea of Sovereign Source Authority.[15][16]

Technically Self-Sovereign Identity is made possible by the strong cryptography and trust-minimized secure append-only storage and timestamping technology (Distributed Ledger Technology - decentralized hosting done at many independent nodes), where the identifiers of the Self-Sovereign Identities stored and from where they are globally resolvable (discoverable).

Self-Sovereign identity is centered on an entity (human person when it is used by humans), free from dependence on any corporation, organization, or nation-state.[17]

Blockchain based Digital-Decentralized IdentityEdit

Today’s online ecosystem is full of imposters, scammers, and hackers using fake websites, profiles, and identities for various nefarious purposes. Not only does this make it hard to avoid these malicious actors, it becomes challenging to locate authentic websites, retailers, and other online entities with whom a person would want to interact. Blockchain technology provides an opportunity to revolutionize the ways in which we interact with our data and our digital identities, ensuring authenticity in immutable and verifiable ways. Projects such as Radium (RADS), Decred (DCR), and Civic (CVC) have all been developed to address these issues and more. For example, Radium Identities allow users to manage their own online presence in a way that creates a historical record of their activities secured in the blockchain in order to establish a pattern of trusted behavior. After creating an identity, a user can use that identity with all other Radium functions, including file signing and verification, decentralized elections and voting, data validation, signed messaging, IPFS encryption and data transport, service access, custom asset creation and manipulation, and smart contract execution. [18]

Security issues and privacyEdit

With automated face recognition, tagging, location tracking and widespread digital authentication systems many actions of a person become easily associated with identity,[19] as a cause, sometimes privacy is lost and security is subverted. An identity system that builds on confirmed pseudonyms can provide privacy and enhance security for digital services and transactions. Cyberspace creates opportunities for identity theft. Exact copies of everything sent over a digital communications channel can be recorded. Thus, cyberspace needs a system that allows individuals to verify their identities to others without revealing to them the digital representation of their identities.

With sharing content on social media and the internet becoming a social norm there are many preventive measures that users can take to protect themselves. Companies and databases collect information about us, even if we're simply browsing the internet or online shopping. Collecting all this data allows for them to customize what we see based on what we like. Derived through algorithms these third parties gather information to track us.[20] Regarding all of this information, many of it is stored on a cloud. Protecting one's personal information and digital identity is a gray area. As of right now laws regarding digital safety are very vague and lack validity.[21] In addition to the legal aspects, this ethically cross a line.[21] We are presented with the legal terms which are known as the terms and conditions, which are discussed more in depth in Privacy, however as users we do not always know what we are agreeing to. Companies capitalize on the fine print and gather more information about us than needed for that product to successfully work.[22] With data breaches and identity fraud occurring more and more, an example of a solution is to remove the idea of a whole identity from users. Instead of using very specific information to identify oneself online, use one thing to separate yourself from the rest of online users.[23]

Anonymous attribute systemsEdit

An anonymous attribute is one that retains its uniqueness, but is put through a one-way hash so that it is represented in a string of characters that have no innate meaning or value. The one-way hash is an algorithm of inordinate complexity that generates the character string so that it is indecipherable compared to the original. In this way, a social security number, can be retained for attribute comparison, but the values used for comparison, while unique, would in no way resemble the original social security number.

Legal issuesEdit

Clare Sullivan presents the grounds for digital identity as an emerging legal concept.[24] The UK's Identity Cards Act 2006 confirms Sullivan's argument and unfolds the new legal concept involving database identity and transaction identity. Database identity refers to the collection of data that is registered about an individual within the databases of the scheme and transaction identity is a set of information that defines the individual's identity for transactional purposes. Although there is reliance on the verification of identity, none of the processes used are entirely trustworthy. The consequences of digital identity abuse and fraud are potentially serious, since in possible implications the person is held legally responsible.[24]

Business aspectsEdit

Corporations have begun to recognize the Internet's potential to facilitate the tailoring of the online storefront to each individual customer. Purchase suggestions, personalised adverts and other tailored marketing strategies are a great success to businesses. Such tailoring however, depends on the ability to connect attributes and preferences to the identity of the visitor.[25]

Variance by jurisdictionEdit

While many facets of digital identity are universal owing in part to the ubiquity of the Internet, some regional variations exist due to specific laws, practices and government services that are in place. For example, Digital identity in Australia can utilize services that validate Driving licences, Passports and other physical documents online to help improve the quality of a digital identity, also strict Anti-money laundering policies mean that some services, such as money transfers need a stricter level of validation of digital identity.

See alsoEdit


  1. ^ "ISO/IEC 24760-1: A framework for identity management - Part 1: Terminology and concepts". ISO. 2011. Retrieved 2015-12-05.
  2. ^ "What is a Digital Identity? - Definition from Techopedia". Retrieved 2016-10-01.
  3. ^ Global, IndraStra. "Digital Identity – A Gateway to All Other Use Cases". IndraStra. ISSN 2381-3652.
  4. ^ "Digital Identity - Eclipsepedia".
  5. ^ Deh, Dragana; Glođović, Danica (2018-09-05). "The Construction of Identity in Digital Space". AM Journal of Art and Media Studies. 0 (16): 101. doi:10.25038/am.v0i16.257. ISSN 2406-1654.
  6. ^ Windley, Phillip J. (2005). Digital Identity. O'Reilly Media, Inc. pp. 8–9. ISBN 978-0596008789.
  7. ^
  8. ^ "EUR-Lex - 52013PC0045 - EN - EUR-Lex".
  9. ^ "Anti-Money Laundering and Counter-Terrorism Financing Act 2006".
  10. ^ Affairs, The Department of Internal. "AML/CFT Act and Regulations".
  11. ^ Cameron, Kim (May 2005). "The Laws of Identity". Microsoft.
  12. ^ Kahn, Robert; Wilensky, Robert (May 13, 1995). "A Framework for Distributed Digital Object Services". Corporation for National Research Initiatives.
  13. ^ Sullivan, Clare (2012). "Digital Identity and Mistake". International Journal of Law and Technology.
  14. ^ Windley, Phil. "Multi-Source and Self-Sovereign Identity". Retrieved 2019-09-11.
  15. ^ "What is "Sovereign Source Authority"?". Retrieved 2019-03-05.
  16. ^ Smolenski, Natalie (2016-09-19). "Identity and Digital Self-Sovereignty". Learning Machine. Retrieved 2019-03-05.
  17. ^ RWOT5 in Boston, Massachusetts (October 2017). Contribute to WebOfTrustInfo/rwot5-boston development by creating an account on GitHub, Web of Trust Info, 2019-01-10, retrieved 2019-03-05
  18. ^ Jacobeen, Justin (19 March 2019). "Radium Core: An Identity Management and Information Validity System" (PDF).
  19. ^ Camp, L. Jean (2004). "Digital Identity". IEEE Technology and Society Magazine. IEEE.(subscription required)
  20. ^ Beck, Estee N. (2015). "The Invisible Digital Identity: Assemblages in Digital Networks". Computers and Composition. 35: 125–140. doi:10.1016/j.compcom.2015.01.005. ISSN 8755-4615.
  21. ^ a b Sullivan, Clare (2013). "Digital identity, privacy and the right to identity in the United States of America". Computer Law & Security Review. 29 (4): 348–358. doi:10.1016/j.clsr.2013.05.011. ISSN 0267-3649.
  22. ^ Holt, Jennifer; Malčić, Steven (2015). "The Privacy Ecosystem: Regulating Digital Identity in the United States and European Union". Journal of Information Policy. 5: 155–178. doi:10.5325/jinfopoli.5.2015.0155. JSTOR 10.5325/jinfopoli.5.2015.0155.
  23. ^ Michael, Salmony (March 2018). "Rethinking digital identity". Retrieved 2018-11-08.
  24. ^ a b Sullivan, Clare (2010). Digital Identity. The University of Adelaide. doi:10.1017/UPO9780980723007. ISBN 978-0-9807230-0-7.
  25. ^ Ableson, Hal; Lessig, Lawrence (10 September 1998). "Digital Identity in Cyberspace".