Software Engineer

I am a Software Engineer. I have a Bachelor (Honours) of Science in Information Technology from the University of Sunderland - Class of 2003. I have been developing software since 2001 when I was offered a role at CERN as part of their Technical Student Programme.

By 2016 I had grown really tired of the software industry and by the end of 2019 Apple killed whatever excitement I had left. I am not sure what the next 10 years will bring. What I do know is that my apettite to do work that is impactful has only grown bigger and stronger. Great people make me tick more than anything.

I am also tired.

A post about user identity that is thought provoking on user authorisation and security, or just utter bullshit

User identity

Disclaimer: I am no security expert.

Use case

Provide a way for a user to identify himself before remotely accessing a multi-user software that requires to associate the user with her data.

Introduction

There are two forms of user identification.

  1. Non authorised by the user
  2. Authorised by the user

Definitions

Non authorised identification is a user saying who he is.
Authorised identification is a user saying who he is and trusting her.

For brevity, non authorised identification will be known simply as identification.

In essence, an authorised identification is a two stage identification. In the first stage the user provides an alias that is known of, usually in the form of a username. In the second stage the user provides proof to his claim, usually in the form of a password.

Imagine sitting behind a large door. A user comes and knocks.

  • “Who is this?”
  • “This is John” <- Identification
  • “Prove it!”
  • “Here is my passport” <- Authorised

Identity

The identity of the user is her email. An email is required both for identifying it to its owner and for verifying a new residence. An identity can have many residences.

Residence

Each identity is paired with a residence. A residence vouches for the user identity. Should the residence be removed, the identity can no longer be vouched for.

Characteristics of a residence

A residence has an identifier which needs to adhere to the following principles.

  1. Private.
    The identifier of a residence is private even to its owner.

  2. Unique.
    A residence identifier needs to be unique from a pool of residences.

  3. Secure.
    The identifier needs to be securely stored.

Creating a new residence.

Assuming the owner of the identity wants to create a new residence from which she can access the software.

The user requests for the new residence to be added. Subsequently, verifies the new residence via email. The new residence can now vouch for the user’s identity.

Delete a residence

The owner should be able to remove a residence. If a residence is deleted, the identity is also permanently removed as a residence.

Mockups

Some mockups as to how it looks in practice.

Inspired by

  1. Yahoo! & Sprint Displayed Passwords at Scale. What Happened?
  2. Sign On
  3. Persona