What is digital identity?

Digital identity is the way a computer stores a record of an external person or system. It is closely related to authentication.

Learning Objectives

After reading this article you will be able to:

  • Define identity in a computing context
  • Understand the three main authentication factors for verifying identity
  • Describe identity and access management (IAM)

What is digital identity?

In access management, digital identity is the recorded set of measurable characteristics by which a computer can identify an external entity. That entity may be a person, an organization, a software program, or another computer.

Digital identity relies on computer-identifiable attributes. For example, a computer may be able to identify a person because they know a password, or their voice resonates at certain frequencies. A computer could also identify another computer by its IP address or media access control (MAC) address.

Two coworkers, Jim and Sharon, may be able to recognize each other by sight. But a computer does not know who "Jim" is or who "Sharon" is. Instead, it stores a separate user profile for each of them, which includes a name, a set of facts about their identity, and a set of privileges. It then has to check who they are by some measurable method, such as whether or not they enter the correct password. (Potentially, Jim could impersonate Sharon if he knows her username and her password.)

Note that the term "digital identity" can also refer to a computerized equivalent of government-issued personal identification — sometimes these are called "digital IDs." But this article focuses on digital identity within the context of access management systems.

Who possesses a digital identity?

Almost every person who uses computers or accesses the Internet today has some form of digital identity. That may be an email address and password combination, their history of Internet browsing, their shopping history and credit card information saved by an online store, or identifying characteristics stored in an identity and access management (IAM) system.

Computers and computing devices have a form of identity as well. Networking systems and protocols use several different methods to identify these devices; for instance, many systems use IP addresses or MAC addresses for this purpose. Organizations also have stored characteristics that allow external systems to recognize and interact with them. Even API endpoints* can be said to have digital identities. With a properly secured API, endpoints need to prove who they are in order to make and receive API requests.

*An API is a way for one software program to request services from another. An API endpoint is the point where such a request starts from or is received, like a software program or an API server.

How does identity relate to access control?

Access control defines which data a user can view, change, or copy. As an accountant, Sharon may have access to her company's books and payroll system. But as a salesperson, Jim only needs to access the customer database and a few other systems, and should not have access to the books or payroll system. Their employer uses access control to 1) identify Sharon and Jim, and 2) make sure Sharon can access the payroll system, and Jim cannot.

As seen in the example, identity is part of what determines access. In this case, Sharon's and Jim's identities are associated with specific roles as well. Access cannot be properly controlled without knowing who the person is and what their role is. Therefore, authentication is an important part of access control.

What is authentication?

Authentication is the process of verifying identity. Access control systems check one or more characteristics of users or devices in order to authenticate them.

There are three main characteristics or "factors" that authentication can assess:

  1. Knowledge: This authentication factor is something the user knows: for example, entering a password or answering a security question (e.g. "What is your mother's maiden name?"). Some services, such as banks and credit bureaus, may also prompt their customers to provide additional personal information, like their mailing address or government identification number, to verify their identity.
  2. Possession: This authentication factor is something the user has — in other words, it involves checking if the user possesses an assigned physical or digital token. For instance, a system may send a verification code to a user's smartphone to check that they possess the phone, or it may ask the user to plug a hardware token into their USB port.
  3. Inherent qualities: This authentication factor is something the user is; it checks qualities that are natural to the user. Examples include retina scans, facial recognition, and voice recognition.

Often, several of these factors will be assessed together, as in multi-factor authentication (MFA).

Authentication vs. authorization

Authentication differs from authorization, which relates to what permissions each person has. However, both depend at least partially on digital identity. Who a person is typically helps determine what they are allowed to do. The CEO of a company is likely authorized to access more data than a lower-level employee, for example. Learn more about authorization and authentication.
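The Sharon and Jim scenario can be written out as code. The following is an added example, not code from the original article: it stores a profile per user, authenticates with a knowledge factor (password) plus a possession factor (a time-based one-time code standing in for the verification code sent to a phone), and only then authorizes by role. The role names, resource names, PBKDF2 iteration count, and helper names are assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

# Constructed role-to-system map for the article's Sharon/Jim scenario.
ROLE_ACCESS = {"accountant": {"books", "payroll"}, "sales": {"customer_db"}}

def hash_password(password, salt):
    # Store a slow salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 one-time code (HMAC-SHA1) for the time window containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def make_profile(role, password):
    """The stored digital identity: a role plus verifier data for two factors."""
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": os.urandom(20)}  # secret provisioned to the user's token

def authenticate(profile, password, code, now):
    """Authentication: is the caller who they claim to be?"""
    knows = hmac.compare_digest(hash_password(password, profile["salt"]),
                                profile["pw_hash"])           # knowledge factor
    has = hmac.compare_digest(code.encode(),
                              totp(profile["totp_secret"], now).encode())  # possession
    return knows and has

def authorize(profile, resource):
    """Authorization: may this verified identity use the resource?"""
    return resource in ROLE_ACCESS.get(profile["role"], set())

def request_access(directory, username, password, code, resource, now=None):
    now = time.time() if now is None else now
    profile = directory.get(username)
    if profile is None or not authenticate(profile, password, code, now):
        return "denied: authentication failed"
    if not authorize(profile, resource):
        return "denied: not authorized"
    return "granted"
```

Knowing Sharon's username and password is not enough here, because the one-time code depends on a secret held only by her token; and a correctly authenticated Jim is still refused the payroll system, because his role does not include it.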

How does a user's digital identity affect their privacy?

Digital identity often relies on storing and verifying a user's personal information, for example their email address, a record of their face (as in facial recognition), or facts about their life (answers to security questions). This can become a data privacy issue if the personal data is leaked, if unauthorized persons view the data, or if the user is not aware of how their personal data is used.

What is identity and access management (IAM)?

Identity and access management (IAM) includes a number of technologies that work together to manage and track digital identities, along with the privileges associated with each identity. Digital identity is foundational for IAM; without some way to know who a user is, an organization cannot assign and restrict their privileges.

IAM is extremely important for preventing data loss, cyber attacks, and other threats. Strong authentication helps ensure that attackers cannot impersonate a legitimate user. Properly configured authorization limits the potential damage if a user account is in fact compromised, because the attacker will still only have access to some data, not every system in the organization.

Cloudflare Zero Trust is a security platform that enables organizations to take an identity-aware, Zero Trust approach to prevent threats. It integrates with various single sign-on (SSO) solutions in order to verify user identity before granting access to applications. Learn more about Cloudflare Zero Trust.