Digital identity is the way a computer stores a record of an external person or system. It is closely related to authentication.
In access management, digital identity is the recorded set of measurable characteristics by which a computer can identify an external entity. That entity may be a person, an organization, a software program, or another computer.
Digital identity relies on computer-identifiable attributes. For example, a computer may be able to identify a person because they know a password, or their voice resonates at certain frequencies. A computer could also identify another computer by its IP address or media access control (MAC) address.
Two coworkers, Jim and Sharon, may be able to recognize each other by sight. But a computer does not know who "Jim" is or who "Sharon" is. A computer instead stores a separate user profile for Jim and Sharon, which includes a name, a set of facts about their identity, and a set of privileges. And it has to check who they are by some measurable method, such as whether or not they enter the correct password. (Potentially, Jim could impersonate Sharon if he knows her username and her password.)
Note that the term "digital identity" can also refer to a computerized equivalent of government-issued personal identification — sometimes these are called "digital IDs." But this article focuses on digital identity within the context of access management systems.
Almost every person who uses computers or accesses the Internet today has some form of digital identity. That may be an email address and password combination, their history of Internet browsing, their shopping history and credit card information saved by an online store, or identifying characteristics stored in an identity and access management (IAM) system.
Computers and computing devices have a form of identity as well. Networking systems and protocols use several different methods to identify these devices; for instance, many systems use IP addresses or MAC addresses for this purpose. Organizations also have stored characteristics that allow external systems to recognize and interact with them. Even API endpoints* can be said to have digital identities. With a properly secured API, endpoints need to prove who they are in order to make and receive API requests.
*An API is a way for one software program to request services from another. An API endpoint is the point where such a request starts from or is received, like a software program or an API server.
Access control defines which data a user can view, change, or copy. As an accountant, Sharon may have access to her company's books and payroll system. But as a salesperson, Jim only needs to access the customer database and a few other systems, and should not have access to the books or payroll system. Their employer uses access control to 1) identify Sharon and Jim, and 2) make sure Sharon can access the payroll system, and Jim cannot.
As seen in the example, identity is part of what determines access. In this case, Sharon's and Jim's identities are associated with specific roles as well. Access cannot be properly controlled without knowing who the person is and what their role is. Therefore, authentication is an important part of access control.
Authentication is the process of verifying identity. Access control systems check one or more characteristics of users or devices in order to authenticate them.
There are three main characteristics or "factors" that authentication can assess:
Often, several of these factors will be assessed together, as in multi-factor authentication (MFA).
Authentication differs from authorization, which relates to what permissions each person has. However, both depend at least partially on digital identity. Who a person is typically helps determine what they are allowed to do. The CEO of a company is likely authorized to access more data than a lower-level employee, for example. Learn more about authorization and authentication.
Digital identity often relies on storing and verifying personal information — for example, their email address, a record of their face (as in facial recognition), or facts about their life (answers to security questions). This can become a data privacy issue if the personal data is leaked, if unauthorized persons view the data, or if the user is not aware of how their personal data is used.
Identity and access management (IAM) includes a number of technologies that work together to manage and track digital identities, along with the privileges associated with each identity. Digital identity is foundational for IAM; without some way to know who a user is, an organization cannot assign and restrict their privileges.
IAM is extremely important for preventing data loss, cyber attacks, and other threats. Strong authentication helps ensure that attackers cannot impersonate a legitimate user. Properly configured authorization limits the potential damage if a user account is in fact compromised, because the attacker will still only have access to some data, not every system in the organization.
Cloudflare for Teams is an IAM platform that uses a Zero Trust approach to prevent threats, whether they come from inside or outside of the organization. It integrates with various single sign-on (SSO) solutions in order to verify user identity. Learn more about Cloudflare for Teams.