For account-based identity, you need to be sure of the identity of the account holder (the user ID and password for your Facebook account, your company network, etc.). For token-based identity, you need a certified claim about an attribute of that identity (a certified claim about your age, for example), issued by someone the relying party trusts.
In other words, while account-based identity focuses on linking a person in possession of authentication factors to a trove of information, token-based identity is focused on claims about the subject's attributes. More succinctly: account-based identity focuses on who you are, whereas token-based identity is focused on what you are.
One of my favorite scenarios for exploring this is meeting a friend for lunch. You arrive at the restaurant on time and she’s nowhere to be found. You go to the hostess to inquire about the reservation. She tells you that your reservation is correct, and your friend is already there. She escorts you to the table where you greet your friend. You are seated and the hostess leaves you with a menu. Within a few moments, the waitress arrives to take your order. You ask a few questions about different dishes. You both settle on your order and the waitress leaves to communicate with the kitchen. You happily settle in to chat with your friend, while your food is being prepared. Later you might get a refill on a drink, order dessert, and eventually pay.
While you, your friend, the host, and waitstaff recognized, remembered, and interacted with people, places, and things countless times during this scenario, at no time were you required to be identified as a particular person. Even paying with a credit card doesn’t require that. Credit cards are a token-based identity system that says something about you rather than who you are. And while you do have an account with your bank, the brilliance of the credit card is that you no longer have to have accounts with every place you want credit. You simply present a token that gives the merchant confidence that they will be paid. Here are a few of the “whats” in this scenario:
- My friend
- The person sitting at Table 3
- Over 21
- Guest who ordered the medium-rare steak
- Someone who needs a refill
- Excellent tipper
- Person who owes $179.35
- Person in possession of a MasterCard
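To make the "certified claim about an attribute" concrete, here is an added example (mine, not code from the original post) of the "Over 21" item above: an issuer certifies an attribute, and the restaurant verifies the certification without ever learning a name. The issuer name, key, and the HMAC construction are assumptions made for illustration; a real deployment would use an asymmetric signature so the verifier holds only the issuer's public key rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example. Assumption: the verifier shares this secret
# with the issuer (HMAC). A real issuer would sign with a private key instead.
ISSUER_KEY = b"example-issuer-secret"
ISSUER_NAME = "example-issuer"  # hypothetical issuer identifier


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, the usual encoding for such tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_claim_token(claims: dict, issuer_key: bytes, now: int, ttl: int = 600) -> str:
    """The issuer certifies attributes ("what") about a subject.

    The payload deliberately carries no name or account identifier:
    the token says the holder is over 21, not who the holder is.
    """
    payload = {"iss": ISSUER_NAME, "iat": now, "exp": now + ttl, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(issuer_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_claim_token(token: str, issuer_key: bytes, now: int, required: dict) -> Optional[dict]:
    """The relying party (the restaurant) checks the certification, not the identity.

    Returns the certified claims when the tag is valid, the token is unexpired,
    and every required attribute matches; otherwise None. No lookup of
    the subject in any account database is needed.
    """
    try:
        body, tag = token.split(".")
        expected = hmac.new(issuer_key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the tag check leaks no timing information.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON, or missing separator
        return None
    if payload.get("iss") != ISSUER_NAME or payload.get("exp", 0) <= now:
        return None
    claims = payload.get("claims", {})
    for key, value in required.items():
        if claims.get(key) != value:
            return None
    return claims


def demo() -> Optional[dict]:
    """Issue an age token and let the restaurant verify it."""
    now = int(time.time())
    token = issue_claim_token({"over_21": True}, ISSUER_KEY, now=now)
    return verify_claim_token(token, ISSUER_KEY, now=now + 1, required={"over_21": True})


if __name__ == "__main__":
    print(demo())
```

The verifier learns exactly one thing, that a trusted issuer vouches for the attribute, and nothing about the holder's name, birth date, or account. A tampered body, a token that has expired, or a claim that does not meet the requirement is rejected without the restaurant ever holding an account for the guest.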
You don’t need an account at the restaurant for any of this to work. But you do need relationships. Some, like the relationship with your friend and MasterCard, are long-lived and identified. Most are ephemeral and pseudonymous. While the server at the restaurant certainly “identifies” patrons, they usually forget them as soon as the transaction is complete. And the identification is usually pseudonymous (e.g. “the couple at table four” rather than “Phillip and Lynne Windley”).
In the digital realm, we suffer from the problem of not being in proximity to those we’re interacting with. As a result, we need a technical means to establish a relationship. Traditionally, we’ve done that with accounts and identifying, using authentication factors, who is connecting. As a result, all online relationships tend to be long-lived and identified in important ways, even when they don’t need to be. This has been a boon to surveillance capitalism.
Account- and token-based identity are not mutually exclusive. In fact, token-based identity often has its roots in an account somewhere, as we discovered about MasterCard. But the key is that you’re leveraging that account to avoid being in an administrative relationship in other places. To see that, consider the interactions that happen after an automobile accident