Towards a Behavioural Identity Framework

WLPC Welcomer uses behaviour to identify people. Identity is established by comparing a person's past behaviour when visiting websites with their current behaviour.

People are known by their email address. Their behaviour is recorded through the devices they use to communicate with websites. Devices have ids that the person defines.

Each website and each person can control what behaviour is accepted as proof of identity.

Identification from Behaviour (2)

The encryption key used for the device ID is derived from the characteristics of the device. The weighting applied to those characteristics is unique to each website and is known only to that website.
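The following is an added example, not code from WLPC Welcomer, showing one way the per-website device key described above can be derived. It assumes the "calculation" is an HMAC over a canonical encoding of the characteristics, keyed with a secret the website never shares, and that the website's private weighting is a mapping from characteristic name to weight (weight 0 meaning "ignore"). The device characteristics are constructed sample values. The point it demonstrates is the property the text relies on: the same device yields a different identifier at every website, and a website that ignores a volatile characteristic (such as the browser version string) keeps recognising the device after it changes, while a website that weights it does not.

```python
import hashlib
import hmac
import json

# Constructed sample characteristics; not taken from any real device.
DEVICE_CHARACTERISTICS = {
    "platform": "Linux x86_64",
    "screen": "1920x1080",
    "timezone": "Europe/London",
    "language": "en-GB",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
}


def weighted_features(characteristics: dict, weights: dict) -> bytes:
    """Canonical encoding of the characteristics a website relies on.

    `weights` is the website's private weighting (an assumption of this
    example): a characteristic with weight 0 is left out entirely, and the
    weight value itself is folded into the encoding so two websites with
    different weightings derive different keys even from identical secrets.
    Names are sorted so the encoding does not depend on dict ordering.
    """
    parts = []
    for name in sorted(characteristics):
        weight = weights.get(name, 0)
        if weight > 0:
            parts.append([name, characteristics[name], weight])
    return json.dumps(parts, separators=(",", ":")).encode()


def derive_device_key(characteristics: dict, site_secret: bytes, weights: dict) -> bytes:
    """Per-website device key.

    HMAC-SHA256 over the weighted characteristics, keyed with the website's
    own secret. Without the secret and the weighting, another website cannot
    recompute this key, so device identifiers do not correlate across sites.
    """
    return hmac.new(site_secret, weighted_features(characteristics, weights),
                    hashlib.sha256).digest()


def device_id(characteristics: dict, site_secret: bytes, weights: dict) -> str:
    """Hex identifier the website stores and later looks up; truncated to
    128 bits, which is ample for a lookup key."""
    return derive_device_key(characteristics, site_secret, weights).hex()[:32]


def recognise_device(known_devices: dict, characteristics: dict,
                     site_secret: bytes, weights: dict):
    """Return the person-chosen device name if this website has seen the
    device before, else None (the caller then asks the person to name it)."""
    return known_devices.get(device_id(characteristics, site_secret, weights))


if __name__ == "__main__":
    # Two websites, each with its own secret and weighting.
    shop_secret, shop_weights = b"shop-secret", {"platform": 1, "screen": 1,
                                                 "timezone": 1, "language": 1,
                                                 "user_agent": 1}
    forum_secret, forum_weights = b"forum-secret", {"platform": 2, "screen": 1,
                                                    "timezone": 1}
    print("shop  :", device_id(DEVICE_CHARACTERISTICS, shop_secret, shop_weights))
    print("forum :", device_id(DEVICE_CHARACTERISTICS, forum_secret, forum_weights))
```

The weighting doubles as a stability choice: characteristics that change on every browser update are better left at weight 0 by a website that wants to keep recognising the device, at the cost of a coarser identifier.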

When a person visits a website, the website checks whether it has seen the device and/or the email address before. If either is found, it is assumed to be the same device and/or the same person. If the device is unknown, the person is asked to give it a name. If the email address is unknown, the person is asked for it and proves control over it, either through OpenID or by responding to an email message. The person is also asked to prove access to the email address if it has not previously been matched to the device.

The website looks at which forms of authentication the person has used, when they used them, and where. The website and the person use this information to decide whether authentication is required. Authentication consists of asking the person to re-enter something they have previously entered on any participating website, thereby proving it is them. The most basic form of identification is a four-digit PIN entered by the person and stored at a website. The person can ask any participating website that holds such stored information for a particular device to perform the authentication again.

Whenever an authentication is redone, the email address is encrypted again and the new token is sent to all websites the person has previously visited and where they are still active. Websites and individuals can choose whether to take part in the network of notifications, or they may allow notifications only to selected websites.
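The two preceding paragraphs describe the PIN check and the re-authentication notification. The example below is added here and is not WLPC Welcomer's code; it assumes details the text leaves open. The PIN is stored as a salted PBKDF2 verifier with a failure counter rather than in clear, because a four-digit PIN has only 10,000 possible values and a website that stores it directly leaks it to anyone who reads the database. The "encrypted email" sent to other websites is modelled as a keyed hash of the address with a fresh random nonce under a secret shared with each website (a substitution for encryption, so the example needs only the standard library); it changes on every re-authentication and differs per website, and a receiving website can confirm it against an email address it already knows. Site names, secrets and the email address are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Kept modest so the example runs quickly; production deployments should
# use the current OWASP recommendation for PBKDF2-HMAC-SHA256 iterations.
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16


def store_pin(pin: str) -> dict:
    """Record a verifier for the PIN, never the PIN itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0}


def verify_pin(record: dict, attempt: str, max_failures: int = 5) -> bool:
    """Constant-time comparison plus a lockout after `max_failures` wrong
    attempts, which is what makes a 10,000-value secret survive guessing."""
    if record["failures"] >= max_failures:
        return False  # locked: the person must re-prove via email/OpenID
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


@dataclass
class Site:
    """A participating website (assumed shape, not the project's own)."""
    name: str
    secret: bytes                      # shared with this site only
    accepts_notifications: bool = True
    tokens: dict = field(default_factory=dict)  # email -> latest token


def email_token(site: Site, email: str, nonce: bytes) -> str:
    """Opaque, per-site, per-nonce token standing in for the encrypted email."""
    mac = hmac.new(site.secret, nonce + email.strip().lower().encode(),
                   hashlib.sha256).digest()
    return (nonce + mac).hex()


def notify_reauthentication(email: str, visited: list, allowed_sites: set) -> dict:
    """After a successful re-authentication, issue a fresh token to every
    previously visited site that both opted in and the person allows.
    Returns {site name: token} for the sites actually notified."""
    sent = {}
    for site in visited:
        if not site.accepts_notifications or site.name not in allowed_sites:
            continue
        nonce = secrets.token_bytes(NONCE_LEN)
        token = email_token(site, email, nonce)
        site.tokens[email] = token
        sent[site.name] = token
    return sent


def site_recognises_token(site: Site, email: str, token: str) -> bool:
    """A receiving site confirms a token against an address it already holds."""
    try:
        nonce = bytes.fromhex(token)[:NONCE_LEN]
    except ValueError:
        return False
    return hmac.compare_digest(email_token(site, email, nonce), token)


if __name__ == "__main__":
    record = store_pin("1234")
    print("correct PIN:", verify_pin(record, "1234"))
    print("wrong PIN  :", verify_pin(record, "0000"))
    sites = [Site("shop", b"shop-shared"), Site("forum", b"forum-shared", False),
             Site("bank", b"bank-shared")]
    print(notify_reauthentication("alice@example.com", sites, {"shop", "bank"}))
```

The person's allow-list and the website's opt-in flag are checked independently, so either party can withdraw from the notification network without the other's cooperation, which is the control the text describes.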

The system is designed to operate with one website on its own, or with any subset of websites operating together for any subset of persons.

The system is designed to have changing encrypted email tokens, and to have device ids that vary for each website.

Security is maintained by diversity and by each person's record of behaviour being different and continually changing through use.