Identity is the only security boundary that has ever mattered in computer security defense. Physical boundaries, firewall boundaries, security domains, forests, realms and virtual networks… none of those matter if a single logon credential that can access multiple domains is compromised.

Today's identity solutions are able to access sometimes hundreds of thousands of different security domains using a single credential, but surprisingly can do so while decreasing overall risk. How is this possible?

Identity in the early days

In the early days of computers and networking, most people used a single logon name and password to access everything. This proved to be a very bad strategy, as the compromise of one computer could lead to a compromise of every other computer sharing the same logon credentials. Everyone was told to create a different password for every system they accessed.

Identity mid-term

With most people now accessing dozens to hundreds of different password-protected resources, using a different password for each resource required either writing them all down (a big no-no), using a password manager (which stored all the passwords and maybe also auto-logged people in as they visited the different sites), or some sort of single sign-on (SSO) solution.

SSO solutions became fairly popular in the enterprise and password managers became fairly prevalent in the home user space. But neither type of solution has ever worked across all security domains and platforms with a decent amount of consistency. A few broadly applicable SSO solutions were created, tried and abandoned, such as Microsoft's original Passport and the decentralized OpenID standard. None of the mid-term SSO solutions really took off despite all their promises of global use and acceptance.

Identity today

It took social media killer apps, like Facebook and Twitter, to run roughshod over the rest of the identity also-rans for new winners to emerge.
Their huge user populations assured that whatever solutions and protocols they used were going to end up being global and pervasive. New global identity standards and solutions popped up overnight — or so it seemed to identity observers. The new solutions were not always globally trusted and agreed upon. It hurt the feelings of many smart, dedicated people who had been working on other, potentially better solutions for far longer. It didn't matter. Assimilate or fall behind.

After the initial pain of being pushed around by a few 800 lb. gorillas subsided, the forced new standards ended up being a good thing. The end result is that we have fewer, but more popularly accepted, SSO authentication standards to choose among. And they can be used across both enterprise and consumer platforms.

When discussing today's identity solutions you'll hear the following protocols and solutions bandied about: Facebook's Graph API, OAuth, OpenID Connect, xAuth, SAML, RESTful, and FIDO Alliance. After decades of trying, the world of pervasive identities is finally coming within reach. On many web sites, you can use your Facebook, Twitter, or favorite OAuth- or xAuth-enabled SSO logon to authenticate. There are still interoperability problems, but those barriers are coming down fast.

Today, you can use your password, phone, digital certificates, biometric identity, two-factor authentication (2FA), or multi-factor authentication (MFA) SSO solution to log on to a myriad of sites. Each identity can have different "attributes" or "claims" associated with it, be associated with one or more trusted devices, have different assurance levels, and be used on different sites of your choosing.

Of course, right now, we don't have a universally accepted SSO that works at all sites, but we're getting closer.
And now that we are closer, I'm almost certain we don't really want it.

There is a distinct need for most of us to have multiple identities tied to different things. For example, most of us have work and personal accounts. My work wants the ability to retain all my work-related content at all times and even has the ability to immediately erase all work content if they terminate my employment. At the same time, I don't want my work admins having access to my personal content or browsing history on my home computer. I don't want my personal documents somehow ending up on my work computer and vice versa, which does sometimes happen today with our more pervasive global identities. I remember how surprised I was when my wife plugged her iPod into my work computer to charge and suddenly her iTunes had copies of my work documents.

Perfect single identity

In my perfect world, it would be great if I had a single, global identity that had different "personas", such as "Work Roger" and "Home Roger", that I could apply in different use case scenarios and that would be sure to keep the different content and resources separate. It will probably work that way in the future, but we are not quite there yet.

Doesn't a single sign-on open up more risk?

You may be wondering if having a single, unifying identity (or even just fewer, but more pervasive identities) means that a single identity compromise will lead to a worse set of consequences due to the single failure. After all, isn't using a single identity sign-on a lot like using a single password for all your web sites? Have we gone full circle just to end up with the same problems?

Yes and no, and mostly no if you do the right thing.

If the global identity mechanism you are using gets compromised at its source (i.e., the identity provider), there is a greater risk that the compromised identity can be used at more places.
For example, if a bad guy compromises your Facebook account logon name and password, it is more likely that he will be able to access everywhere you log on using your Facebook account credentials.

But that's why Facebook, and most other popular social sites and authentication providers, are pushing stronger 2FA and MFA solutions, and you should use them. That way, even if the hacker gets your password, he doesn't get (at least not immediately, if ever) the second factor or physical device required as part of your authentication.

Additionally, most of the global identity solutions don't use a single authentication token on the participating sites. Instead, your "global token" is used to create separate site- and session-specific authentication tokens that are never used at other sites. This means that if an attacker breaks into a particular site that relies on your global authentication token, the token he obtains there can't be used elsewhere. It's win-win. Much better than a shared password.

Biometric worries

I do worry about the casual use of biometrics and how they may one day be stored in everyone's global identity account. Biometrics are never as great as they are purported to be. They aren't as accurate as claimed, are often easy to fake, and often don't work (just have a little sweat or dirt on your finger and try using your fingerprint reader).

But suppose you are a big biometric fingerprint fan and you want to be able to use your fingerprints to access any website, so you pick a global authentication provider that accepts them. It sounds like a great idea. But once we start storing fingerprints in global identities, attackers who compromise the identity provider will have your fingerprints…forever.
They could possibly "be you" on all the other web sites that accept your fingerprints.

So far two things have saved us from biometric identity theft being a widespread problem (beyond the fact that biometrics just aren't accepted in many places beyond phones and laptops). First, most biometrics are stored and used locally. This means the hacker has to access and compromise your device to get at your biometric identity, and even if he gets access, the biometrics would not work beyond that single compromised device.

A second, and related, point is that once you log on using your biometric identity, what happens authentication-wise from then on is that the authentication system uses one of the other previously discussed authentication methods. It is using some other authentication token besides your fingerprint. Your biometric identity (usually) doesn't leave your local device. That would change if people started to overly rely on biometric authentication globally.

Conclusion

Never have we been closer than we are now to getting pervasive, global identities. My advice: enable and require the use of 2FA/MFA options with your global identities. That way you get all of the benefit with less of the risk.
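The point made earlier, that a global identity mints separate site- and session-specific tokens so a token stolen from one site is useless at another, can be shown in a small model. This is an added example, not code from the article or from any real identity provider; the identity provider class, the site names and the per-site HMAC keys are all constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed, hypothetical identity provider (IdP): the user holds one global
# credential with the IdP, and the IdP mints a separate short-lived token for
# each relying party (site). Each token is bound to that site by a per-site
# signing key and an "aud" claim, so a token taken from one site is worthless
# at every other site. Site names and keys below are made up.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    def __init__(self):
        self.site_keys = {}  # one secret per relying party, never shared across sites

    def register_site(self, site: str) -> bytes:
        key = secrets.token_bytes(32)
        self.site_keys[site] = key
        return key  # handed to the site out of band at registration

    def issue_token(self, user: str, site: str, ttl: int = 300) -> str:
        now = int(time.time())
        claims = {"sub": user, "aud": site, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_hex(8)}  # unique per session
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.site_keys[site], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

def verify_token(token: str, site: str, site_key: bytes, now=None):
    """Relying-party check: valid MAC under this site's key, audience is this
    site, and not expired. Returns the claims, or None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(site_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # wrong key or tampered token: not minted for this site
        claims = json.loads(_unb64(body))
    except ValueError:
        return None  # malformed token
    if not isinstance(claims, dict) or claims.get("aud") != site or claims.get("exp", 0) <= now:
        return None
    return claims
```

A breach of one site yields only tokens that fail both the key check and the audience check everywhere else, which is the property the article credits to modern SSO over a shared password.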