https://copilot.microsoft.com/shares/C4r9mNqyGUmzY8Egdoa3y
`markdown
identity_anchor.md
Purpose
Define the core identity anchor that all systems trust as the root of “who this person is,” across:
- Gaming
- Nonprofit
- Financial pipelines
- GitHub / dev ecosystem
- Public identity
The identity anchor is not a single credential (phone, email, password).
It is a composite, cryptographic, behavior‑aware identity root that cannot be trivially lost or stolen.
Core principles
- Person, not credential: Identity is tied to the human, not any single device or factor.
- Composite, not singular: Many signals combine into one anchor.
- Recoverable, not fragile: No single loss (phone, email, password) destroys identity.
- Cryptographically bound: Anchor is represented by signed, verifiable tokens.
- Behavior‑aware: Long‑term behavior is part of the identity signal.
- Zero‑lockout: Anchor is designed to support recovery, not permanent loss.
Anchor components
The identity anchor is built from multiple classes of signals:
-
Static references (not stored in raw form)
- Government ID references (driver’s license, SSN, etc.) — referenced only, not stored in cleartext
- Legal name
- Date of birth (optional, minimized)
-
Digital identifiers
- Primary emails (current + historical)
- Primary phone numbers (current + historical)
- Usernames / handles (gaming, GitHub, etc.)
- Domains / websites under control
-
Device & environment
- Trusted device IDs
- OS / platform fingerprints
- Typical IP ranges / geos (coarse, privacy‑respecting)
- Network patterns (home, work, usual locations)
-
Behavioral profile
- Typing rhythm
- Navigation patterns
- Session timing
- Game behavior patterns
- Transaction patterns
-
Cryptographic layer
- Long‑term identity keypair(s)
- Signed identity tokens
- Signed “identity manifest” (public)
Identity anchor token
The Identity Anchor Token (IAT) is the cryptographic representation of the anchor.
Properties
- Signed by the platform’s identity root key.
- Bound to:
- actor_id
- device trust state
- behavior confidence
- risk posture
- Short‑lived for sessions, long‑lived for anchor references (with rotation).
Example (conceptual fields)
- anchor_id (UUID)
- actor_id
- issued_at
- expires_at
- device_id
- behaviorconfidencescore
- risk_level
- signature
Anchor lifecycle
- Initialization
- User passes strong onboarding checks:
- multi‑factor verification
- device binding
- behavior baseline start
- System creates:
- anchor_id
- initial identity anchor token
- initial trusted device list
- Stabilization
- Over time, behavior models mature.
- Trusted devices are confirmed.
- Recovery methods are added:
- identity vault
- offline codes
- additional factors
- Rotation
- Anchor tokens are rotated periodically.
- Long‑term keys can be rotated with:
- strong re‑verification
- multi‑path confirmation
- Old tokens are invalidated but logged.
- Recovery
If user loses:
Recovery uses:
- behavior match
- trusted devices (remaining)
- identity vault
- offline codes
- optional human‑assisted review (for extreme cases)
The anchor_id remains the same; tokens and factors are rebuilt around it.
Trust model
Internal systems
All internal services (gaming, nonprofit, financial, GitHub protection, public identity) trust:
- anchor_id as the canonical identity root.
- Identity Anchor Token as proof of:
- continuity
- behavior match
- device trust
- risk posture
External verification
Public‑facing identity can be proven via:
- Signed identity manifest (JSON) hosted on:
- official domain
- official GitHub repo
- Optional verification endpoints that:
- confirm anchor_id ↔ public handle mappings
- expose non‑sensitive proof of authenticity
Relationship to zero‑lockout
The identity anchor is the center of the zero‑lockout design:
- Multiple factors orbit the anchor.
- Loss of any one factor does not destroy the anchor.
- Recovery always aims to re‑bind the user to the same anchor_id, not create a new identity.
Security considerations
- Never store raw government IDs where not strictly necessary.
- Minimize PII; prefer references and hashes.
- Protect long‑term keys with:
- HSMs or equivalent
- strict access control
- audit logging
- Treat behavior models as sensitive data.
- Ensure anchor operations are fully logged and auditable.
Summary
The identity anchor is:
- a composite identity root, not a single credential
- cryptographically represented via anchor tokens
- behavior‑aware, device‑aware, and risk‑aware
- designed for zero‑lockout and high assurance across all of your systems.
`
https://copilot.microsoft.com/shares/C4r9mNqyGUmzY8Egdoa3y
`markdown
identity_anchor.md
Purpose
Define the core identity anchor that all systems trust as the root of “who this person is,” across:
The identity anchor is not a single credential (phone, email, password).
It is a composite, cryptographic, behavior‑aware identity root that cannot be trivially lost or stolen.
Core principles
Anchor components
The identity anchor is built from multiple classes of signals:
Static references (not stored in raw form)
Digital identifiers
Device & environment
Behavioral profile
Cryptographic layer
Identity anchor token
The Identity Anchor Token (IAT) is the cryptographic representation of the anchor.
Properties
Example (conceptual fields)
Anchor lifecycle
If user loses:
Recovery uses:
The anchor_id remains the same; tokens and factors are rebuilt around it.
Trust model
Internal systems
All internal services (gaming, nonprofit, financial, GitHub protection, public identity) trust:
External verification
Public‑facing identity can be proven via:
Relationship to zero‑lockout
The identity anchor is the center of the zero‑lockout design:
Security considerations
Summary
The identity anchor is:
`