Ask HN: Is static identity becoming a limitation in modern systems?

1 points by Gnobu 33 days ago | 2 comments

I’ve been noticing a pattern across different systems (security, payments, operations):

Most systems treat identity as something stable — once verified, it’s assumed to remain consistent.

But in real-world usage, identity behaves differently depending on:

• context (location, environment, timing)

• intent (what the user is trying to do)

• interaction flow (sequence of actions)

This creates a mismatch.

So systems compensate by:

• collecting more user data

• adding more rules

• increasing verification steps

Yet issues still show up:

• legitimate users get blocked

• risky behavior passes through

• systems behave inconsistently under edge cases

It feels like the limitation isn’t identity verification itself — but the assumption that identity is static.

Curious how others here think about this:

Are there practical ways to model identity as something dynamic without making systems overly complex or slow?

PaulHoule 33 days ago |

The thing I am worried about is not "slow" or "complex" in the sense of it being a lot of code. What I am worried about is it being "correct".

I work on a subscription service where there are numerous ways to "log in" like maybe your IP address tells us you work for one of our members, or we integrate with the SSO for your organization, it might even be both -- on campus you use your IP but you need your SSO from home or on campus you might use the SSO not for access but to tell us who you are so you can access features like bookmarks. For other members you log in with a username and password. And there are even more ways to log in.

You'd better believe we have to think about this complexity whenever we work on the auth system but it is worth because of these things serves a certain tranche of customers.

Gnobu 33 days ago | |

That makes a lot of sense especially the focus on correctness. What you described is interesting because even with multiple login paths (IP, SSO, credentials), you’re already adapting identity based on context, just in a structured way. I guess the challenge I’m thinking about is what happens after login — when behavior starts to shift. Do your systems treat identity as stable at that point, or do they continue adjusting based on what the user is doing?