Identity, security, access control, mashups, and social networking: a perfect storm of chaos that is only growing in complexity. Johannes Ernst from NetMesh led a discussion at Mashup Camp 2 in which a number of identity-related problems were explored:
- Protecting individual data using just a password is low security.
- Identity theft is rampant. One participant cited the uniquely American problem of obtaining a new credit card using nothing more than a name and a social security number.
- Exchanging or updating identity-based data is terribly difficult. It doesn’t seem possible for 500 small API vendors to agree upon a standard single sign-on service. (Say that three times fast!) Also, how does an individual specify what personal data he/she will permit any two partners to share with each other?
- Enabling services fail to take social networks into account.
Vendors need to stop putting out additional independent logins. Even though i-names are ready, the process of adoption has yet to begin. Really - did I need to set up six separate wiki accounts for the six wiki-backed conferences that I've attended in the last few months? I’ve signed up for my i-name, so =christine is ready to go.
Do we need Microsoft or Yahoo! to drive adoption? They didn't do well the first time around. Passport imposed a financial burden upon small businesses when it was launched, since small businesses didn’t have API savvy. That being said, Windows Live ID is entering into a market that’s evolved substantially. Ernst revealed that Microsoft is now considering letting independent vendors use an open version of InfoCard (AKA Windows CardSpace), under the banner of Open Source Identity Selector (OSIS).
The independent identity community is driving a couple of standards-based efforts: OpenID and i-names. Both are feeding into the creation of OpenID 2.0. These services will only become available once there is enough demand from both vendors and consumers. Kaliya Hamlin had some encouraging news: Wikipedia is adopting OpenID for their contributor logins. (Disclosure note: Omidyar Network is an investor in Wikia, a related entity.)
As a user, I also have a nagging dumb question: why is a single sign-on service considered more secure than using the same password for all of your accounts, which as consumers we are told to never do? (This is a technical question, not a rhetorical question, so please do comment if you have a straightforward answer.) Let's resolve these issues of identity, and get people educated on what the community has rallied around and why.
Most of the people in the room had a variation on the core problem of how to handle a single user across multiple systems. This doesn't address the user's perspective, however. While vendors may see themselves as independent of each other, the user thinks about experiences more holistically. Standards-setters need to keep this in mind in architecting not only the technology, but also the user experience and the strategy for rollout and adoption.