A smart browser that knows who you are

Sunday, December 19, 2010

The web lacks what Marc Canter calls “a big momma identity backplane”. Identity is left down to individual websites to decide how they’ll handle it. The result, of course, is a fragmented identity experience across the web, or what Kim Cameron calls a “patchwork of identity one-offs” (and I love this as it describes the situation succinctly and perfectly).

I started my MSc project focusing on one of the solutions to the problem of identity management, which is OpenID. This is an open federated identity protocol for sharing an identifier across different services, made up of identity providers (such as Google or Yahoo) and relying parties (a website that allows users to log in using their Google or Yahoo account). I’ve moved away from a sole focus on OpenID as I think “What should usable identity management on the web look like?” is a more interesting research question.

OpenID has a terrible user experience. Signing in with a URL is confusing for average users who have learned that authentication requires a username and a password. Learning how to use OpenID has a higher cognitive overhead for novice users than simply signing up via HTTP authentication. The redirects — an undelightful part of the OpenID experience — are also a phishing risk.

Ben Laurie explains how OpenID is a phishing heaven with a kitten site story:

“…I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance.”

There are too many identity providers, not enough relying parties. And there’s also the NASCAR problem.

But anyway.

I think solutions to web identity management are trying to handle identity on the wrong level. I like the “big momma identity backplane” idea. How about an interim identity backplane: a **smart browser that knows who you are.** Aza Raskin creates a great argument here. It absolutely baffles me that this doesn’t already exist (apart from a fledgling Firefox plugin that supports Yahoo and Google).

A smart identity-enabled browser seems far more valuable to me than a browser that has social services built in. The identity-enabled browser should:

  • allow a painless login and signup: users select a bundle of attributes — their identity — to sign up with, and select an existing identity to sign in with
  • allow anonymity
  • not remove control from users that they already have
  • allow users to see clearly what data they are sending to services, and what data services own from them
  • hide the complexity of authenticating with web services from the user
  • keep the user safe from phishing
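One way a browser that already knows the user's provider could act on the last point and refuse the provider swap in Ben Laurie's kitten-site story, as an added example that is not from the original post or from any real browser or OpenID library. The function name, the pinned-provider store and the `example` URLs are assumptions made up for illustration.

```javascript
// Hypothetical store: the provider endpoint the browser recorded when the user
// set up each identity (constructed sample data, not real endpoints).
const pinnedProviders = new Map([
  ["https://alice.example/", "https://openid.provider.example/auth"],
]);

// Decide whether to follow a relying party's redirect for the chosen identity.
// The relying party picks the redirect target, so the browser never trusts it;
// it only compares it with what it already knows about the user.
function checkProviderRedirect(identity, redirectUrl, pinned = pinnedProviders) {
  const expected = pinned.get(identity);
  if (!expected) return { allow: false, reason: "unknown identity" };

  let target;
  try {
    target = new URL(redirectUrl);
  } catch {
    return { allow: false, reason: "unparseable redirect" };
  }
  const known = new URL(expected);

  if (target.protocol !== "https:") {
    return { allow: false, reason: "not https" };
  }
  // "https://provider@other-host/" shows the provider name but goes elsewhere.
  if (target.username || target.password) {
    return { allow: false, reason: "userinfo in URL" };
  }
  // Compare the parsed origin exactly. Prefix or substring checks on the raw
  // string would accept lookalikes such as provider.example.evil.example.
  if (target.origin !== known.origin) {
    return { allow: false, reason: "origin mismatch" };
  }
  if (target.pathname !== known.pathname) {
    return { allow: false, reason: "path mismatch" };
  }
  return { allow: true, reason: "matches pinned provider" };
}
```

A proxying fake provider has to live on an origin the attacker controls, so it fails the origin comparison regardless of how convincing its page looks.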

The success of an identity-enabled browser depends on how well it implements the above. One problem is the conflict between identity handled in the browser and interfaces that invite identity management on the web canvas.

In conclusion, I seem to have picked an enormous and deeply complicated topic, and I’m dipping my toe in the water.