Nearly 2 years ago, Bill Gates mentioned in a keynote that Microsoft would support OpenID and gave a broad signal to the industry that we would start seeing convergence in the digital identity space.
My old team, Windows Live ID, just announced today that they are officially becoming an OpenID provider. In plain terms, this means you will soon be able to use your Windows Live ID to sign into any OpenID relying party. This partnership is great for every party involved. Microsoft benefits from increasing utility of Windows Live ID at sites and services that usually shun anything from Redmond. OpenID benefits from another boost in credibility as well as exposing OpenID relying parties to over 400M Windows Live ID users.
The last few years have seen a lot of movement in the Identity 2.0 space. Windows Live ID opened up through their Web Authentication and CardSpace, Facebook launched Facebook Connect, and in the not-so-reclusive shadows, OpenID was making tremendous progress to become the de facto protocol used for end-user authentication on the web. OpenID got on people’s radar with an onslaught of higher-profile adoptions on services like Yahoo, Plaxo, AOL, WordPress and even VeriSign. It also helped that OpenID wasn’t from Microsoft 🙂
It is only natural for there to be an eventual consolidation and convergence in the user identity space. It just doesn’t make sense from a user’s perspective to have different credentials all representing the same person. What users really care about is convenience, with the ability to control the privacy of any information that is disclosed. If you look at the history of the consumer credit card market, it isn’t a coincidence that there are 3 credit card types that make up the lion’s share of the market – Visa, Mastercard and American Express. More than that increases complexity for merchants, and in itself will squeeze out the least popular cards (e.g. Diners Club and Discover).
Extending that example to the digital identity space, it also doesn’t scale to “internet size” to have the endless identity providers that we have seen. In order to scale reliably, it only makes sense to have a smaller set of authorities be entrusted to assert claims over a group of users. In the real world, this is equivalent to how driver’s licenses are issued. There isn’t an ad hoc number of authorities that issue driver’s licenses. Imagine what that would be like when you showed your ID at a pub for a beer. In order to “trust” the claims that are asserted by your driver’s license (namely, your age), the pub would also have to trust the party that issued the license. If the pub blindly trusted any authority, then it would degrade the trust of any claim made in the system, since the value of all identities would erode due to forgeries. This is why the Department of Motor Vehicles (DMV) exists in the USA. For each state, there is a single authority granted the power to issue driver’s licenses, and relying parties that need to verify identity claims based on driver’s licenses need only really trust the state-level DMV. If claims are asserted on an ID issued by another state, relying parties (pubs, bars, etc.) will look for a way to validate the legitimacy of the authority (DMV) by looking for a hologram on the driver’s license. This has been shown to scale extremely well, and is essentially the same model that country passports follow.
The partnership between Windows Live ID and OpenID is great for customers and services alike, because this brings us one big step closer to having broader-scale convergence for digital identities. I see in the not-so-distant future a place where there are a handful of extremely trustworthy identity providers that are able to assert very high quality claims about users that they are able to control.
This partnership is the first step towards that magical place. It’s definitely an uphill battle for the remaining identity providers, since issuing identities and having all that information about the users is a very lucrative spot to be in. Each step towards further convergence will be harder to take, until we get to a point where each identity provider is extremely valuable and necessary because there is a need at either the relying party or the user level.
I’m excited to see what’s next.