Trevin Chow

Microsoft Group Program Manager and Seattle Photographer

Archive for the ‘openid’ tag

Myths about OpenID and digital identities


I’m really on a roll the past few days with blog posts on digital identity.  My new love is e-commerce with my work on Windows Marketplace, but it’s hard to ignore the recent waves in “big” news in the digital identity world.  Given my expertise in the area, I can’t help but give my 2 cents (or 4 cents :) ).

After reading all the blog entries and resulting comments on sites like TechCrunch, there is a lot of confusion about the significance, or lack thereof, of all these recent announcements (Google, Microsoft) of new OpenID providers.

First, let’s define a few terms:

Identity Provider: An Identity Provider is an entity that issues identities and the credentials used to authenticate as that identity.  For consumer services these credentials are almost always an email address and password combination.  An example is Microsoft issuing Windows Live IDs (e.g. foo@live.com or bar@hotmail.com) with a password.

Relying Party: A Relying Party is a site or service that accepts assertions of a user’s identity from a specific Identity Provider. The term is always used in conjunction with the name of an identity provider: for example, a site that is a “Windows Live ID relying party” accepts identity assertions from Windows Live ID.

OpenID Provider: An OpenID Provider is an Identity Provider that interoperates with OpenID.  It enables users with identities it has issued to authenticate to services that accept OpenIDs.  It does this by authenticating the user’s credentials, then issuing a signed proof of that authentication (what OpenID calls a positive assertion; in ticket-based systems such as Windows Live ID, a service ticket) that the user’s browser presents to a service that accepts OpenIDs.  Because the proof is signed, the accepting service can check that it really came from that OpenID Provider.

OpenID Relying Party: Refers to a site or service that accepts user identity assertions from an OpenID Provider.

Now that we’ve gotten terminology out of the way here are several myths that are prevalent in many online discussions about digital identities, and in particular, discussions about OpenID:

Myth: Becoming an OpenID provider makes you more “open”.

Fact: By becoming an OpenID provider, an identity provider simply allows all of its users to access OpenID sites. So technically, it isn’t more open in the traditional sense, since it didn’t grant access to its own services to any more users than it already had.  It just allowed its users to access services outside of its control, namely OpenID relying parties like Plaxo.  So in reality, becoming an OpenID provider is a greedy strategy: (1) it lets your users access more, and (2) it jumps on the bandwagon, not only to ride a good press wave but also, hopefully, to encourage more users to choose you as their identity provider.

Myth: Becoming a Relying Party disempowers a site’s native identity provider since it no longer holds its user information (think Gmail to Google, or Flickr to Yahoo).

Fact: This is not true. Becoming a relying party carries very few risks, and you still hold all the user information accumulated through use of your service.  Becoming an OpenID provider or relying party does not imply that you must share a user’s profile with any other service.  The only real risk in becoming a relying party is accepting assertions from an identity provider that doesn’t legitimately authenticate the user.  Imagine accepting identity assertions from an Identity Provider that didn’t use passwords, where all anyone had to do to be “authenticated” was type in an email address.  You wouldn’t be able to trust that the user really was bill@gates.com when that assertion was presented to you.  A relying party therefore has to decide which providers it trusts, and check that each assertion actually came from one of them, rather than accepting whatever identity is presented.
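Here is the relying-party side of the exchange described in the definitions above and in this myth, as an added example written for this page and not code from the original post: a small OpenID 2.0 relying party that accepts a positive assertion only if it carries a valid HMAC-SHA256 signature under an association with a provider it trusts, was addressed to this RP, and has a fresh, unused nonce. The provider table, the RP URL, the association MAC key and every sample assertion are constructed for the example; the allowlist of OP endpoints stands in for the discovery step a real RP performs on the claimed identifier. An honest assertion is accepted, while an assertion from an unknown provider vouching for the same identifier (the no-password provider from the paragraph above), a tampered one, a stale one and a replayed one are each rejected.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields that OpenID 2.0 requires the OP's signature to cover.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def kv_form(params, signed_fields):
    """Key-Value form (OpenID 2.0 section 4.1.1): one 'key:value\\n' line per
    field, in the order listed in openid.signed, 'openid.' prefix stripped."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode()

def sign_assertion(params, signed_fields, mac_key):
    """Base64 of HMAC-SHA256 over the Key-Value form (assoc type HMAC-SHA256)."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def nonce_time(nonce):
    """openid.response_nonce starts with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ'."""
    stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc).timestamp()

class RelyingParty:
    """Accepts assertions only from providers it holds an association with."""

    def __init__(self, return_to, associations, nonce_window=300):
        self.return_to = return_to
        self.associations = associations  # {op_endpoint: {"handle": str, "mac_key": bytes}}
        self.nonce_window = nonce_window
        self.seen_nonces = set()

    def verify(self, params, now):
        """Return (accepted, reason) for one id_res message received at return_to."""
        if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
            return False, "not an OpenID 2.0 positive assertion"
        assoc = self.associations.get(params.get("openid.op_endpoint"))
        if assoc is None:
            return False, "OP endpoint is not a trusted provider"
        if params.get("openid.assoc_handle") != assoc["handle"]:
            return False, "unknown association handle"
        signed = params.get("openid.signed", "").split(",")
        present_ids = {f for f in ("claimed_id", "identity") if "openid." + f in params}
        if not (REQUIRED_SIGNED | present_ids).issubset(signed):
            return False, "required fields not covered by signature"
        if any("openid." + f not in params for f in signed):
            return False, "signed field missing from message"
        if params.get("openid.return_to") != self.return_to:
            return False, "return_to does not match this RP"
        expected = sign_assertion(params, signed, assoc["mac_key"]).encode()
        if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
            return False, "bad signature"
        nonce = params["openid.response_nonce"]
        try:
            issued = nonce_time(nonce)
        except ValueError:
            return False, "malformed response_nonce"
        if abs(now - issued) > self.nonce_window:
            return False, "response_nonce outside time window"
        if nonce in self.seen_nonces:  # only track nonces that carried a valid signature
            return False, "replayed response_nonce"
        self.seen_nonces.add(nonce)
        return True, "accepted " + params.get("openid.claimed_id", "")

# Constructed values for the example; none of these hosts or keys are real.
TRUSTED_OP = "https://op.example.com/openid"
RP_RETURN_TO = "https://rp.example.net/openid/return"
MAC_KEY = bytes(range(32))  # 256-bit association key shared with the trusted OP
NOW = nonce_time("2008-10-29T19:12:00Z")

def make_assertion(op_endpoint, claimed_id, mac_key, nonce="2008-10-29T19:12:00Zabc123"):
    """Build a signed id_res message the way an OP would."""
    fields = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    params = {"openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": RP_RETURN_TO, "openid.response_nonce": nonce,
              "openid.assoc_handle": "assoc-1", "openid.signed": ",".join(fields)}
    params["openid.sig"] = sign_assertion(params, fields, mac_key)
    return params

def demo():
    rp = RelyingParty(RP_RETURN_TO, {TRUSTED_OP: {"handle": "assoc-1", "mac_key": MAC_KEY}})
    alice = "https://op.example.com/id/alice"
    honest = make_assertion(TRUSTED_OP, alice, MAC_KEY)
    # A provider that never checked a password, vouching for the same identifier.
    forged = make_assertion("https://no-password-op.example", alice, b"attacker-key")
    tampered = {**honest, "openid.claimed_id": "https://op.example.com/id/bob"}
    stale = make_assertion(TRUSTED_OP, alice, MAC_KEY, nonce="2008-10-29T18:00:00Zold")
    return {"honest": rp.verify(honest, NOW), "untrusted_op": rp.verify(forged, NOW),
            "tampered": rp.verify(tampered, NOW), "stale": rp.verify(stale, NOW),
            "replay": rp.verify(honest, NOW)}

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:13s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Two things a production RP adds that this example leaves out: discovery on the claimed identifier, so that the op_endpoint in the assertion is checked against the endpoint the identifier actually delegates to rather than a hand-maintained allowlist, and the stateless fallback, where an RP without a shared association posts the message back to the OP with openid.mode=check_authentication and lets the OP confirm the signature. The ordering matters too: the nonce is recorded only after the signature verifies, so an attacker cannot fill the replay table with unsigned garbage.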

Myth: All the recent OpenID news about these new OpenID providers will solve all the digital identity problems.

Fact: As mentioned the other day, it doesn’t really matter how many OpenID providers there are. The real issue is how many OpenID Relying Parties exist.  Right now there are very few, which makes the utility of OpenID very low and just makes for good PR talking points.  It will be monumental when you see all the Google, Yahoo and Microsoft services becoming OpenID Relying Parties.

Myth: OpenID is more secure than Windows Live ID (or any other identity provider).

Fact: First, this statement doesn’t make sense, since OpenID is essentially just a set of protocols and Windows Live ID is an identity provider.  If the real statement is that an OpenID provider is more secure than a non-OpenID provider, then, unfortunately, that is also incorrect.

From the eyes of the consumer, the security of an identity provider really has nothing to do with the underlying protocols that are used.  They just know where to go to authenticate and how to authenticate. This is why fewer Identity Providers are good: users learn to recognize a small number of login pages, which reduces the risk of phishing scams where users unknowingly give their credentials to a malicious party impersonating one of them.

The security of an identity provider is really about the security of the credentials used to assert a user’s identity. The great thing about OpenID is that, since it is an open system and anyone can become an Identity Provider, it paves the way for competition and natural selection among Identity Providers.  With OpenID, we’ve seen the rise of some fantastic security solutions that will make a real impact on customers once we have more OpenID relying parties.  For example, VeriSign’s investment in 2-factor auth gives me a lot of hope that other Identity Providers will follow suit.  This will force the entire industry not only to raise the level and expectation of security, but also to make it easier to use for the everyday user.

Written by Trevin

October 29th, 2008 at 7:12 pm

OpenID takes a huge leap towards ubiquity with Google support


Today will be the day that we remember OpenID becoming the standard for web authentication and single sign-on.

Hot on the heels of Microsoft’s announcement, Google gave the final boost of credibility that OpenID needed by announcing their move to also become an OpenID provider.

Now that the 3 big boys of the internet (Microsoft, Yahoo and now Google) are all OpenID providers, OpenID has taken a huge leap towards true convergence for digital identities.

While all these OpenID provider announcements are coming out, in order to make OpenID truly ubiquitous, all these identity providers that also have services (which they all do) need to also become OpenID relying parties. In other words, Yahoo, Google and Microsoft all need to start accepting OpenID authentication for all their services.

Once that happens, we’ll have true digital identity ubiquity all tied together by OpenID.  Here’s to praying that happens sooner rather than later, so I can cross off a big pain point in my online world.

Written by Trevin

October 29th, 2008 at 12:48 pm

Yahoo invests more as an Identity Provider


Today Yahoo signaled that they aren’t yet down for the count, and are trying to come back with their Open Strategy.  To recap, their Open Strategy consists of 4 pieces:

  1. Application platform (YAP)
  2. Social Platform (YSP)
  3. Query Language (YQL)
  4. OAuth (which handles delegated authorization, not authentication itself)

With YAP and YSP, Yahoo gets deeper in bed with OpenSocial, and at its heart is an implicit reliance on a rich user profile.  It should then be no surprise that Yahoo also announced a new Yahoo Profile, which includes a new look-and-feel, the ability to create mutual friendships with other Yahoo users and a goal of universal reliance on these profiles across their services.  So far, Yahoo has done a terrible job with users’ identities, creating no added value for using the same identity across all their services.

For any identity provider, the identities you issue are only as valuable as both the assertions made about them and the services that accept them.  The newly increased investment in user profiles, along with Yahoo’s previous support of OpenID, places Yahoo in a fantastic spot for increasing value for its users and all of its underlying services.

Written by Trevin

October 28th, 2008 at 3:05 pm

Windows Live ID supports OpenID


Nearly 2 years ago, Bill Gates mentioned in a keynote that Microsoft would support OpenID and gave a broad signal to the industry that we would start seeing convergence in the digital identity space.

My old team, Windows Live ID, just announced today that they are officially becoming an OpenID provider.  In plain terms, this means you will soon be able to use your Windows Live ID to sign into any OpenID relying party.  This partnership is great for every party involved.  Microsoft benefits from increasing utility of Windows Live ID at sites and services that usually shun anything from Redmond.  OpenID benefits from another boost in credibility as well as exposing OpenID relying parties to over 400M Windows Live ID users.

The last few years have seen a lot of movement in the Identity 2.0 space.  Windows Live ID opened up through Web Authentication and CardSpace, Facebook launched Facebook Connect, and in the not-so-reclusive shadows, OpenID was making tremendous progress towards becoming the de facto protocol for end-user authentication on the web. OpenID got on people’s radar with an onslaught of higher-profile adoptions by services like Yahoo, Plaxo, AOL, WordPress and even VeriSign.  It also helped that OpenID wasn’t from Microsoft :)

It is only natural for there to be an eventual consolidation and convergence in the user identity space.  It just doesn’t make sense from a user’s perspective to have different credentials all representing the same person.  What users really care about is convenience, with the ability to control the privacy of any information that is disclosed.  If you look at the history of the consumer credit card market, it isn’t a coincidence that there are 3 credit card types that make up the lion’s share of the market – Visa, Mastercard and American Express.  More than that increases complexity for merchants, and in itself will squeeze out the least popular cards (e.g. Diners Club and Discover).

Extending that example to the digital identity space, it also doesn’t scale to “internet size” to have the endless number of identity providers that we have seen.  In order to scale reliably, it only makes sense to have a smaller set of authorities entrusted to assert claims about a group of users.  In the real world, this is equivalent to how driver’s licenses are issued.  There isn’t an ad hoc number of authorities that issue driver’s licenses. Imagine what it would be like otherwise when you showed your ID at a pub for a beer.  In order to “trust” the claims asserted by your driver’s license (namely, your age), the pub would also have to trust the party that issued the license.  If the pub blindly trusted any authority, the trust in every claim made in the system would degrade, since the value of all identities would erode through forgeries.  This is the role the Department of Motor Vehicles (DMV) plays in the USA.  For each state, there is a single authority granted the power to issue driver’s licenses, and relying parties that need to verify identity claims based on driver’s licenses only really need to trust the state-level DMV.  If claims are asserted on an ID issued by another state, relying parties (pubs, bars, etc.) will look for a way to validate the legitimacy of the issuing authority (DMV), such as the hologram on the license.  This has been shown to scale extremely well, and is essentially the same model that national passports follow.

The partnership between Windows Live ID and OpenID is great for customers and services alike, because it brings us one big step closer to having broader-scale convergence for digital identities.  I see in the not-so-distant future a place where there are a handful of extremely trustworthy identity providers that are able to assert very high quality claims about users that they are able to control.

This partnership is the first step towards that magical place.  It’s definitely an uphill battle for the remaining identity providers, since issuing identities and having all that information about the users is a very lucrative spot to be in.  Each step towards further convergence will be harder to take, until we get to a point where each remaining identity provider is extremely valuable and necessary because there is a need for it at either the relying-party or the user level.

I’m excited to see what’s next.

Written by Trevin

October 27th, 2008 at 5:48 pm

Thoughts on OpenID


There has been a ton of talk lately on OpenID, especially since it has seemingly gained inroads with a lot of major industry players such as Microsoft, VeriSign and AOL. Heck, even Digg is planning on supporting it.

Michael Arrington of TechCrunch recently said:

It’s definitely time to declare OpenID a winner and the hope for a single-sign on world a reality.

When you read commentary by supporters of OpenID and the resulting press, you can’t help but get the impression that it’s the savior of the internet and finally solves the authentication problems for users on the web. Some of the stated advantages:

  1. De-centralized — you don’t have to trust a single authority like Google or Microsoft.
  2. Tiered authentication — websites that require stronger authentication can get users to sign in with a strong credential. It’s built into the protocol.
  3. URL-based — you can keep your email address private and it saves you time when trying out new sites and services (you already know your ID is unique since no one else is using your URL identifier)
  4. Multiple identities made easy — you can have multiple identities by using different URLs

The list goes on and on… When I read the above list, you can call me skeptical to say the least.


Written by Trevin

February 25th, 2007 at 9:14 pm
