On Identity Business Models or Lack Thereof


Martin Kuppinger, leading analyst of all things digital identity, based in Munich, Germany, called earlier this week for a conversation about business models for identity product and service companies.

A good reason to ponder what we’ve learned in the past year or so about those business models or, more correctly, lack thereof. Here are my thoughts:

On the identity provider side:

  • It’s been conclusively established that there is no business model for a standalone hosted identity provider. Many companies have tried, with nothing to show for it. FreeYourID is the latest to give up. With MyLID.net, we had one of the first ones at NetMesh, but stopped investing in it years ago. Seems we did the right thing there. There is no indication that some newcomer could suddenly make it work either.
  • White-labeled hosted identity provider. Some companies tried that, and at some point it looked like there was a “there” there, but the vast majority of identity providers on the internet are homegrown. Major companies (say, banks) that should want to be identity providers so far have shown no inclination to want what we would want them to want. There are no indications that this will change any time soon.
  • Authentication provider (i.e. a minimalistic identity provider that only wraps a standard identity protocol, like OpenID, around strong authentication, like a smart card). This could work for vendors in the strong authentication business, but so far there is no existence proof. I don’t think anybody has really tried, so it’s too early to tell.
  • Identity provider as part of a larger product that does not focus on identity per se. This approach has been very successful. Examples: Amazon is an identity provider of their customers for the merchants on their site. Facebook Connect. Downside: it’s not a new business opportunity, only an add-on to an existing business.
  • Identity provider software. Long-established, moderately successful, dominated by enterprise software companies like Oracle, Sun, IBM etc. Not a new business opportunity either. No evidence that it works for sites outside of the corporate firewall though.

On the relying party side:

  • Relying party software kits. There is a range of open-source libraries with many customer complaints against them. They prove just how hard it is to productize such a kit, and there is no evidence that anybody would license such software. Does not look like a business opportunity.
  • Relying party functionality as part of a larger product tends to be in high demand. However, that’s just another feature of an existing product, and thus not a business opportunity except perhaps for being acquired real quick by the vendor of the product.
  • Relying party functionality as-a-service is an interesting idea that has been around for a few years with little uptake. However, that may be changing slowly. A number of business questions will have to be sorted out before there is any chance of major uptake. And: can sufficient revenue be generated from it? Nobody knows.
  • Strategy or technical consulting related to accepting identities. That opportunity certainly exists, and we’ve helped a few customers there and earned a few dollars. However, it remains to be seen whether there is a mainstream market for it, not just a few early adopters.

Value-added services:

Many people have ideas for value-added services that could be sold once sufficiently many users used internet identities at enough sites. The trouble is that the transaction volume for OpenID (or any other identity technology on the internet) is still far too low to make this viable.

So the verdict here is: perhaps in the future.

 

So what’s an analyst, or conference organizer, or entrepreneur, or venture capitalist to do? My take:

Hang in there, keep the burn rate low, make no major moves, would be my advice. (Believe it or not, sometimes I am asked for my advice on this.) All the signs are pointing in the right direction, the latest being Google’s major OpenID push. Let’s not confuse being majorly annoyed at how long this is all taking (speaking about myself here) with something being fundamentally wrong (because there isn’t).

Sooner or later, at least the value-added services opportunity will emerge. Perhaps others. But so far it has not yet.

P.S. of course I appreciate your comments, particularly if you disagree ;-)


6 responses to “On Identity Business Models or Lack Thereof”

  1. Chris Messina pointed me to this article after a post I wrote yesterday. I think you are summing up very well why this problem is so hard to solve. The underlying issue (imo) is that there isn’t a user demand. Users either don’t know or care, and it is therefore hard to get them to use a standalone hosted identity provider and pay for it.
    I can only see this work if the focus is on creating a community of users that are willing to help innovate, use and spread the word around such services. The technology is not the biggest bottleneck right now, it’s the naiveness of the user.

  2. You wrote a protocol, and unlike plumbing equipment, it doesn’t cost anything to manufacture additional protocol handlers, it just takes development time.

    You can make money by finding people who are willing to pay for additional improvement in these areas – new implementations of OpenID.

    If companies like Google are implementing OpenID, it’s a sign that others are probably willing to pay for the same thing.

    It’s a very limited field, and it isn’t exactly something to build a company around.