Alexander van Elsas left a comment on my post “On Identity Business Models or Lack Thereof” that I feel I have to respond to. It is not the first time I have heard a comment along these lines, so this is more a response to “everybody”, not specifically just to him. He writes:
…The underlying issue (imo) is that there isn’t a user demand. Users either don’t know or care, and it is therefore hard to get them to use a standalone hosted identity provider and pay for it.
…The technology is not the biggest bottleneck right now, it’s the naiveness of the user.
Pardon me, but this very much sounds like the old “our software is great, if it wasn’t for those darned users”. To which the equally old, and always-correct answer is: “No, the user is never the problem. As vendors, we either solve a problem for our users, in which case they pay us, or we don’t. If users don’t use our ‘solution’, we either don’t solve an actual problem, or we don’t explain well enough how we solve the problem, or our solution is simply not good enough for the user.”
At this point, it is very clear that consumer identity providers do not solve a problem for users that is commensurate with paying money. (I would go further and say that the product category “consumer identity provider” is most likely never going to be able to get many users paying for it.)
To quote Pip Coburn: “People are only willing to change when the pain of their current situation outweighs the perceived pain of trying something new.” We are not there yet in identity land, even if we’d all like to be there.
3 responses to “The “Lack Of User Demand” for Internet Identity”
So if the problem is the business model, what’s the value of an internet identity? Right now our primary identity is our email, and the web site I’m evolving right now is basing all of its identity on that: No passwords, just links you get emailed which encode identity and authorization information in them.
We usually pay for our email, although often that’s bundled in with something else, and these days its often provided for free from Google.
Here’s the thing about Facebook: Yeah, there’s lots of issues with privacy control and what-have-you: Nobody cares. Here’s the other thing: The people that do care are often asking for far stricter controls than we had back in the days of paper. I was recently appointed to a local town committee, I checked the “sure, publish all my contact info” box, announced my appointment on Facebook, and had a friend comment “holy cow, they let everything about you hang out there, didn’t they?” Well, yeah, but so did the freakin’ white pages, back in the day.
So if we want to get people to take their social identity more seriously, we “…need to change the very nature of business models on the web”, but if Facebook starts charging then users will just abandon it for the next site: Some time ago I paid for a Classmates.com account for a year, found a few people, dropped that account, followed them on MySpace, now Facebook (because few of them care enough about their online identities to devote their own domain to them).
It’s not about changing the business model, it’s about changing the value proposition for the end-users. Which is Johannes’s point: what do the users get out of better control of their identity? The only place I really care is banking, healthcare and finance, and getting those people to institute a reasonable distributed identity system is im-freakin’-possible: These are the sites that are still whining when I use punctuation in my passwords.
I guess I’m not sure what my thesis is here except that OpenID didn’t solve the simple problem (says “flutterby.net/User:DanLyk…” responding to “vanelsas.wordpress.com/”), and so won’t be the solution going forward.
Facebook appears to solve the problem well enough, and will probably be the preferred solution until they try to charge users, at which point the users will abandon those identities and go elsewhere, because if I’m commenting on your blog you probably know who I am, and if that blog’s going to shift URLs, as even high profile ones have done fairly often (Doc Searles and Robert Scoble come to mind) then the particular identifier attached to the user commenting really doesn’t matter. My blog’s been around over a decade, when users, even ones I don’t know, forget their passwords and create new identities I pick up on it fairly quickly, and when I offer to merge their accounts they say “naw, don’t bother”.
And banking will continue to use my email address and my mother’s maiden name, and some relatively insecure password which, in a particularly well admin’d system, will actually distinguish between upper and lower case…
Johannes, I didn’t make that comment from a perspective of a software builder, but from the perspective of current practice. There are over 300M active users on Facebook, and if you start counting the nr of users in other social networks, we can probably easily double that nr.
To a Facebook user, his identity, and control over this identity lies within the (hard to grasp) privacy controls of Facebook. The one question no one can ever answer me is “Where is that one switch that protects me from Facebook?”.
We, our friends, our interactions, all the data that flows, are commercially exploited by these companies. And in most cases people don’t care, or simply don’t understand. Identity has been solved to an acceptable level for them. That is not so much a failure of identity software companies, as it is a success for Facebook.
If we are to change this than we can’t just change technology. We need to change the very nature of business models on the web.
As you know I’m an early adopter, but the necessity of some sort of better identity system was only apparent when someone cracked an account because I’d used the same password in two places. Really, a three tiered password system will, for the most part, get around that (although having been burned once I’m now trying to be quite a bit harsher about passwords).
I see the future as Facebook Connect for forums and blog comments, and individual user names and passwords for financial institutions. Maybe Twitter or one or two other sites will gain traction in this.
OpenID got way too mired in committee processes and became overly complex for what it is, to be reasonable for relying parties to assume that they can implement it cleanly, and in its core specification doesn’t include enough to be a decent solution for weblog comments (witness my user name here…).