The Death Of User-Centric Identity — for now


Around 2005/2006, there were about four major lines of thought on user-centric identity with a few variations. We can quibble about the exact numbers and times, but in broad strokes — which is what this post is all about — that seems about right.

  • The Kim Cameron / Microsoft / CardSpace / Identity meta-system line of thought. In this view, major brands (like banks, associations…) would issue “electronic cards” with various pieces of identity information on them. A piece of software on the user’s device, called an “identity selector”, would allow the user to select which card to present to a web site in order to convey just the necessary amount of identity information to complete a transaction. By default, sites would have no ability to conspire to track the user across sites. The vision was always very tightly coupled to the WS-* stack of protocols.
    • A more ambitious version was presented by Paul Trevithick / Parity / Azigo. In this version, cards would be the metaphor for any kind of person-to-person and person-to-machine data exchange, just as in Snow Crash. Unlike in Kim’s version, the data “on” the card could be dynamic and open-ended. Brands were far less important: anybody could issue and receive cards just as easily as passing notes.
  • The Dick Hardt / Sxip line of thought. Here, users would have one or more trusted sites on the web that would push identity data as part of the user’s login process to any site the user visited, with the user having the final say on which data to convey. Originally conceived as a hierarchical, DNS-like system, the vision later became decentralized. Additions enabled updated identity information to flow upstream or downstream after the initial exchange. A browser plugin would make the user experience simpler.
  • The Drummond Reed / Cordance / XRI / XDI / i-names line of thought. This line of thought started several years earlier than any of the others. It envisioned a DNS-like system (XRIs and i-names) to supplant DNS. In the pure form, users would have an identifier (an i-name with the characteristic equals sign in front) that would be unique on the web and could be used for identification. With the identifier, a rich set of services would be associated that could be dynamically discovered. The set of services would include identity-related services such as single-sign-on, but also broader data exchange services, using a new set of protocols called XDI.
  • My own, the Johannes Ernst / NetMesh / Light-Weight Identity (LID) line of thought. Here, users would claim a place on the web as their own (like their blog or personal website), and point everybody to that place on the web when they needed to find out any information about the user. Identity, and other information, could be pulled from that place on the web by others, but only if approved by the owner who’d be in complete control of that site.
    • The Brad Fitzpatrick / David Recordon / Six Apart / OpenID V1 version that followed the “point to user’s home site” architecture but dropped all parts other than authentication, focusing on the special case of blog commenting. This was the first vision of user-centric identity that got actual traction in the marketplace.

Well, here we are in 2011, and it is time to acknowledge that none of these original visions has worked out. CardSpace has been canceled. The rest of the proposals were, sort of, merged into what became OpenID. When we did this merger, we were all hoping that OpenID would end up being the sum of all (good) parts. Unfortunately, it became the opposite: an oddity not true to any of the visions, and far, very far, from being an aggregate of the best. Worse, its evolution has disintegrated into multiple incompatible architectures, all of which have plenty of trees, but no forest. None of the original visionaries are actively involved in it any more, and it shows.

Here’s an example: current OpenID implementation practice is to use non-correlatable identifiers as the URLs that I envisioned for LID, in order to get CardSpace-like privacy features. But then, the first piece of information that is typically pushed to sites, Sxip-style, is the user’s e-mail address — a perfectly correlatable identifier if there ever was one. The identity push features in OpenID 2, from their roots in Sxip, are unused beyond a few like name and e-mail address; instead, any meaningful data exchange is performed using OAuth, an (incompatible) branch-off which is much closer in architecture to XDI and LID than to either Sxip or Cardspace, without any of the sophisticated query and privacy features envisioned in either, and without any aspirations whatsoever to be user-centric.
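The mismatch described above can be made concrete. The following Python sketch is an added example, not code from this post or from any OpenID library: it derives a per-site (“directed”) identifier with an HMAC, which is one common way to build non-correlatable identifiers and is an assumption here rather than anything OpenID 2 specifies, then shows that two colluding sites cannot join their records on the identifiers alone, but can the moment an e-mail address is pushed alongside them. The `correlatable_attributes` check is the kind of release policy a provider would want in front of its attribute push. All user records, site origins and the key are constructed sample data.

```python
"""Pairwise identifiers versus correlatable attributes.

Added example, not code from the original post or from any OpenID
implementation. All user records, site origins and the signing key
are constructed sample data.
"""
import hashlib
import hmac

# Constructed identity-provider key; a real provider would keep this in
# an HSM or secret store. It makes per-site identifiers unguessable.
IDP_KEY = b"constructed-demo-key-not-for-production"

# Attributes whose values are identical for one person at every site and
# therefore let two sites join their records (the e-mail case in the post).
CORRELATABLE = {"email", "phone"}


def pairwise_identifier(user_id, site_origin):
    """Directed identity: derive a stable per-site identifier for a user.

    Same user + same site -> same value on every login; same user at two
    different sites -> two unrelated values, so the sites cannot link them
    by comparing identifiers alone.
    """
    message = f"{user_id}|{site_origin}".encode()
    return hmac.new(IDP_KEY, message, hashlib.sha256).hexdigest()


def build_assertion(user, site_origin, requested_attributes):
    """What the provider pushes to a site: the pairwise identifier plus any
    requested attributes the user record actually carries."""
    assertion = {"sub": pairwise_identifier(user["id"], site_origin)}
    for name in requested_attributes:
        if name in user and name != "id":
            assertion[name] = user[name]
    return assertion


def correlatable_attributes(assertion):
    """Release-policy check: which attributes in this assertion undo the
    unlinkability that the pairwise identifier was meant to provide?"""
    return {name for name in assertion if name in CORRELATABLE}


def sites_can_link(assertion_a, assertion_b):
    """Simulate two colluding sites: they can match records if any attribute
    present in both assertions carries an equal value."""
    shared = assertion_a.keys() & assertion_b.keys()
    return any(assertion_a[name] == assertion_b[name] for name in shared)


def demo():
    # Constructed user record and two constructed relying-party origins.
    alice = {"id": "user-0001", "name": "Alice Example",
             "email": "alice@example.invalid"}
    shop, forum = "https://shop.example", "https://forum.example"

    # Identifier-only login: distinct "sub" values, nothing to join on.
    only_ids = (build_assertion(alice, shop, set()),
                build_assertion(alice, forum, set()))
    # The practice the post describes: e-mail pushed along with the id.
    with_email = (build_assertion(alice, shop, {"email"}),
                  build_assertion(alice, forum, {"email"}))
    return {
        "linkable_with_ids_only": sites_can_link(*only_ids),
        "linkable_with_email": sites_can_link(*with_email),
        "flagged": correlatable_attributes(with_email[0]),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` reports that the identifier-only assertions are not linkable, the e-mail-carrying ones are, and that the release-policy check flags `email`. The point for a provider is that unlinkability is a property of the whole assertion, not of the identifier field; any attribute that is globally unique for the user has to be treated as an identifier for release-policy purposes.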

And because we totally, disastrously, failed at herding the cats who like nothing better than to come up with a 5%-better version of some aspect of some obscure protocol, oblivious to the fact that this splits the market and makes either version un-implementable, you can now choose between some power set of incompatible ways of implementing all of it, none of which has even a remote chance of really working on a mass scale.

The result: the top Quora answer on OpenID has 457 positive votes on “OpenID was doomed the day it launched”. Answer #6, with 25 votes, is the first positive response, and rather defensive at that. While the OpenID Foundation plods on, I have to say — and mind you, I was one of its co-founders — I have not the slightest clue what it is trying to do at this point in 2011. The most recent board meeting minutes sound very much like a typical management meeting would have been at Nokia if they hadn’t had the wits to bring in a new “The Platform is Burning” CEO.

The clear winner: Facebook. To their credit, they first hired the right people out of the identity world. Then, they thought hard how to turn user-centric identity into a product that mere mortals can understand — and that increases the Facebook stock price. That it has, literally by billions. Users’ lives have become better on the net as a result, but make no mistake: the primary beneficiary has been Facebook and its shareholders. There is nothing user-centric in Facebook’s implementation of identity. At least nothing that any of the above visionaries would recognize as part of their vision. Facebook-centric is the best way of calling it.

(To be clear, I have no problem with what Facebook did on this subject. In a competitive market, they should be held in check by competitive forces. Sadly, its competitors’ forces seem to have been exhausted by being asleep at the wheel to an extent I have a hard time grasping.)

So, for now, user-centric identity is dead in the sense that it has been losing market share and mind share at a furious rate, with no white knight in sight. It was fun while the ride lasted. It will come back for sure, with new visions by (likely) new visionaries. Decentralization and user-centricity, like democracy, never die; they just disappear from sight for a while.

So join me: “User-centric identity is dead, long live its second coming when it does!”


11 responses to “The Death Of User-Centric Identity — for now”

  1. You and I and the rest of the early user-centric folks invented stuff that failed indeed. We got some things right and others wrong. There are lots of reasons why. UX, lack of perceived end-user value, the tension between doing something simple and narrow vs. something more complex and universal, ecosystem & business issues, etc. What can we make of all this failure and the rise of Facebook? Well to me, what’s really going on here is that we’re in the middle of a messy process of finding out the real requirements for success. We didn’t really understand the requirements in those early days. But users will eventually wind up in a position of increased control. It’s inevitable. That’s what keeps me going. And I think that’s why you added “–for now” to your headline. -PaulT.

  2. We are making great progress – we now know dozens of things which don’t work! And I’m not merely being flippant. OAuth was a qualified success; definitely a compromise, but it is an improvement over what came before. And it provides a good substrate to build on. I can say that many had aspirations for allowing it to be user centric as well, and the result allows but does not require (or to be honest, encourage) user centricity. There are critical missing pieces (discovery) and new platforms (clients) that need better support.

    Solving user experience problems in a user centric way IMHO requires support from email providers and from clients of all kinds. Fortunately those entities are already in a good position to provide identity to those who don’t want to exchange public key fingerprints at parties — users already trust them to install code on their devices, after all. You don’t get much more trusted than that, especially if you enable autoupdate.

  3. I can’t fault your memory of history, but there’s one shortcoming that you overlook. Not one of those projects was about human-centered identity, only the much narrower ‘user-centric identity’, as the term is used by software developers talking about the Internet. The four projects you mention devoted themselves to a variety of techno-centric problems, with different degrees of emphasis:

    1. allowing a single set of logon credentials to be used by multiple systems;
    2. retrieving data about a user account so that it need not be rekeyed;
    3. relating a network node to a person (in the legal sense of ‘person’);
    4. obtaining reliable, non-repudiable evidence that a promise will be honoured;
    5. allowing data about a user account or person to be aggregated across multiple systems;
    6. establishing ‘sameness’ or persistence over time, so that data need not be re-checked.

    I think it’s a mistake to say that human centered identity is dead. Some projects have made stumbling progress. We have learned a lot about what doesn’t work, and something about what does. But not enough attention has been paid to the difference between a person and an account, or a person and a promise. The principles of a ‘federated’ model have been at best, neglected, at worst, actively frustrated. The needs of the wider world have been treated as a subset of those of Silicon Valley. We can do better.

    I’m not even convinced that Facebook has got it right. As Cory Doctorow said recently, a good way to look at Facebook is as a Skinner Box for teaching teenagers to under-value their privacy. Their solution is entirely Facebook-centric and convenience driven. That could create a mass of very malleable consumers, it could create universal low expectations of websites, or it could define Facebook as a place you want to move away from when you need something better or different. I believe the future will be much more human-centered than the recent past.

  4. […] Johannes Ernst’s Blog » The Death Of User-Centric Identity — for now "The clear winner: Facebook. To their credit, they first hired the right people out of the identity world. Then, they thought hard how to turn user-centric identity into a product that mere mortals can understand — and that increases the Facebook stock price. That it has, literally by billions. Users’ lives have become better on the net as a result, but make no mistake: the primary beneficiary has been Facebook and its shareholders. There is nothing user-centric in Facebook’s implementation of identity. At least nothing that any of the above visionaries would recognize as part of their vision. Facebook-centric is the best way of calling it." (tags: identity openid facebook usercentric) […]

  5. that you reference only the top quora vote getters is symptomatic of the problem. as jon stewart said last night about fox news, ratings doesn’t equal quality and the better answers are those that received the fewest votes, including david recordon’s who only got 9 votes. i also like the guy’s answer who only got 2 votes in which he asked where is openid’s apache? (or might i add mosaic).

    facebook has dumbed us down by tricking us into measuring our progress by winner take all metrics. if we don’t let the conversation be dominated by those metrics, then we can hear from real people, we won’t let our decisions be tainted by survivorship bias.

  6. Heh – my XRI i-name above *should* read ‘=fen’ — yet another reason XRI died.

    However, I remain a fan of the dream as envisioned by XRI. It was a protocol that could enable 100% privacy and true user-centric identity, where there would only be one real copy of my name, address, etc. and others would be granted (perhaps onion-routed) links to this. Thus all friends/orgs/etc. that I wanted to have access to this info would always be current (when I moved I would just change my address in a single location) and I would have complete control over who had access to my data, controlling the ability to sever ties whenever I chose.

    XRI extended URLs but was not intended to “supplant DNS” though it could operate free of DNS (e.g. on Freenet-style DHTs).

    If and when an identity system rises from these ashes, I would hope that it is free and open source, decentralized and not dependent on any single protocol (like DNS), provides complete security when desired (as I should be the only one that has control over my “super profile” consisting of the sum of all my online interactions) and yet supports transactional transparency (again, when desired).

    In my view, the eventual solution is indicative of the problem. Facebook won as they saw how to make money from it and the others lost because they were all trying to serve two masters: big business and individuals. The True Identity System will be a grass-roots, underground system that starts in small communities needing secure transactions and reputation management. Reputation is the key, and it can’t be bestowed by an untrusted, faceless megacorp. When such communities start looking for an identity system, I suggest they check out XRI. Until then, [Like].

  7. I don’t accept the premise that there is one winner in any identity ‘war’. The very best idea in modern identity theory is that we each exercise a plurality of identities. There is no one-size-fits-all identity solution; there can be no one winner!

    And I wouldn’t resign myself to Facebook Connect just yet. It’s nothing more than an unverified nickname, convenient for logging on to websites that don’t care who you are. Facebook Connect has nothing to offer in serious transactions like banking, e-health, online government service delivery. And it’s nowhere near delivering useful verified anonymity.

    I fear that we’re not tackling the real reasons for the failure of all those lines of thought. They all start out with the truth of identity plurality but then go their separate ways, trying to re-engineer the way that we obtain and then work with our digital identities. By introducing Identity Providers and the like in between Services and Customers, the new models fundamentally change the way people would transact, introducing untold legal complexities.

    Why don’t we acknowledge most of the perfectly good identities we already have and put our efforts into better preserving them online?