I've been hearing a lot in the past week about OpenID, the free authentication protocol. And by "a lot," I mean it's been mentioned on a few blogs, including in Lee LeFever's always-useful plain English.
In simple terms, OpenID provides a framework to centralize authentication by associating a person with a unique Internet address. Just as every web site and networked device has a unique address, a person now can too. Using that address, a person can log on to a web site that uses the OpenID protocol by providing their unique address. The web site points the person back to their own address, where they authenticate and are sent back to the site they want to log on to. The benefit here is needing only one set of credentials to log on to many sites.
In addition, OpenID enables people to specify which pieces of their personal information are shared.
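The redirect round trip described above, sketched as an added example that is not from the original post: the site builds the redirect to the person's provider, then checks the signed answer that comes back before trusting it. Field names follow OpenID Authentication 2.0 (the post does not say which version it has in mind); the hosts, association handle and shared key are constructed, and discovery and association set-up are left out.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

OP = "https://op.example/auth"             # hypothetical provider endpoint
RETURN_TO = "https://rp.example/return"    # hypothetical relying-party URL
MAC_KEY = b"constructed-association-key"   # constructed shared secret for the demo
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce",
             "assoc_handle", "claimed_id", "identity"}

def auth_request_url(claimed_id):
    """Step 1: the site sends the browser to the person's provider."""
    return OP + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO, "openid.assoc_handle": "h1"})

def sign(fields, signed):
    """HMAC-SHA256 over newline-terminated 'name:value' lines, base64-encoded."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(fields, seen_nonces):
    """Step 2: check what came back; return the identifier or None."""
    signed = fields.get("openid.signed", "").split(",")
    if fields.get("openid.mode") != "id_res" or not MUST_SIGN.issubset(signed):
        return None                      # unsigned fields can be altered in transit
    if any("openid." + k not in fields for k in signed):
        return None                      # a field listed as signed is missing
    if fields["openid.return_to"] != RETURN_TO or fields["openid.op_endpoint"] != OP:
        return None                      # assertion was issued for another site
    if fields["openid.response_nonce"] in seen_nonces:
        return None                      # replayed assertion
    sig = fields.get("openid.sig", "").encode()
    if not hmac.compare_digest(sign(fields, signed).encode(), sig):
        return None                      # signature does not match the fields
    seen_nonces.add(fields["openid.response_nonce"])
    return fields["openid.claimed_id"]

def sample_assertion(claimed_id, nonce):
    """Constructed provider response, standing in for the redirect back."""
    f = {"openid.mode": "id_res", "openid.op_endpoint": OP,
         "openid.return_to": RETURN_TO, "openid.response_nonce": nonce,
         "openid.assoc_handle": "h1", "openid.claimed_id": claimed_id,
         "openid.identity": claimed_id}
    f["openid.signed"] = ",".join(sorted(MUST_SIGN))
    f["openid.sig"] = sign(f, f["openid.signed"].split(","))
    return f
```

A real relying party would also confirm through discovery that the provider is allowed to speak for the claimed identifier.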
Having said that, at least one VP of Engineering of a major community platform has "never heard of it." And there's plenty on the blogosphere about all the unsolved issues with it. Digg, however, has announced it will adopt OpenID--but the truth is, despite Digg's popularity (sic) and power in the social networking world, it remains a niche player on the Web as a whole. Nonetheless, the leading edge seems to be paying attention. And adoption by one major player could create a tipping point.
So, though declarations of a revolution in universal online identity management might be a little premature, it does seem that OpenID opens the door (ahem) to broadly-useful advances in identity management across the Web.
It's no surprise to see something like this emerging. The problem of identity has been getting bigger and broader for several years now, as more people do more stuff online, as personalization has become more important, and as participation has become the norm. Most folks use just a single set of credentials for everything. I sat next to a woman on the airplane recently who keeps a spreadsheet with all her credentials on her PDA. Yikes!
But there's another issue I haven't heard talked about yet. As Lee describes it:
In more Plain English, it's a standard that enables Internet users to have an online identity (username, photo, profile info, etc.) that is constant for every website to which they belong. OpenID is not owned by anyone and everyone has equal access to it. One password, one login, one identity for each person.
That's putting it pretty clearly, and for me Lee's description highlights exactly where OpenID in and of itself doesn't provide the answer. From my perspective, multiplicity of identities isn't the problem, and creating a single universal identity isn't the solution.
We quite appropriately have many identities online, each suited to its context. I have identities for several personal and professional blogs, for several online communities, and on several platforms. I reveal different information about myself in each. I have relationships with an untold number of online businesses I've interacted with, and these relationships are invisible to each other. They have to be. PayPal, for example, has information about me that I would prefer not to share with the world, and at work I log on to networks with sensitive competitive information. In a backcountry skiing community I have one persona, and in an information architecture community I have another. Rightly so.
Managing all these identities is the problem. And... widespread adoption of OpenID could be the first really promising step toward solving it.
Here's a picture of what we have today, illustrating some of why we need to have multiple identities:
And here's a picture of where we may be headed as syndication, portability, and personalization become more ingrained in the Web experience:
To realize the notion of a person-centric web, we need tools to centralize and manage identity. Human beings will be a primary object type on the Web, with explicit and behavioral metadata attached as the aggregate result of all Web activity. OpenID will underlie a new class of identity systems that make it easier for people to interact with the Web more securely, with appropriate levels of trust, and with more connection to the things they care about.
Boo-yeah!
But wait. Who controls that metadata? It's tempting to say OpenID provides the architecture to support a democratizing movement toward user control. In truth, I believe ownership of personal metadata will be negotiated as part of usage agreements, because behavioral metadata especially, in the context of e-commerce for example, constitutes competitive advantage for online sellers. Would Amazon share your purchase history with Borders? No, but you might want them to. That negotiation, and the sharing and hiding of personal metadata, will soon become a critical facet of our digital lives.



I'm sooo interested to see how all this plays out. To touch on a couple of things. Like your example about multiple identities, Open ID does have the ability for a single person to have multiple "personas" as they call it. My description was a little misleading in that respect.
Something else that is interesting is how the OpenID framework, as I understand it, will enable what they call "attributes". Your eBay seller rating is an example. If eBay (or any owner of such data) wants to play along, they can create an OpenID attribute for the seller rating data. Once this attribute is created, it becomes portable and linked to an OpenID user, enabling it to be displayed as part of their profile.
Again, lots of issues still, but the potential is really exciting. Have you seen Jyte? www.jyte.com. It's an Open ID enabled site that traffics in "claims", like "Manchester United was better than Arsenal in 2005" - and then put it up for votes. Another could be personal - like "Ryan Turner is good at darts". If these votes bear positive (or promotional) fruit, they can become part of your personal (and portable via Open ID) reputation. It's one example of the sites we'll see that build on the idea of personal, portable reputation.
Posted by: Lee LeFever | March 03, 2007 at 04:07 PM
In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts...
Posted by: James | March 05, 2007 at 03:27 AM
Great comments, thanks. You know, there's something I'm very uncomfortable with about the notion of portable reputation. I haven't yet really put my finger on it, but it has something to do with the sense that identity online needs to be more context-sensitive than identity offline. You need to have more control of your metadata. At the same time, I certainly appreciate the opportunity to increase accountability for online behavior.
OpenID, and identity systems built on top of it, can certainly provide a new way to raise the threshold of entry for participation where a lot of accountability is required. And that's a good thing, when you have a community with a high trust requirement.
James, to your point, I really do believe we're already moving past the basics of identity--i.e., attached to you is not only the things you tell the world about you, but also all the things you do and say online. (See Anil Batra's blog for details about behavioral targeting and personalization.) For me, structuring stocks and flows (content and channels) around all this personal metadata is the information architecture of the future.
So much to talk about. As this new blog gets up and running I really appreciate you joining the conversation.
Posted by: Ryan | March 06, 2007 at 08:56 AM
I just can't find my notes on it, but I read a post about anti-phishing solutions in the OpenID context, and the author's point was that an important part of all this is going to be Client-side Software to help users more completely manage their claimed on-line identities.
I have yet to digest this post more fully, but it seems to me that "managing all our identities" would absolutely call for such client-side software (so the lady on the plane with the spreadsheet of all her credentials may be on the right track!).
Posted by: Rene Ylanan | March 07, 2007 at 01:02 AM