All these technology and information-flow and money issues in the Federation Conversation are real, they matter. But none of them matter as much as trust. For flavor, here’s commenter Dewald Reynecke: “I don't trust Facebook/Google as far as I can throw them — I simply do not want to outsource my identity to an advertising company.”
Everybody has to trust somebody sometimes. But the Internet and the world are scary places; mistrust is a healthy component of sanity.
And it’s complicated, because it isn’t just people trusting (or not) Identity Providers (IDPs) and the apps using them. The apps and IDPs have trust decisions to make, too.
Your checklist · As in, how are you going to decide whom to trust?
It’s complicated because there aren’t any pure IDPs. Last time I saw numbers, the four biggest were Facebook, Google, Twitter, and Yahoo; each built its IDP service to support its mainline business. And because of the mainline businesses, each already knows a lot about you.
Which isn’t necessarily bad. What’s bad are surprises; anyone can lose your trust instantly and irrevocably by sharing the wrong things in the wrong way, when you weren’t expecting it. When it happens enough times, you can lose the trust of whole populations.
Mr Reynecke, quoted above, distrusts IDPs specifically because they’re advertising companies. Fair enough, few people love the advertising biz; but I think he’s in a minority in taking it that far.
I personally would love there to be a first-rate standalone IDP that didn’t do anything else, pure identity-as-a-service. If I could think of a business model I’d do a startup in a heartbeat. But I can’t because I suspect most people wouldn’t pay; they’re just fine with getting one-click IDP sign-in magically paid for with someone else’s ad dollars.
Also, I’ve occasionally thought that this is the sort of thing that a government department should offer as a service for citizens; but that was B.S. (Before Snowden).
So when you make your checklist for a trustworthy IDP, I suspect only a few would put “not an advertising company” on it. Here’s my list:
Hasn’t abused my trust in the past.
Has a simple business reason for wanting to be an IDP.
Has a decent business and is apt to be around for a while.
Is technically competent and hasn’t been embarrassingly hacked recently.
Is smooth and fast — gets me signed in with hardly any clicks, and no confusion.
And another question: Is the trust checklist any different for the apps using the IDPs to get you signed in? (Not for me.)
The apps · I generally don’t believe in the old OpenID dream that anyone could show up at any app and say “Here’s my IDP, trust it.” Because it’s hard to convince lawyers and policy people that that’s a sane idea. (Disclosure: I’m sort of with the lawyers here.) So I suspect that we’re looking at apps having IDP whitelists. If you’re a developer, you might be making one soon for your app.
I suspect that an app’s trust checklist for IDPs looks a little different:
Is generally trusted, rather than feared or scorned. (Which is to say, includes the individual’s checklist above by reference.)
Has good signin-approval rates. (Which means, among other things, “Is generally trusted...”)
Is willing to give me valuable information about my users. (But without forfeiting their trust along the way, which means transparency and ethical defaults.)
The IDPs · We have to exercise our trust muscle, too. In particular, we have to decide whether to trust apps. Since people don’t read approval screens, we know that apps will usually get the information they ask for. Some will ask for too much, then abuse it.
And so we probably have to pretend it’s our responsibility even if we and everyone else were playing by the rules. Thus a good IDP has to be looking at approval rates and a bunch of other diagnostics, and deal with loss-of-trust situations. [Have I mentioned that being an IDP is expensive?]
Trust isn’t free · It’s not even cheap. You shouldn’t be too eager to give it, but paranoia isn’t a quality-of-life booster either.
I’ll tell you who I don’t trust. I totally don’t trust all the millions of apps out there to take good care of getting me signed in old-school, with yet another password for each. What a goofy idea.