Here’s the weird thing about this identity gig: There’s no enemy. So who can we blame for our failures?

Over the years, for each of the things I’ve cared about, usually there’s been an Adversary, a big strong scary one. I’ve championed Unix against VMS, the Internet against the OSI stack, Linux against Windows, descriptive markup against Adobe, REST against WS-*, agile against waterfall, dynamic typing against the statically-typed incumbents, Android against locked-down app ecosystems, and so on.

But, in the world of Identity, who’s the bad guy? I mean, seriously, is there anyone who thinks the current username/password miasma is worth defending? Or who doesn’t think privacy and security are big deals?

There are still big operators out there whose actions give me severe heartburn: Apple, Oracle, and more. But are they identity bad guys? I don’t think so.

I suppose you could point a finger at Facebook if you don’t like their privacy attitude (and I don’t); but as far as I know, they’re not getting in the way of anyone trying to improve the big picture.

If there’s no enemy, we ought to be waltzing to victory, right? We’re not; if you’re in the Internet tribe and want to know who to blame, go look in the nearest mirror. So far, we’ve failed to ship things that combine being secure & private with being easy enough to deploy and use. That’s all.

Contributions

From: Nelson Minar (Oct 25 2012, at 09:57)

Are you forgetting the sad history of Microsoft Passport? They had a coherent plan for solving online identity going back to 1999. The main reason it failed is no other company was about to trust Microsoft with customer login data and customer relationships.

I fear the same problem faces any new centralized effort to solve identity. No one's going to trust Google, or Facebook, or Twitter, or even little ol' Yahoo with login. Which is how we got to federated systems like OpenID and their associated complexity. I agree there's room for cooperation in designing a federated system, but then politics make it so slow to accomplish anything. Facebook didn't wait around, hence Facebook Connect.


From: Joseph Scott (Oct 25 2012, at 09:58)

"we’ve failed to ship things that combine being secure & private with being easy enough to deploy and use"

The enemy is finding this combination. When the user experience for these new identity approaches ends up being worse than what we have now, there is very little motivation to deploy them.

From: Blaine Cook (Oct 25 2012, at 09:59)

Agreed.

In fairness, though, to those of us who've tried to advocate for simple, usable systems, the standards process so far has resulted in horrible things.

The community that works on these things needs to reach out to a wider community of people, and learn to cooperate. I feel like I went into the standards process with an open and eager mind, and I now just get angry any time I think about it.

Usability, real implementations from a wide variety of implementors, and simplicity need to factor into the standards process, not just "security" and the ability to endlessly reply to endless mailing list threads.


From: tom jones (Oct 25 2012, at 10:07)

You can't honestly say Facebook isn't the closest thing to an enemy in this case? Would you even have this job (the identity one, not the Google one) if Google wasn't scared that Facebook is becoming the de-facto identity provider for the internet?

Even +, the biggest, most ambitious project in Google's (recent) history, is said to "provide identity, first and foremost" by Eric Schmidt [1].

So instead of me looking at my mirror, maybe you should call up both your and Facebook's bosses and get *them* to look at their mirror, and then agree to work toward a common goal?

[1] http://news.softpedia.com/news/Eric-Schmidt-Sees-Google-as-an-Identity-Provider-Making-Real-Names-Necessary-219095.shtml


From: Charles (Oct 25 2012, at 10:17)

I wonder if we should look at the "Conclusion" section here for insight into why username/password is still dominant:

http://www.tbray.org/ongoing/When/200x/2004/01/14/TPSM-8020


From: Zack (Oct 25 2012, at 10:27)

The problem is making it easy enough to use (by developers and "users"), while simultaneously making it hard to screw up.

The problem with the current username/passwords is they fail at both of these goals. More of the blame can probably fall on developers, as their errors have greater security implications, and they should know better by now.

Rather than looking for something to define progress as a reaction to, it probably would be better to focus on making drop-in replacements so easy for developers to use that it would be stupid to implement even a trivial username/password system.


From: Chris Selwyn (Oct 25 2012, at 10:40)

My recollection is that as soon as anyone proposes setting up such an identity system, everyone else suspects their motives and doesn't trust them.

They automatically become "the enemy".

It does not seem to be a matter of technology... There have been many technological propositions from many really clever people on how to solve the problem.

It's a matter of trust... How does one group get to be sufficiently trusted by the Internet at large that we are happy to have them keep our individual identities securely and confidentially?

If we can't trust one group, then we have to go with a federated system with all of the complexity that entails. Then users have a choice as to which group to trust with their identity. It is still a really difficult question to ask given that most people don't understand the pros and cons of individual offerings.

Given a choice that they don't have to make, because the current system of lots of usernames/passwords for each site is familiar and (sort of) works, I suspect that most people will choose to not make the choice.

From: Andy Steingruebl (Oct 25 2012, at 10:45)

I suggest the recent analysis from Susan Landau and Tyler Moore points to the economics of it being the problem/enemy :)

http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340


From: pjz (Oct 25 2012, at 11:40)

I disagree - the enemy is those who think that centralized identity (be it Facebook, Passport, or G+) is Good Enough (somehow they only seem to think this when they're the centralizer). We shouldn't stand for it, and I think OpenID and OAuth are steps along the right path - we just need to go farther.


From: Simon Gauld (Oct 25 2012, at 12:26)

Can we agree (or just plain define) what is actually 'wrong' with the username/password approach? I mean in terms of: what is wrong, to a nontechnical/normal person, about using their username and password.

At least so the various problems can be laid out bare and agreed upon.

It seems to me the current crop of x-auth or 1password style 'strong' passwords are really just pushing the goalposts around.

So rather than a technology-focused approach, what is it we are actually trying to solve?

I tend to use nontechnical family members as test cases for software, and in this case I struggle to describe the problem to them, as their understanding (probably led down the path by me) ends up as "ok, so give all my passwords to google/twitter/facebook, and then click the various 'OK I agree' buttons for any given app", so google/facebook/twitter has my password now. So we are still at that bit.

From: Marek Wiesel (Oct 25 2012, at 12:59)

I like the username/password system! It's decentralised and the user is in control:

- It's easy to create throwaway or anonymous accounts

- You can choose password complexity to suit the application

- It's hard for anyone to tie your online identities together if you don't want them to

If it's a headache managing all the username/password combinations then that's a problem that's quite easy to solve with technology (I keep them encrypted on a wiki page).


From: len (Oct 26 2012, at 10:10)

http://www.tbray.org/ongoing/When/200x/2004/01/14/TPSM-8020

What Charles said.

How many of those losers are still standing?

Your problem with this laudatory blog to your own successes, Tim, is you are a winner take all personality in an enough to get by is good enough world which was good enough advice when you applied it to your own favorites and not good enough when you aren't winning.

Find a mirror.


From: Rafael (Oct 27 2012, at 01:11)

Identity isn't a technological challenge (though it is a Massive one).

It is about trust. Otherwise none of us would have windows in our houses.

In our subset, no technological solution will suffice.

Every lock has its locksmith. G


From: peterb (Oct 28 2012, at 06:38)

As a customer, I think it's an implausible argument that any company - be it Google, Facebook, or anyone else - that makes its money primarily from selling my identity to advertisers can or should be trusted with managing my identity.

So if your question is "How can you not trust us?" realize that you're in the position of the used car salesman asking whether I think he's lying when he swears the previous owner was a little old lady from Peoria.


From: Daniel Smith (Oct 28 2012, at 18:04)

Identity meets all the criteria for a "Wicked Problem". You have an intersection of social, technical and financial concerns that make resolution of the issue problematic.

Let's look at Identity Providers:

Facebook doesn't have either sufficient trust from their users (due to advertising practices) or sufficiently robust information about their users.

Google has the same issues as Facebook but slightly less so.

Apple have about 200M credit cards but have a sufficiently large "anybody but" base that they're a non-starter.

Microsoft have similar issues to Apple.

Outside the tech industry we have Government (and you thought people had privacy issues with Facebook!) and Financial Institutions (not the most loved or trusted of people).

The cases where Identity has been successful are when a person is representing an Institution and leverages an existing contractual relationship, aka Shibboleth.

What this probably tells us is there is no "Grand Theory of Everything" for Identity. It's always going to be messy and untidy -- just like the social strata it represents.


From: Hex (Oct 29 2012, at 03:42)

Google's contribution to just-getting-along would be a lot greater if it stopped trying to tell people what it thinks their identity should be. (#nymwars.)

Until that attitude problem is fixed, no matter what technical solution it offers, Google will not be a trusted provider.


From: Eddie (Oct 31 2012, at 04:27)

This is not for one artificial person (corporation) to solve for the planet, despite Eric Schmidt and friends wanting to do so. Please leave it alone, Google; we don't need you data mining everyone to death.

From: Matěj Cepl (Dec 03 2012, at 02:44)

As to the employee of a company which (in bed with others; I don't claim a racket, just common disdain for others) killed OpenID, I would suggest a mirror as a good tool to find the enemy of privacy on the Internet.

October 25, 2012