July 6th, 2006

Identity 1.x: Microsoft Live ID and Google Accounts

Posted by Dion Hinchcliffe @ 11:35 am

Categories: Convergence, Encouraging Unintended Uses, Lightweight Service Models, Mashups, Products, Radical Decentralization, Small Pieces, Loosely Joined, Web 2.0, Web services

Tags:

Many digital identity and Web 2.0 watchers have been tracking Microsoft and Google’s recent efforts to achieve leadership in the potentially high-stakes world of Web-based identity.  The goal: To provide a single, common user credential that is trusted, secure, and widely supported across the Web and within enterprises.  The advantages and disadvantages of each firms’ approach highlights an area of Web 2.0 that is very much in flux and without a clear outcome.  Specifically, I’m talking about Microsoft’s Live ID and Google Accounts. I won’t rehash here the excellent recent industry commentary except to refer you to the informative coverage from Eric Norlin, Dick Hardt, and Dare Obasanjo. 

At the heart of these efforts is the fact that the Web is fundamentally lacking in an intrinsic identity mechanism; a single standard identity system for users to unambiguously identify who they are to entities they would like to prove it to. 

This means users still have to log in using a different set of credentials to every Web site they visit that doesn’t support one of the federated identity systems available today.  This world of fragmented logins also has a lot of implications for the growing remix world of Web 2.0 mashups. These sites use remote Web services that require logins to access a user’s information on the remote Web site.  The power and utility of these mashups are limited where there is no safe way to pass identity along to these others sites without providing a long list of user IDs and passwords.

Weak identity systems have further led to difficulties in making democratized e-commerce safe, such as auction sites where both parties are almost completely unknown to each other or anyone else.  The blogosphere itself can also be used a reference for problems of this type with a well-publicized situation a few months back at the Washington Post highlighting the issue:  Namely that when it really counts, there’s no generally accepted way to identify who a user really is without resorting to onerous methods that are either 1) rife with privacy problems or 2) too complex and time-consuming and also kill the level of participation. 

And users themselves have to remember and maintain an increasingly long list of user IDs and passwords to gain access to their online software and information.

This has led to the notion of Identity 2.0, an open, standards-based, yet fundamentally decentralized identity model.  Identity 2.0 describes the concept of an ID that can be trusted and used anywhere and requires no centralized consultation with the ID authority that issues the credential.  Interestingly however, Microsoft and Google latest identity approaches come within various distances of this ideal, but do not achieve it at this time.

For its part, Google Accounts takes an interesting approach that is strangely reminiscent of Microsoft’s original Passport usage model.  In contrast to the Identity 2.0 ideal of a single roaming ID for the Web that’s usable and verifiable on the spot, Google has taken the centralized ID verification route.  The Google Accounts (a great diagram of how it works on this page) redirects all users to a Google controlled Web-page for login, and forcing everyone involved to cede all control (and privacy) of the verification process to a 3rd party. 

From a consumption scenario standpoint, this also means Google Accounts does not work well with the increasingly widespread Web services integration model that Web 2.0 software and mashups are making more common, at least without making users visit the Google Accounts page before using their mashup.

For their part, Microsoft’ Live ID, an extensive revised and improved version of their Passport product, actually gets a lot more of the details right by providing an open system that allows other identity systems to plug in and provides an SDK that allows rich programmatic integration.  Unfortunately, in this author’s humbe opinion, Microsoft’s approach is also beginning to run the risk of becoming complex enough to hinder it’s own adoption.  This is something that newer, lighter weight approaches like Sxip Identity are consciously avoiding though lacking the market dominance needed to foster wide adoption.

In fact, it appears difficult to see how any of these approaches will become widespread any time soon.  It’s the classic problem of reaching a tipping point: Users that are willing and interesting in using Web-based identity management systems just won’t get enough return on investment, nor will many Web sites be interesting in being tied to Microsoft or Google to verify their user’s identity.

Interesting however, the some of the big challenges with Web identity aren’t technical at all.  One real issue with Web identity is a lack of a formally recognized yet impartial identification authority.  Currently Microsoft and Google, which issue and control their the credentials, both require fairly low bars to issuing an identity.  This makes the digital identities relatively weak ones that are tied primarily to an e-mail address and not a real person.  That’s because unlike federal and state identification like passports and drivers licenses, current online identity styesms have no requirement to provide concrete evidence of one’s real-world identity. 

All of this basically limits some of the important benefits that Web identity could offer; though we get single sign-on and some other nice features, there’s no real movement forward in making online IDs substantially more credible and trustable by allowing identites to have strong real-world traceability back to the people they represent.

And while anonymity and privacy should always remain available to Web users, for some of the interesting new things to happen in the Web 2.0 world, stronger, better online IDs will be an important step forward.  The open and underlying challenge is how to do this on a global scale in a fair and equitable manner.  Because in end, like many problems in software, it’s not a technical burden at all but logistical and political one involving people.

Is weak online identity really a overall benefit or disadvantage to Web users?