Posted by: Mike D | April 17, 2009

Internet Identity 101

I believe that Identity is one of the biggest end-user challenges at large on the Internet (and in IT) today.  Let’s be more specific: The concept of Identity in IT is not well understood by the end-user community, and as such presents one of the greatest challenges that we as an Industry are faced with today.

Identity in Information Technology (IT) is a massive topic – it’s too big to put all the issues in just one post.  However, it’s an important one so I’m going to break it off into little, bite-sized chunks.  Today’s post will serve as a primer, while subsequent posts will get deeper into the more specific topics regarding Identity.

Your Identities and You

Here’s an easy analogy: Take the common phone number.  Everybody knows how the phone number system works, right?  Country codes, area codes, international dialing.  Long distance, monthly tariffs, metering.  Okay, maybe everybody doesn’t know it to a great level of detail, but everybody knows how to use the system to make calls.  It’s easy.  Further, it’s fairly ingrained in everyone’s psyche that a person has one number for “home” (a.k.a. “the landline” which rings for “the entire family”), another which is their mobile (which rings only for themselves), another for work (which might be a direct dial or an extension), one for fax (which is usually for work but might be for home, etc).  People understand how they are to represent themselves whenever they receive or use the phone attached to a certain number.  In other words, they understand the required “identity”.  For example, we might answer our home phone with a friendly family greeting, but I might answer my work phone with a more professionally-oriented message.

This concept applies – or should – online as well.  Simply put – your Facebook profile and your LinkedIn profile should never be linked to each other.  I’ll leave it at that for now, and will expand on it more in a later post…

Identity versus Login

One of the concepts people tend to fail to grasp is the difference between Identity and Login.  It’s not just the end-user community – many service providers fail to disassociate the two.  This raises many problems which most of us simply accept, though I believe we shouldn’t.  What happens on the end-user side is that people will get a new email address, and then go around to all their services and create new logins based on that new address instead of updating their existing identities.  On the service provider side, a lot of the time “the good names are taken”, so you create a login name like, oh, I dunno, “smd2008” – which becomes your handle/nickname – or your brand/identity.

Solving at least the service provider problem presents a bit of a catch-22.  While I can “download WordPress” and host it on my own system, which then allows me to create any login name I want, I also break away from the WordPress community (in other words, it’s very “anti-social” – I can’t, for instance, download my own copy of Twitter or Facebook to create my own private group of users).

Federation is really the key to this puzzle – or part of the key.  Single login for multiple services.  That said, WordPress is Federated (OpenID).  I just don’t like how they’ve done identity.  Anyway, we’re too deep into this for this post.  Moving on…

SSO and Federation

For the uninitiated, SSO stands for Single Sign-On, and what it does is make all of your applications work with the same username/password.  You login once in the morning, then not again for the rest of the day, regardless of what application you switch to.

Federation does almost the same thing, however you have to login to each application separately.  You still get to use the exact same credentials, even to the point of only having to change your password in one place (which SSO can do too).  The advantage of Federation is that it works across service providers, assuming all of your service providers support the same federation provider.
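The federation flow just described, as an added example that is not from this post and not how OpenID or Shibboleth actually work: one login at an identity provider, short-lived signed assertions for two separate service providers, and each provider mapping the asserted subject to its own integer record ID without ever seeing the password. The provider names, the HMAC-based signing and the pairwise pseudonyms are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

def b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
def pwhash(password, salt): return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class IdentityProvider:  # holds the credentials once and vouches for the user to each SP
    def __init__(self):
        self.key = secrets.token_bytes(32)             # shared with SPs; a real IdP signs with a private key
        self._pseudonym_key = secrets.token_bytes(32)  # never shared: derives a different subject per SP
        self.users, self.sessions = {}, {}             # username -> (salt, hash); session id -> username
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, pwhash(password, salt))
    def login(self, username, password):  # the one login; the session is reused for every SP
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(stored, pwhash(password, salt)):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid
    def assertion(self, sid, audience, ttl=300):  # short-lived, bound to one SP, pairwise pseudonym
        username = self.sessions.get(sid)
        if username is None:
            return None
        sub = b64(hmac.new(self._pseudonym_key, f"{audience}|{username}".encode(), "sha256").digest())
        payload = json.dumps({"sub": sub, "aud": audience, "exp": int(time.time()) + ttl}).encode()
        return b64(payload) + "." + b64(hmac.new(self.key, payload, "sha256").digest())

class ServiceProvider:  # never sees a password; maps the federated subject to its own record ID
    def __init__(self, name, idp_key):
        self.name, self.idp_key, self.records = name, idp_key, {}
    def accept(self, token):
        payload, mac = (unb64(part) for part in token.split("."))
        if not hmac.compare_digest(hmac.new(self.idp_key, payload, "sha256").digest(), mac):
            return None                                # forged or tampered assertion
        claims = json.loads(payload)
        if claims["aud"] != self.name or claims["exp"] < time.time():
            return None                                # issued for another SP, or expired
        return self.records.setdefault(claims["sub"], len(self.records) + 1)

def demo(password="correct horse battery staple"):  # constructed scenario: one login, two SPs
    idp = IdentityProvider(); idp.register("mike", password)
    blog, photos = ServiceProvider("blog.example", idp.key), ServiceProvider("photos.example", idp.key)
    sid = idp.login("mike", password)
    ids = [blog.accept(idp.assertion(sid, "blog.example")) for _ in range(2)]   # same record both times
    photos_id = photos.accept(idp.assertion(sid, "photos.example"))
    misdirected = photos.accept(idp.assertion(sid, "blog.example"))             # blog's token at photos
    return ids, photos_id, misdirected, blog.records, photos.records
```

Because the subject is derived per audience, the two providers hold different identifiers for the same person and cannot tie their records together by comparing them.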

Federation is key as we move into cloud services and outsourcing applications, but is very much a work in progress.  There’s certainly no real standard for federation, though OpenID is close as a brand, and Shibboleth as a technology, at least within the research and education (R&E) community.  If you listen to any of the discussion surrounding work on Federation, you can hear that the people involved are still very much in discovery mode about what works and what doesn’t from the end-user’s perspective.

Both are important in IT architecture and strategy, which is what my $work is all about.  But are they important to you?  Matt Hartley asks that question, and I think the relevant answer is, “they will be”.  And if you’ve ever been frustrated by trying to keep track of all of your website credentials (think of all the banking sites, corporate sites, and services sites that you have login/password for), then the answer should be “they should be”.


So I’m a bit over my quota on the SSO and Federation topic, and likely near the end of my rope on the whole Identity 101 thing.  It’s not the most engaging post in the world, however it serves as a primer for discussions that will follow.

One theme that I will bring up from time to time is how Information Technology compares to Telecommunications Technology (TT), and to be more precise, how simple TT is compared to IT.  The “average user” understands TT well enough that they don’t need help using it.  The same is not true with IT, but it is my belief that IT should be as simple or easier to use than TT.

You can see an example above in my paragraph about the phone number system, which brings me to the moral of the Identity 101 story: Identity and authentication is a mess of a system (if you can even call it a system) which leads to confusion and a lack of understanding in the end user community, contributing to the perception that, “IT is complicated”.  It’s quite a challenge we have on our hands to un-complicate it.


Responses

  1. Thanks for your comment, Grok,

    Some federation services try to accomplish what you’re looking for. Microsoft Live and Google both run their authentication as federation services and make it (the authentication service) available to third-party sites. Some sites may ask for additional information, but many only require that authentication token (or integer in your example). There are also plugins for Firefox and IE that allow you to automatically fill out sign-up forms with personal information, but I can hear you already – this really doesn’t solve the issue.

    Try using your Google ID, Microsoft Live ID, or your OpenID (if you have either – and if not I recommend you try them) on the next site you sign up for that supports them. I’d be interested in hearing of your experience back here in the comments.

  2. The thing that concerns me with the web and identity is how easy it is to tie all kinds of activities together.

    It would be nice to have a mutually trusted third party vouch for a maintained unique anonymous identity on my behalf — so that I could use one account at various service providers without revealing anything about me.

    Service providers don’t NEED any information about me, they just need to know I’m the same me as yesterday so they can match me up to my integer record ID in their user table.

    Share that integer all you want baby!

