About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


The sorry state of id and authentication

By Dave Birch posted Mar 9 2011 at 8:03 PM

I had a problem with my PayPal account: I used it in China, and it got blocked as the result of some kind of fraud screening.

I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money.

[From Digital Money: Holding court]

They still haven't got their money. In order to unblock the account, I had to log in and then have a code sent to my home telephone number. I clicked, the phone rang, I punched in the code and hung up. Nothing. I clicked again, the phone rang, I punched in the code and waited. Nothing. I clicked again, the phone rang, I punched in the code. After a while, I got an e-mail telling me that the authentication process had failed and so PayPal would post a letter containing some kind of code to my home address, which I could then use to unblock my account. It mentioned that the letter might take six weeks to arrive.

So the nice guys at Bike Beijing still don't have their money and I'm still embarrassed.

Now, all the time that this nonsense about codes and letters was going on, I had on my desk a Barclays PINSentry (which I can't even use to log on to Barclaycard, let alone PayPal), an O2 mobile phone (I've been with O2 for two decades and have a billing relationship with them; their system knew that I was in China) and a keyring OTP generator that we use for our corporate VPN. Any one of these could provide a better second factor than messing about typing in code numbers read out over the phone, but they all sit in their own silos and don't provide the kind of general-purpose authentication service that they should.

What should have happened, of course, is that I should have been able to log in to PayPal using OpenID, be redirected to an OpenID provider that supports 2FA, and authenticate there with (say) my PINSentry. PayPal would then hold a signed assertion that I had been 2FA logged in at an "acceptable" source (ie, Barclays Bank) and we could move on. So why doesn't this happen? Is it because OpenID has failed?

But if OpenID is a failure, it’s one of the web’s most successful failures. OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.

[From OpenID: The Web’s Most Successful Failure | Webmonkey | Wired.com]

It can't be that. OpenID has plenty of support, and even the US government got behind it.

Who would have predicted say, 5 years ago, that you would some day be able to use commercial identities on government websites? Evidently, this raises questions about privacy and security but if these initiatives can garner enough public support, government validation of open identity frameworks could be a boon for the ecosystem of the open, distributed web. Plus, it can make dealing with the government a lot easier for you, too.

[From US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al.]

It's not about the technology. I make no judgement as to whether OpenID is the best technology or not (although it does actually exist, which is a good start), but the truth is that it simply doesn't matter whether it is or it isn't.

The unresolved business and legal challenges implicit in federated identity are to blame for the under-delivery of OpenID

[From OpenID, Successful Failures And New Federated Identity Options | Forrester Blogs]

Indeed they are. So the problem isn't really anything to do with OpenID, or any other framework that might come along in cyberspace, but the legal framework that it has to sit inside. This is where we need the breakthrough. We need potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework. Now, you can do this contractually (as IdenTrust has done), but to scale to the open web, we need something more than that, perhaps an equivalent of the "creative commons" licences that are used for content but for credentials.

Even then, would someone like PayPal rely on them? Or would it only rely on identities from regulated financial institutions in the EU? Or only such institutions that met some minimum authentication standard? We're a long way from fixing my Chinese problem, despite having all of the technology needed to do so.
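The flow sketched above (log in to the relying party with OpenID, authenticate at the bank's provider with a hardware token, and let the relying party see that a fresh, physical second factor was used) is exactly what the OpenID 2.0 Provider Authentication Policy Extension (PAPE) was specified to carry. The following is an added example of the relying-party side of that check; it is illustration only, not PayPal's, Barclays' or any OpenID provider's code. The association MAC key, the provider endpoint, the return URL and the sample assertion are all constructed for the example; the namespace and policy URIs are the ones from the PAPE 1.0 specification. The point a practitioner should not miss is near the end: the PAPE fields are only worth anything if they are themselves under the provider's signature, otherwise anything on the redirect path can add a "multi-factor-physical" claim that was never made.

```python
# Relying-party (RP) side check of an OpenID 2.0 positive assertion carrying
# PAPE data.  Added illustration only: not PayPal's, Barclays' or any OP's code.
# The association MAC key, OP endpoint, return_to URL and sample assertion are
# constructed for the example.
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Assumed RP policy: the OPs this RP treats as an "acceptable source" (the bank
# in the post) and the RP's own registered return URL.
ACCEPTABLE_OPS = {"https://openid.example-bank.test/op"}
RP_RETURN_TO = "https://rp.example.test/openid/return"
# Fields OpenID 2.0 requires to be covered by the signature of a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def parse_auth_time(value):
    """PAPE auth_time is an RFC 3339 UTC timestamp; return it as epoch seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def kv_sign(fields, signed, mac_key):
    """OpenID 2.0 signature: base64(HMAC-SHA256 over 'name:value\\n' lines)."""
    kv = "".join(f"{name}:{fields.get(name, '')}\n" for name in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def pape_alias(params):
    """Return the alias the OP bound to the PAPE namespace (openid.ns.<alias>)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def accept_step_up(query_string, mac_key, now, max_age=300):
    """Decide whether an assertion proves a fresh, hardware-backed 2FA login at a trusted OP.

    Returns (True, claimed_id) or (False, reason).  Nonce replay tracking and
    discovery of the claimed identifier are left out; a real RP needs both.
    """
    p = dict(parse_qsl(query_string, keep_blank_values=True))
    if p.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if p.get("openid.op_endpoint") not in ACCEPTABLE_OPS:
        return False, "OP not on allow-list"
    if p.get("openid.return_to") != RP_RETURN_TO:
        return False, "return_to mismatch"
    signed = p.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        return False, "required fields not signed"
    # Strip the "openid." prefix so the field names match the signed list.
    fields = {k[len("openid."):]: v for k, v in p.items() if k.startswith("openid.")}
    if not hmac.compare_digest(kv_sign(fields, signed, mac_key), p.get("openid.sig", "")):
        return False, "bad signature"
    alias = pape_alias(p)
    if alias is None:
        return False, "no PAPE data"
    # The PAPE fields must themselves be under the signature; otherwise anyone
    # on the redirect path could add or edit the claimed policies.
    if not {f"ns.{alias}", f"{alias}.auth_policies", f"{alias}.auth_time"} <= set(signed):
        return False, "PAPE fields not covered by signature"
    policies = set(p.get(f"openid.{alias}.auth_policies", "").split())
    if MULTI_FACTOR_PHYSICAL not in policies:
        return False, "no physical second factor"
    if now - parse_auth_time(p.get(f"openid.{alias}.auth_time", "")) > max_age:
        return False, "stale authentication"
    return True, p.get("openid.claimed_id", "")


def build_assertion(mac_key, policies, auth_time, sign_pape=True):
    """Construct a sample OP response (test data for this example, not a real OP)."""
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": "https://openid.example-bank.test/op",
        "claimed_id": "https://openid.example-bank.test/customer/12345",
        "identity": "https://openid.example-bank.test/customer/12345",
        "return_to": RP_RETURN_TO,
        "response_nonce": "2011-03-09T20:03:00Zd41d8cd9",
        "assoc_handle": "assoc-2011-03-09-1",
        "ns.pape": PAPE_NS,
        "pape.auth_policies": " ".join(policies),
        "pape.auth_time": auth_time,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if sign_pape:  # sign_pape=False models an OP (or an attacker) leaving PAPE outside the signature
        signed += ["ns.pape", "pape.auth_policies", "pape.auth_time"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = kv_sign(fields, signed, mac_key)
    return urlencode({"openid." + k: v for k, v in fields.items()})
```

`build_assertion` plays the bank's provider with a shared association key so the example runs offline; with a real provider the key comes from the OpenID association handshake (or the RP falls back to `check_authentication`). Note that passing the signature, the allow-list and the policy check still leaves the liability question the post raises untouched: the code tells PayPal that Barclays says a hardware token was used, and nothing more.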

Comments

Dave, I share your frustration - this kind of broken nonsense drives us all nuts.

And yet ... the apparent logic of being able to re-use all manner of existing identifiers is not soundly based. So you have a PINSentry, a long-standing billing relationship with a telco, your employer's OTP token, and I gather at least one OpenID as well. But "they all sit in their own silos and don't provide the kind of general-purpose services that they should".

With respect, who says they should be so re-used? Your bank, telco and employer don't. What you're asking them to do is make representations about you to a second party (PayPal) with whom they have no contract.

Clearly you know this is the real problem. You want "potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework" and you canvass the possibility of IdenTrust-style contracts or new "creative commons licences used for credentials".

CC licenses wouldn't ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts -- brand new contracts of an unusual form -- struck between all the parties. It's complicated by the fact that banks & telcos don't naturally see themselves as "identity providers", not in the open anyway. To energise them, they need new business models. Worse still, their lawyers will have never dealt with these sorts of multi-party Internet-scale contracts before. It's an intractable task.

Silos are inevitable evolved results of the way businesses manage their risks; the way a business knows its customers defines hard risk management boundaries that take years to set up and which cannot be easily modified. Identity silos aren't all bad; they might be rigid but they create transparency and certainty. If Bike Beijing were in the Visa or MasterCard silo, you'd be home and dry by now.

Cheers, Steve Wilson, Lockstep.
