Reason to Choose an Identity Provider

Buried in a post about OpenID user experience by Chris Messina is a concise bit of advice for users:

picking an identity provider should be like picking a bank or credit card provider: as a fourth-party service provider that advocates for your interest, since you’re their customer!

The “fourth-party” reference is to an article titled “Get ready for ‘fourth party’ services” by Doc Searls in the Linux Journal.

Personally, I’m not a fan of the introduction of this term for the new party around the table. I like to think that a “third party” working on the user’s behalf fits the bill just fine. Following an object-oriented mindset, the third party can adopt the properties relating to its responsibility in a transaction without being locked between two others (necessitating a fourth).

What I do like, however, is the concept Chris clarifies later:

Instead of agreeing to terms of service that disclaim all responsibility to you, the customer, I hope that competition in the identity space will lead providers to actually take responsibility for their services — charging good money for doing so. If your account gets hacked — no problem! — your identity provider can put back the pieces and make things right again! You could even take out online identity insurance in case your identity is ever stolen — so you can always get back to your life and recover your data without the hassle and interruption when it happens today.

To unpack this a bit, I see a compelling use case for identity providers emerging, possibly piggy-backing on the PCI Security work. So far, the first quote about picking an IdP is falling on deaf ears as users don’t really think about their choice. They use what they use and that’s about as far as it goes. What users need is a compelling reason to think in terms of choice, and the model Chris suggests might be it.

I spent some time helping to build an affinity card system with MBNA a couple years ago, and that process was telling. As it relates to this discussion, I can easily see that they would jump on the opportunity to capture a market like this. All that needs to happen is for someone to write up a clear business plan around the concept. In fact, I’ll bet there’s an MBA student out there somewhere looking for their thesis.

In a nutshell, here’s what I think this looks like:

  1. Credit Card Company (C3) sets up a new product based on its current card-based account system.
  2. C3 stands up a full-service identity provider (possibly built using the Higgins Identity Framework).
  3. For high-value services, C3 executes federation agreements with key nodes.
  4. C3 contracts with an insurer to cover losses due to ID theft / masquerading (rates most likely locked to the NIST levels of assurance as codified by the Liberty Alliance Identity Assurance Framework).
  5. C3 then advertises the new product to its existing customers (ID validation fees waived as an incentive).
  6. Users now have a reason to choose C3 as their IdP for all high-value applications (and might as well use them for everything else, too).

C3 still has to convince its customers (and attract new ones) to see value in paying for a secure IdP. I don’t believe this is too far away from happening organically, so now’s the time for a C3 to start working on the product line.

Further, it’s distinctly possible that ID endpoints are going to force the issue by requiring verified identity assurance and security beyond what your run-of-the-mill OpenID provider (OP) can provide. Hence services like MyID.is (which has its own issues, of course, but that’s the direction). If a C3 gets in the game, I have a feeling they’ll be able to build a more effective federation of trust, even when used in an anonymous context.
