Identity, Authentication, and Provisioning Them Online
Christina jotted down some thoughts on identity on a flight to SF and I read them this morning. In her post, she references Ev's excellent post on the same topic from a while back. So I went on a bike ride as the sun rose over the east end of Long Island and thought a bit about all of this.
Before going on, I'd like to emphasize that these thoughts are mine and mine only. Nobody has seen this post before publishing other than me, including my partners and our portfolio companies. It does not represent the opinions of any company I and/or our firm are involved in.
I don't have a single online identity. I have many. They are rich, representative, and different from each other.
And many many more.
I apologize to all the services out there (in and out of our portfolio) that I left off this list.
I believe that OpenID is on the right track. In the OpenID scheme:
The term OpenID may also refer to an ID as specified in the OpenID standard; these IDs take the form of a unique URL, and are managed by some 'OpenID provider' that handles authentication.
OpenID has two important concepts in it. The first is identity. The second is authentication. The two are totally different but they have become commingled on the web because the leading third-party authentication services, Facebook, Twitter, and Google, are combining the two in interesting ways.
When you build a web and/or mobile app and you want to make it easy for the user to share data between your app and one of these big three web services, you provide for one-button authentication to them. Everyone who uses the web and mobile apps is now familiar with "login with Facebook", "login with Twitter" or "login with Google". We use them all the time. They make things easier on us.
These authentication services provide some notion of identity as well. But only your identity in their service. Not your entire identity.
So back to OpenID for a minute. I really like the idea that a URL can be an ID. But I don't like the idea that one URL is your ID. I like the idea that a list of URLs makes up your ID. I started my list at the beginning of this post. It is not complete by any means, but it is a good start.
So what I want is a layer that sits on top of all these services, aggregates up all of my URLs (identities), and then provides authentication in the same way that Facebook, Twitter, and Google do today.
And I'd like this layer to be able to provision to web services exactly the same data that you can get (and give) by authenticating directly with the social platforms. And, of course, I'd like to control what data gets provisioned to what apps.
Many have taken a stab at this over the past few years. It is a big opportunity and a big problem. But none (including OpenID) have gotten the kind of traction that Facebook, Twitter, and Google have. I believe there are several reasons for that. First, you need a brand that users recognize (and trust??) to be able to do this. Second, the authentication experience needs to be simple, easy, and not geeky in the least. And third, you need the cooperation of Facebook, Twitter, and Google to do this well and it is in their interests to be the providers of authentication and identity on the Internet so getting that cooperation has been tough.
The good news is it is becoming increasingly clear that no one web service will control our identity online. The success of Google+, Tumblr, Foursquare, Instagram, etc, etc in the past year has shown that users want more social platforms in their lives, not less. Or at least that some users want different social platforms than the ones that have been leading the way for the past decade.
So maybe the big three can get together and cooperate on building this authentication layer on top of their services and promoting it as an independent way to authenticate and provision identity and related data to web and mobile services. I'd love to see that happen and I suspect the Internet would be a better place because of it.