Business Value of the Identity Metasystem

For as many years as I can remember, I've been handing out this little pearl of wisdom:

The secret to life is perspective.

The main point, of course, is that ultimate happiness (life's true goal) is easily achieved - if not by accomplishing some measurable goal then by re-evaluating one's perception and understanding of the goal and making adjustments as necessary. I'm not saying it's OK to set the bar lower in order to make goals reachable. I'm saying that often what we perceive to be an important and worthy goal does not hold up under closer scrutiny. And a realignment of the importance of things will often help you see the positive aspects of a situation as outweighing the negative. I'm certain that I wasn't the first to achieve this realization, but I arrived at it when I was young and its truth has been consistently reinforced as I navigate through life.

How does it relate to identity management?

Well, it's analogous to the concept of context-based identity. Woven throughout the fabric of the Identity Management blogosphere is the notion of user-centric identity, the concept of context-based identity and the questions of who owns identity and what defines a system user's identity. In the real world, identity is contextual -- Your identity differs depending on the perspective of the viewer. Sometimes it's because you intended to shape that perspective but other times it's the viewer or the situation itself that shapes the light in which your identity is cast.

People necessarily present some unique subset of our overall identity superset each time we interact with the world. Even those we most love and trust will see only partial aspects of our identity. We don't expose our Las Vegas selves to our children. And we may not expose our caring, nurturing side at our monthly poker game. We all have friends to whom we expose aspects of our identity that we don't expose to others. Do you share your Star Trek convention identity with the people you work with? Or your girls-night-out identity with your local bank teller? Identity is extremely driven by context and perspective.

This is even more true in the world of systems and applications. Our electronic identity, as it's used in practice, is another small subset of your total identity. Often, your identity for any given application consists of authentication credentials and some application-specific identity information. The context boundary seems most often to be at the application but may also be driven by access method (phone vs. Web), geography (home vs. at work) or some other factor. The real problem that we (the Identity Management community) are trying to solve is: how to effectively and efficiently deliver the appropriate identity context to wherever it's needed in order to enable secure and easy interactions between people and computers (or any combination thereof).

So when the question of User-Centric identity comes up, I wonder about how any one entity could hold all (or even most) of its own identity information. Identity, being subject to perspective, is only half-owned by the one being identified. The other half is owned by the viewer of the identity and/or the situational context. Young children see their parents as super heros. Most of those parents (I realize not all) wouldn't hold super hero to be part of their identity if they were holding all the cards. The child needs to maintain some aspect of the parent's identity. In the same way, a financial services company defines and re-defines a customer's profile based on the customer's progress, the company's special knowledge and the performance of the economy. Surely, a consumer can not own those aspects of their own identity. So what are we really talking about when we discuss user-centric identity? Authentication? Authentication plus some basic profile information (age, citizenship, contact info)? Something more?

Bob Blakley recent posted a blog entry titled The Meta-Identity System in which he makes the case for Identity Oracles rather than Identity Providers. His points are important. In fact, it hadn't even occurred to me that anyone would choose to implement an identity provider that actually sends identity data rather than identity metadata. Bob's point is that identity providers in the Identity Metasystem ought to provide answers to basic questions rather than shipping real identity information. e.g. Am I over 21? rather than What is my birth date? But this information still seems very generic. The receiving application will still own relatively half of the user's identity (as regards to the user's interaction with this particular system). The user really only owns the portion of her identity that is non-specific to the application (or not context-restrained).

So is this entire user-centricity effort really about minimizing the effort to enroll in various sites by duplicating name, email, address and credit card? To make this huge undertaking worthwhile, I believe there needs to be more value to it. If it's only to simplify enrollment and authentication, then it's really just Microsoft Passport 2.0 but with your own choice of identity provider. Is simplified enrollment and authentication really the goal of user-centric identity solutions?

I realize that the concept that identity is contextual is not new -- it's even part of the original identity metasystem concept. And the metasystem also acknowledges that existing identity systems are not replaced by the metasystem -- they still own part of the identity. So, it's not asking us to give the entire identity to the user. I just want to be clear about what we stand to gain. Is it:

• Fewer sets of credentials for users to manage?
• Consistent user experience? (Are enrollment and authentication activities really confusing people with complex interfaces?)
• Greater degree of user control over their identity? (really?)
• Facilitate use of existing identities across boundaries? (like federation?)
• New market opportunities? (examples?)

It sounds a lot like an authority-neutral Microsoft Passport. I'm unfortunately somewhat behind the eight ball on user-centric identity. From my perspective, it's been a debate about how to build the next generation Internet identity infrastructure and I've been pretty focused on the current generation. But I'm starting to give it some thought. I'm playing catch-up and I'm wondering: What am I not getting? Am I just underestimating the frustration associated with multiple sets of credentials? Maybe it's because I use a Digital Persona system don't worry much about multiple usernames and passwords. Enlighten me. What will drive the world to invest in an identity metasystem?

Don't get me wrong. I do get it to some degree. I realize the Internet experience will be better for everyone if we tackle the issue of the many identifiers that connect us one-by-one into systems and applications. I just don't know if I've seen a business driver that's big enough to drive an effort as big as a global identity metasystem. So clue me in. Is it just about making the world a better place? If so, this is a bigger story than I suspected.