User-Centric Identity is far from Dead – It is just getting started

A week ago Johannes wrote a post about how User-Centric Identity was dead. I totally disagree. All of the technologies that he lists, the ones that were in the mix at the beginning of the community in 2005-6, are “dead”, but many innovations that have come out of the community are very much alive, as are new efforts that go “beyond identity” and include personal data.

I knew that the founding technologies described as fulfilling the vision of user-centric ID were dead – this was the case when the word on the street after the MIT-ISOC-W3C workshop in early December was “OpenID and Information Cards as we know them are dead” because focus and attention were moving towards Webfinger and Identity in the Browser (or other agents).

I have presented about user-centric ID to executives several times this year; when I do, I mention OpenID and Information Cards as a starting point for potential technologies that realize some aspects of the goal of user-centric identity, and how they represent two different kinds of doing identity: IDENTIFIER-based and CLAIMS-based. However, I quickly shift to talking about the issues surrounding their adoption failures and move on to discuss successful technologies: OAuth and XRD.

I often call XRD the most successful technology coming out of the community. It evolved with the hard work of Eran Hammer-Lahav within the XRI technical committee at OASIS. Yadis (yet another distributed identity system – the interim name that soon became OpenIDv2) found that XRI had a discovery format called XRDS and chose to use it. It was then found to be too complicated, so Eran proposed XRD-Simple; this then became XRD and was standardized as its own specification.

XRD provides machine-readable endpoint service discovery – it creates a practical way to find and connect services that users want to link together. Both OpenID and OAuth use XRD endpoints to signal their existence. It doesn’t just work for these protocols; it enables all kinds of endpoints to now be discovered: can the endpoint accept phone calls, instant messages or texts, or is it someone’s calendar or photo service? I think we will see a lot of innovation around this standard.
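To make the discovery step concrete, here is an added example (not from the original post or from any project it mentions) that reads an XRD 1.0 document and returns the endpoints advertised for one relation. The sample document, its `rel` URIs and hostnames are constructed, and the two checks (matching `Subject`, https-only `href`) are this example's own policy rather than anything the post prescribes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

# Constructed sample descriptor; subject, rel values and hrefs are made up.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.org</Subject>
  <Link rel="http://example.org/rel/calendar" type="text/calendar"
        href="https://cal.example.org/alice"/>
  <Link rel="http://example.org/rel/photos" href="https://photos.example.org/alice"/>
  <Link rel="http://example.org/rel/photos" href="http://mirror.example.org/alice"/>
  <Link rel="http://example.org/rel/chat" template="https://chat.example.org/{uri}"/>
</XRD>"""

def discover(xrd_text, rel, expected_subject):
    """Return the https endpoints advertised for `rel`, in document order."""
    root = ET.fromstring(xrd_text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document")
    # The descriptor must describe the resource that was asked about.
    if root.findtext(XRD_NS + "Subject") != expected_subject:
        raise ValueError("subject mismatch")
    endpoints = []
    for link in root.findall(XRD_NS + "Link"):
        href = link.get("href")
        if link.get("rel") != rel or href is None:
            continue  # a different relation, or a template-only link
        parts = urlsplit(href)
        if parts.scheme == "https" and parts.hostname:
            endpoints.append(href)  # cleartext-only endpoints are skipped
    return endpoints
```
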

OAuth is very elegant in its simplicity and how it supports end users connecting their accounts together and supporting data sharing between services.

The reason this got adoption was the huge risk that not adopting it presented to large web companies. People were giving their user-names and passwords to new services to extract their data – like a contact list or photos – from existing services they used. The proliferation of this anti-pattern (people giving user-name and password to third party services) was a danger because it would mean that people would regularly give away these two things to any service that asked… and increase the risk of phishing.

OAuth created a way for individuals to manage which services can access their data on a per-application basis. The tokens that connect services stay the same and are not affected by users changing their passwords.
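The contrast between the password anti-pattern and per-application tokens can be shown with a toy model. This is an added example, not code from the original post and not the OAuth wire protocol; the `Service` class, its method names and the sample data are all hypothetical.

```python
import hashlib
import secrets

def _hash(pw):  # plain SHA-256 keeps the toy short; real services use a password KDF
    return hashlib.sha256(pw.encode()).hexdigest()

class Service:
    """Toy data service, constructed for illustration (not a real OAuth server)."""
    def __init__(self, password):
        self._pw_hash = _hash(password)
        self._data = {"contacts": ["alice@example.org"], "photos": ["cat.jpg"]}
        self._grants = {}  # token -> (application name, set of allowed scopes)

    def _check(self, password):
        if not secrets.compare_digest(_hash(password), self._pw_hash):
            raise PermissionError("bad password")

    def change_password(self, old, new):
        self._check(old)
        self._pw_hash = _hash(new)

    # Anti-pattern: whoever holds the password can read every resource.
    def read_with_password(self, password, resource):
        self._check(password)
        return self._data[resource]

    # Delegation: the user approves one application for specific scopes.
    def grant(self, password, app, scopes):
        self._check(password)
        token = secrets.token_urlsafe(16)
        self._grants[token] = (app, set(scopes))
        return token

    def revoke(self, app):
        self._grants = {t: g for t, g in self._grants.items() if g[0] != app}

    def read_with_token(self, token, resource):
        grant = self._grants.get(token)
        if grant is None or resource not in grant[1]:
            raise PermissionError("no grant for this resource")
        return self._data[resource]

def allowed(call, *args):
    """Return True if the access succeeds, False if the service refuses it."""
    try:
        call(*args)
    except PermissionError:
        return False
    return True
```

With a shared password, the only way to cut off one third party is to change the password, which cuts off all of them; with grants, `revoke` removes one application and leaves the others working.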

Portable Contacts, or PoCo, is a standard that was born at the Data Sharing Summit (a branch of the IIW community that Marc Canter fostered and I helped with) when Joseph Smarr and two guys from MSFT – Angus and Inder – got to whiteboarding what they could do “now” before we got to a web of interlinked user-managed address books in the cloud.

How do we move our contacts around simply and easily between services? They stewarded this via an open process of spec writing and meetings and within 6 months it became a “standard”.

User Centric Identity was never about these particular technologies but about making real some key ideas that I think are represented by the IIW “identity dog” logo, an allusion to the New Yorker cartoon “On the Internet, nobody knows you’re a dog”.

* Freedom to be who you want to be online – the right to anonymity and pseudonymity.

* The ability to share more specific validated information about yourself.

* The ability to curate the information about yourself found online.

The challenge of fulfilling these design criteria in the following ways is a big one and I am not surprised we haven’t figured it out yet.

  1. open standards based
  2. the scale of the internet + other digital systems
  3. that people find usable
  4. that they understand
  5. that is secure
  6. it requires emergence of new social behavior
  7. and changes business models & norms

The future is not just in “identity”, but in the data we all are generating. It is essential to create the tools and infrastructure that support people being able to aggregate and integrate their own data, and to create market and business opportunities that are aligned with end-user rights and interests in not having massive dossiers formed about them without their consent, knowledge or access to them.

With the value of data just being understood and the emergence of Google and Facebook’s market power being based on amassing personal information, the race is on to create alternatives that are user-centric. The World Economic Forum just wrote a report about this where this was the central recommendation.

The range of companies and trade associations in the Banking, Telco, Web, Advertising and Cable industries interested in this emerging space is really stunning. There are over 20 startups with different takes on how to innovate and where to make money. All of this innovation can align with end user interests. With the Personal Data Ecosystem Consortium we are committed to proactively fostering collaboration and synergies in the emerging market while simultaneously learning from some of the mistakes made to date with other “user-centric” technologies. I think the biggest lesson for me, and where much of my energy is focused, is on the business models that will make these technologies adoptable. Without business justification, no technology, no matter how good, makes sense.

I don’t think that any of us who gathered at other people’s events like DIDW and Burton Group Catalyst in 2005, and then at our own little 80 person IIW in Berkeley in Fall, imagined that the WEF would write such a report.

So I say Johannes – user-centric identity is not dead but just beginning or perhaps this is the “rising again” that you mention.

We shall see how Personal Data 2.0 on April 7th and IIW #12 May 3-5 unfold and if indeed there are new visionaries showing up with new ideas and technologies. I think there will be.



  1. says

    Nice post. A couple of things: Keep up the great work;

    I’d reframe your point about how technology no matter how good makes no sense without business justification… to say that any technology in the marketplace needs to work for business purposes or it won’t fly in the market. Still there are always going to be all kinds of technologies that are really powerful outside the marketplace, which you of course know well.

    Also, I’d say that your point that the future is not just in identity is excellent and what I think you’re starting to flesh out is the awareness that users in virtual space are actually on the path to becoming legally established, protected, empowered entities as all entities on the ‘net must be to flourish.
    hope you’re doing well…..
