Open Identity: the end of childhood, the age of assurance
This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing compelling new use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IaaS, PaaS and SaaS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the RHIOs). Finally, online payment, the mother of all federation, is seeing a lot of innovation too, from mobile to social games. High assurance open identity networks led by modern payment systems such as PayPal, Amazon or Facebook could sway consumers, curb fraud and shift merchant liability where Verified by Visa has fumbled to date.
So, what do the trusted cloud initiative, Obama's new health care bill, and next generation online payment have in common? They all require federation and stronger forms of authentication to enable trust and protect against fraud. These transactions are complex and risky. They are complex because they involve multiple independent, sometimes competing organizations. Federation is needed. These transactions are also too risky because the current Internet authentication system based on name and password is too weak. High assurance identity is needed. As governments and vertical industries worldwide come to the realization that their cyber security and business agendas require them to enable high assurance online transactions, federation and strong authentication will converge into compelling new trust infrastructures deployed across vertical markets.
The need for high assurance federation may provide a much needed boon for open identity technologies such as OpenID and OAuth. The point is that the adoption of a new identity management model on the Internet by consumers may require much more than single sign-on, attribute exchange and authorization. As Dick Hardt put it many times, these traditional identity features are only vitamins. Most people won't go for vitamins alone. Consumers want enablement. Facebook figured that one out a long time ago by tying friend discovery and activity streams to Facebook Connect. So, what is Open Identity's mojo then? I dare to suggest that the opportunity for open identity is new transaction enablement. If open identity networks can enable complex and risky transactions that are not possible online today, massive adoption will follow and altering the digital identity experience becomes palatable.
Of course, it is a security guy talking, but let us consider the business model too. The business of security and trust is well understood. Credit bureaus, security companies and VISA/Mastercard have clear and compelling transactional business models. Transactional revenue models are also more compelling than advertising. The profit margins for standing in the middle of transactions as a neutral third party and enabling high assurance are fairly high. Compare the addressable market to the currently minuscule market size of open identity as it stands today. Whether you look at it from a product, deployment or economic standpoint, I continue to believe that the future of open identity on the Internet is intimately linked to high assurance identity.