Here's a killer Web 2.0 app that I wish someone would roll out. In all the discussions about Internet identity (at IIW2005, for example, which various people are blogging), I see all kinds of grand plans and schemes for addressing the total universe of digital identity, but never any simple, practical, cost-effective solutions to problems people have today.
That's the trouble when technologists try and solve a problem; they always try and come up with the perfect blueprint. But take a look at Phil Windley's list of the things people at the IIW event either agree or disagree on, and all the disagreements center on questions of grand architecture (identifier and messaging formats, degrees of decentralization and control), while all the areas of agreement are to do with what users want to see implemented (issues of usage and deployment). So why not just implement stuff and let the needs of the market determine which architecture's gonna win?
One of the things that's becoming evident as organizations deploy service-oriented architectures is that identity management (access control, user authorizations) has to be implemented as a service. Anything else rapidly becomes too unwieldy to maintain and manage as the number of discrete application services increases.
What's true within a single enterprise infrastructure surely holds true even more in the World Wide Web. But at the moment, each separate service provider (Google, Amazon.com, eBay, Yahoo!, etc) either has its own identity management stack, if not several, or else it has none at all (eg, every site that publishes an RSS feed).
Of course, all those digital identity entrepreneurs and visionaries out there have been chasing the big-money opportunity of building a system that's such an improvement on what the big guys are using that all of them will instantly flock to the same universally shared system. But they've forgotten where disruptive technologies actually come from in reality. No one's been looking out for the long tail: the websites and services for whom anything is going to be an improvement on the "none at all" they've currently got.
Web 2.0 survives for the moment mainly because the money left over from Web 1.0 hasn't run out yet. A lot of the innovation is being funded from reserves that people built up during the boom. VCs have gotten excited enough to cast off their inhibitions and put a bit more money back in the pot. Google Adsense and a few other advertising and affiliate programs are helping some sites eke out a bit more staying power. But sometime soon, Web 2.0 is going to have to start paying its way. The lesson of the dot-com boom reminds us that it can't keep going for ever just on ad revenues and VC funding.
That's why identity as a service is the killer app. Not as a service offered in its own right to individuals, but as a service to websites and providers that have no workable identity management infrastructure of their own to offer their users. Restricting access on a named-user basis to individual URLs (RSS feeds, screencasts, PDF files or web service URIs) is the key that would enable such sites to realize value from those assets. At present it's not a viable option because of the cost and/or hassle of maintaining their own secure identity management system. But if the site owner could sign up to a third-party identity service, and have an embedded sign-up process that meant the service provider would take care of allocating rights to the user profile and then authorizing access to the relevant URLs, perhaps with options to measure or limit usage over a certain period, it opens up a whole new world of possibilities. Make it cheap enough (no more than a dollar a month per ID) and at a stroke the fabled thousand flowers would bloom as businesses found new ways to monetize information flows and online services by restricting them to named users, whether they be employees, customers or even other websites and service aggregators.
If such an identity services offering did become successful, then it would of course quickly gain enough market presence to begin offering single sign-on and federated identity services, thus consolidating its early beachhead, and then perhaps appealing to businesses that might want a cheaper, simpler, easier means of policing remote user access to intranet or extranet resources.
I would gladly beta test such a service if anything of this nature is under development. And if it's not, let's bring it on: the future of Web 2.0 could be riding on it.