In my previous post I introduced the concept of user-centric identity for online applications. Here I would like to introduce a solution to the problem that the industry has already largely adopted: the OpenID standard. But let’s start with the question: why do we care?
Of course it would be great if everybody could use a single login/password pair to access every service online. But there is more to it. You have heard this many times before: to be successful in today’s online economy you first must win the battle for the user’s attention. The reason Google is so successful is that it can place ads in the context of what the user is doing, increasing the chance that she is actually interested in what the ad has to say. Google algorithmically analyzes the content that the user reads or searches for, assuming that it has something to do with her interests.
Facebook takes the model further by trying to identify a user’s interests not only from the immediate context but also from her profile, social interactions, Facebook “likes,” etc. As the model evolves, it is becoming more important to listen to what the user herself says her interests or intentions are, rather than having an algorithm guess them.
Here is where user-centric identity comes into play. There are plenty of online services around that offer users the possibility to assert their preferences, interests and intentions. We may tailor our communication with the user according to her preferences if she chooses to share them with us. But in order to make use of these self-asserted profiles we need to be able to request and access them. And for that we need a user identity system that is global – very much like the mechanism that we use for identifying the online services themselves: the URL. This blog is uniquely identified by http://solutions.wolterskluwer.com/blog/. There is no reason why the author of this post couldn’t be uniquely identified as http://www.google.com/profiles/107432091873669187899 (except, maybe, that it would be nice to be able to memorize my own identifier).
The idea behind OpenID is that the user creates her one and only profile with the identity provider of her choosing. She receives an OpenID login name (not necessarily like the one in my Google profile above, more like janedoe.openid.myprovider.org), sets her password and, perhaps, provides some other attributes such as an email address, preferences, etc. With this OpenID login name she can sign in to any OpenID-enabled website. Instead of requesting a password, the website redirects the user to the login page of the identity provider, which requests and validates the password. If the password is right, the identity provider sends its approval back to the site that initiated the authentication. Ideally, there is one and only one digital “handle” for the individual on the whole Web (some might choose to have more than one identity, but that’s a different story).
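To make the redirect-and-approval exchange concrete, here is an added example (not code from the original post or from any OpenID library) with the website and the identity provider written as Python functions. The pre-shared HMAC key, the provider URL, the user credentials and the nonce bookkeeping are constructed assumptions standing in for OpenID’s association mechanism; the point is the checks the website must perform before it trusts the approval it receives.

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode, parse_qsl

# Constructed example: a pared-down OpenID-style exchange between a
# relying party (the website) and an identity provider (the OP).
# The shared HMAC key stands in for the OpenID "association" (assumption).
ASSOC_SECRET = b"constructed-association-secret"
OP_USERS = {"janedoe.openid.myprovider.org": "correct horse"}  # constructed credentials

def rp_begin(claimed_id, return_to):
    """Website step: build the redirect to the OP, carrying a fresh nonce."""
    nonce = secrets.token_hex(8)
    params = {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
              "openid.return_to": return_to, "openid.nonce": nonce}
    return "https://myprovider.org/login?" + urlencode(params), nonce

def op_login(redirect_url, password):
    """OP step: validate the password and return a signed positive assertion."""
    req = dict(parse_qsl(redirect_url.split("?", 1)[1]))
    if OP_USERS.get(req["openid.claimed_id"]) != password:
        return {"openid.mode": "cancel"}                     # wrong password: no approval
    fields = {"openid.mode": "id_res", "openid.claimed_id": req["openid.claimed_id"],
              "openid.return_to": req["openid.return_to"], "openid.nonce": req["openid.nonce"]}
    mac = hmac.new(ASSOC_SECRET, urlencode(sorted(fields.items())).encode(), hashlib.sha256)
    return {**fields, "openid.signed": ",".join(sorted(fields)), "openid.sig": mac.hexdigest()}

def rp_finish(response, expected_return_to, nonce, seen_nonces):
    """Website step: accept only a fresh, correctly signed approval meant for this site."""
    if response.get("openid.mode") != "id_res":
        return None
    fields = {k: response[k] for k in response["openid.signed"].split(",")}
    mac = hmac.new(ASSOC_SECRET, urlencode(sorted(fields.items())).encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.hexdigest(), response["openid.sig"]):
        return None                                          # forged or tampered assertion
    if fields["openid.return_to"] != expected_return_to or fields["openid.nonce"] != nonce:
        return None                                          # meant for another site or request
    if nonce in seen_nonces:
        return None                                          # replayed assertion
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]                       # the authenticated identifier

def demo(password):
    """Run the whole exchange for janedoe with the given password."""
    url, nonce = rp_begin("janedoe.openid.myprovider.org", "https://example-rp.test/return")
    return rp_finish(op_login(url, password), "https://example-rp.test/return", nonce, set())
```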