Late last week, it was found that Twitter had implemented some new security methods. Twitter had been talking about OAuth support for some time, so this was not an unexpected development. However, as with many blog posts, the conversation around it sometimes gets interesting. On FriendFeed, there was a comment from Frode Stenstrom that triggered some thought:
The race is on as to who will become de-facto identity service standard. The one company that holds the most identities will have a lot of power. The good thing is the competition between many players. Anyone remember the old Microsoft Passport everyone hated? This is all about trust, and competitive services will have to improve security so that more people will choose their service…
Obviously, having a de facto standard as supplied by one provider would be a bad thing. Generally speaking, all single points of failure are a bad thing. If this one provider had a problem, then how would we authenticate to our services? Granted, I am not an expert on OpenID and we have Chris Messina for that. However, the basic idea of OpenID is to be open:
OpenID is an open, decentralized, free framework for user-centric digital identity.
OpenID is decentralized so that many of your existing internet accounts may already be capable of being used as an OpenID. However, what if that provider goes down for a day, or worse, for a week or longer? There needs to be some level of interoperability to this as well. What I mean is that if I use WordPress.com as my OpenID provider for most sites, what happens if their OpenID service is down? Can I log in using a Technorati account? Right now I get the idea that it is not possible. I will be able to log in using Technorati as my OpenID provider, but it will be seen as a different user.
This is where the idea of a federated identity becomes important. I am not sure if “federated identity” is the right term, so feel free to bash my terminology in the comments. The idea is that there needs to be some distributed concept of what an identity is. As I stated earlier, I have accounts with WordPress and Technorati. So, how do we know that these are the same person? How can we reliably link these together, as well as the several other accounts that I have?
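As an added example that is not part of the original post, here is the linking the post asks for, modelled at the relying party: one local account owns several verified identifiers, and a login through any of them resolves to the same user even while another provider is down. The provider hosts, identifier URLs and the `verify_with_provider` stand-in are constructed assumptions, not a real OpenID exchange.

```python
# Added example (not from the post): a relying party in which one local account
# owns several verified identifiers, so logging in through any linked provider
# resolves to the same user even when another provider is unavailable.
from urllib.parse import urlparse


def verify_with_provider(identifier, providers_up):
    # Stand-in for the real OpenID assertion check (constructed for this demo):
    # verification succeeds only when the identifier's provider host is up.
    return urlparse(identifier).netloc in providers_up


class RelyingParty:
    def __init__(self):
        self.accounts = {}   # user_id -> set of identifier URLs it owns
        self.owner = {}      # identifier URL -> user_id
        self._next_id = 1

    def login(self, identifier, providers_up):
        """Return the local user_id for a verified identifier (creating an
        account on first sight), or None if verification failed."""
        if not verify_with_provider(identifier, providers_up):
            return None
        user_id = self.owner.get(identifier)
        if user_id is None:
            user_id, self._next_id = self._next_id, self._next_id + 1
            self.accounts[user_id] = {identifier}
            self.owner[identifier] = user_id
        return user_id

    def link(self, session_user_id, new_identifier, providers_up):
        """Attach another identifier to an already-authenticated account.
        The new identifier must be verified live, and one that already
        belongs to a different account is refused: silently re-pointing it
        would let one user capture another's login."""
        if not verify_with_provider(new_identifier, providers_up):
            raise PermissionError("provider could not verify identifier")
        owner = self.owner.get(new_identifier)
        if owner is not None and owner != session_user_id:
            raise PermissionError("identifier already linked to another account")
        self.accounts[session_user_id].add(new_identifier)
        self.owner[new_identifier] = session_user_id


def demo():
    """The post's scenario: WordPress provider down, Technorati still works."""
    rp, up = RelyingParty(), {"wp.example", "tech.example"}
    uid = rp.login("https://wp.example/alice", up)
    rp.link(uid, "https://tech.example/alice", up)   # done while logged in as uid
    up.discard("wp.example")                        # WordPress provider outage
    return uid, rp.login("https://tech.example/alice", up)
```

The `link` step only runs inside an authenticated session and only after the second provider has verified the new identifier, which is the check that keeps one user from attaching someone else's identifier to their own account.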
Most people may answer that OpenSocial and other social graph technologies (like FOAF and XFN) may be the answer, but they are currently separate from identity services like OpenID. OAuth is closer to being a bridge between these technologies, but it is more of a permission-based model compared to the identification model that OpenID provides. I think OpenID and OAuth should really be merged into one standard since we really need both. Taking baby steps with security and identity services will make them more difficult to adopt. Creating one solution with many implementations will benefit everyone.
So, consider this a plea to the folks working on OpenID, OAuth, OpenSocial, FOAF, XFN and anything else security related, to get in a room and figure out what is the best thing to do for the users. I know everyone wants to own the identity, but that is probably bad for the user.