How many identity systems do we need?

Last night I met Dan Pritchett, technical fellow at eBay. He told me that eBay alone has 21 identity systems.

So, if you wanted to use every part of eBay’s empire, like Skype, PayPal, StumbleUpon, etc, you’d need to sign in 21 different times.

Needless to say he, and others at eBay, are working on solving that problem.

Why did I meet up with Dan Pritchett? Because of a speech by Tim Berners-Lee, the guy who invented the Web. No, Al Gore didn’t do that. Heh.

Anyway, we’ll have the videos of Tim’s talk up tomorrow. He’s thinking a lot about how to take the Web further and is working on Web research — but I’ll just let you read his blog to learn more about that. CNET has a report up of the talk he gave.

One thing I noticed is that during the talk he spent a lot of time talking about social behaviors of people. He’s clearly been studying the blog world and the social networking worlds and had a good answer to my question about what Facebook should look like in five years.

Another thing I noticed? It’s really great to be able to hear from smart people directly without having to go through intermediaries or filters anymore.

Anyway, back to the headline. How many identity systems and social networks do we need? How are we going to join them all together? I know I’m on Twitter, Flickr, YouTube, Yelp, Upcoming, etc. etc. etc. — I wish they all talked with each other and all used the same sign on. Memorizing passwords is a real PITA.

Good luck to eBay and others in the efforts to join their systems together. That’s going to be some tough engineering (and political) work.

See ya tomorrow with the videos.

Comments

  1. There is, of course, a downside to tying all of them together. When that happens the security boundaries are enlarged a great deal, and a penetration is much more damaging.

    I’m not sure there is a good answer here, though.

  3. There is an industry wave at the moment that wants to solve the very problem you have given an example of with eBay. It’s called Master Data Management (MDM) and is currently top of the Gartner hype cycle.

    It may not be cool, it may not be fashionable, but tying together data from multiple databases is a problem that data integration pros have been wrestling with for decades. MDM is just the latest moniker to be applied to it.

    I guess what I’m saying is don’t presume that these bastions of consumer web-based tech-dom have a right to be able to speak authoritatively about this just because their representatives have the word “fellow” in their title. There’s plenty of bricks and mortar people that understand this problem better than anyone (I’m not claiming to be one of them by the way).

    -JamieT

  5. Have you seen any viable solutions for integrating logins? I was thinking about this with some friends recently on a much smaller scale — various tools like MediaWiki, etc., on the same server, http://forums.seds.org/showthread.php?t=2644 — but I’m woefully ignorant about how to do it. It would be interesting to see how it’s done on a larger scale and extend the principles to our small one. Just a lookup table of some sort? Or is it a much larger problem than that? (I realize you’re not a database troubleshooter, but maybe you have some philosophical points)

    Fortunately I’ve got an uncommon enough last name and have been on the net long enough that I don’t have many different login names, but passwords are a different story… PITA, yes.

  7. Microsoft tried doing this several years ago and it didn’t go so far for many reasons.

    Yes, we do need a Single Signon technology. But I think the biggest problem is do we trust a single entity to create the technology?

  9. If memorizing passwords was all that was at stake there are a number of small programs that spit out URLs, user names and passwords that you can use. They certainly make life a lot easier if you are traveling between different applications.

    Of course, that is not all that is at stake. We would like the various applications to be able to work together, and we want Doc Searls’s VRM!

  11. As someone already mentioned, the problem has already been solved in the form of OpenID. Seriously. Why isn’t everyone using it? Google needs to pick it up or something; it seems like a natural addition to Gmail. I mean, they’ve already got Jabber integrated.

  13. OpenID solves the single sign-on issue but, interestingly, not necessarily the multiple identity issue.

    I like to use the example of the bike store. I have two bike stores because I have two modes in which I ride bicycles.

    When I’m riding a mountain bike, I want something that’s easy to fix on the trail if something goes wrong, and doesn’t cost too much when I shear a derailleur off on a rock or something. When I’m riding a road bike, I want smooth shifting, light weight, it can be delicate but it must never ever skip a beat when I’m in a paceline 6″ from someone’s wheel at 30MPH, and damn the cost.

    I’ve got a favorite bike store where I’ve bought several mountain bikes and lots of replacement parts and some amount of service over the years. I bought a road bike used, took it into them, and because they were used to dealing with me in my mountain biking identity.

    I know they can do pampered, but they can’t handle my two identities, they’re used to dealing with me in the “Yeah, I know the frame’s got a crack in it, when it gets bigger I’ll replace it” mode, not the “there’s an occasional skip when I go from 5th to 6th under load, does that mean I need to replace the cluster?” mode.

    So I go to another bike store with my road bike.

    If they had the ability to maintain an identity with me that was associated with which bike I brought in, rather than with knowing me and my face, they’d get both sets of business.

  15. Hi mate, usually I say hello on Facebook, but here’s my 2 cents worth. I have been experimenting with a surrogate signon system that links a master keychain to a specific PC (i.e. using the 5,490,216 patent) and then managing automated signon by updating logon scripts using AOI (army of Indians)… it’s looking promising… we are expanding the idea to allow automated cycling of passwords and using long passwords as part of the initiative… I started working on this as a reaction to Schneier’s password management tool which shouted promise but squeaked practicality… anyway that’s my idea. Hope you are well. Ric

  17. I would never use an external provider’s OpenID URL as the primary mechanism for identifying and authenticating users on my Website. Here is why:

    1. The relationship with my customers is my most important asset. I would never let other companies control such an important part of this relationship without clear service level agreements (SLA) in place.

    2. My Website’s registration and login experience has to be drop dead simple or I will lose customers. Having to redirect to an external OpenID provider and their disparate UI is cumbersome and visually jarring.

    3. Without SLAs, OpenID providers can: experience performance problems and server outages, go out of business, be bought by my competitors, start charging me for authentication services, etc.

    4. Since I will be storing customer information anyways (e.g. their orders, preference, etc.) the incremental cost of storing authentication information is small compared to the risks described above.

  19. Scoble, you are doing an outstanding job for the Bush administration and the paranoia world they are creating.

    Congratulations. No, really.

  21. I *love* everyone saying OpenID is going to solve this all. It’s a lot easier to find OpenID providers than folk that will *use* the OpenID.
