Emerging Technology Briefs: Identity

February 27, 2002

Rael Dornfest

Emerging Technology Briefs, developed by O'Reilly Research, offer a single-page summary of recent developments in a technology topic that we have been following. O'Reilly Research also publishes full-length industry reports, including the 2001 P2P Networking Overview and the upcoming Web Services Report.

WHAT

Online identity may be likened to an amalgam of your online preferences, national identity number, driver's license, library card, and credit card(s). Identity is to person as telephone number is to telephone and the domain name system (DNS) is to computers. Identity is expected to serve as a "skeleton key," unlocking purchasing ability, membership, and tailored experience on the Internet.

Today's Internet may be likened to a vast neighborhood of speakeasies, its citizens boggled by the plethora of usernames and passwords they're forced to juggle. Ideally, users would pass through a single sign-on point to assume their online identity. Identity is pseudonymous; there is no guarantee of a real one-to-one relationship between online and actual identity.

Although the concept of a single sign-on identity promises users a new level of convenience, two major areas of concern are security and privacy. With a single point of failure, security is paramount; if compromised, so too is the individual's online identity and associated personal and financial information. Privacy advocates are concerned about how one controls access to and interaction with one's online identity.

The holy grail is a unified, decentralized, simple-yet-flexible, secure, pseudonym-centric identity, membership, and preferences fabric for the Internet.

WHO

The major players in the identity arena are Microsoft, the Liberty Alliance, and AOL Time Warner.

Microsoft is well ahead of the game with its Microsoft .NET Passport single sign-on and associated online wallet system -- and more is in the works. Passport made its debut in July 1999 and was quickly rolled out across the Microsoft Network (MSN) and Microsoft's other properties. Passport is now accepted at a growing number of partner sites. Microsoft claims (as of August 2001) 165 million Passport accounts.

The Liberty Alliance promises an open, distributed single sign-on solution built upon a "federation of trust" rather than a single, centralized identity provider. Liberty sports a membership representing computing (Sun, HP, Sony, Cisco), banking (Bank of America, American Express, Mastercard, Visa), content (AOL Time Warner, RealNetworks), telecom (Nokia, NTT DoCoMo, France Telecom), and a cross-industry swath (United Airlines, General Motors) of heavy-hitters. At this point, the Liberty Alliance is strategic, not technological; lofty name aside, Liberty doesn't have anything in hand (as in, specifications or implementations) to speak of.

AOL's ScreenName service, while rather similar to Passport, is more localized in its focus on unifying identity and access across AOL, Time Warner, Netscape, and CompuServe properties. Conspicuously absent from the initial Liberty roster, AOL was purportedly hard at work on a yet-to-materialize Passport-killer code-named Magic Carpet. AOL has since become a founding member of the Alliance, extending an invitation to rival Microsoft.

Oracle, the Jabber Identity Project, and a few other companies are exploring online identity systems, but have nowhere near the mindshare or customer access of the big two.

WHY

Online identity promises consumers convenience and control over their interactions with online destinations and with other consumers. For vendors, an identity system provides clearly-identified marketing "targets" with open online wallets. Identity providers are the real winners, poised to collect partnership fees and/or a percentage of each transaction.

HOW

The success of an identity system hinges on uptake. While smaller companies may come up with superior systems, garnering the millions of users already held by the likes of AOL and Microsoft makes for a daunting bootstrapping problem. With concerns in the industry about the possibility of one entity controlling online identity, federation is the direction in which everyone is headed: loosely-coupled yet trusted interoperability between identity systems across domains and organizations (think of the way credit card and bank accounts can be distinct but effectively linked). Microsoft has announced the eventual federation of Passport. Liberty plans federation from the start.

WHEN

Microsoft Passport is in operation today, albeit as a single sign-on and virtual wallet solution only; deployment of a federated, more complete identity and preferences system is expected in 2002. AOL's 31 million subscribers (as of November 2001) and Time Warner's broad subscriber/viewer base provide a powerful bootstrap for ScreenName. Liberty is little more than a shot across Microsoft's bow, an attempt to keep Passport honest (and open). We expect the emergence of a clear leader (whether player or standard remains to be seen) as more far-reaching solutions are introduced in 2002-2003.

OPINION

The only viable path for online identity is paved with openness, accepted standards, and a loosely-coupled federation of trust. The development of competing identity systems with no interoperability serves only to fatten the identity providers and move the problem-space out -- a zero-sum game of trading in My Yahoo!, My E*trade, and my library card for My Passport, My Magic Carpet, and My Liberty.