Assessing the Digital Identity Ecosystem
At the recent TechVision Chrysalis Conference, I kicked off the “Identity Legends” panel by giving a short presentation on my assessment of the digital identity landscape, in terms of both the enterprise identity management problem and the broader (and largely theoretical) identity ecosystem for the Internet. (I was on that panel with Bob Blakley of Citi, Ian Glazer of SalesForce, Eve Maler of ForgeRock, and Doug Simmons of TechVision. It was a blast.)
The section of my presentation (which you can get here) on the broader identity ecosystem was, in fact, a set of slides I put together about nine years ago. I created them after a conversation I had with Bob Blakley as part of my work on a research project in 2010. That project never went anywhere, so I put the slides aside and forgot about them. But when Gary Rowe asked me to participate in the panel, I decided to drag the deck out, present it as I wrote it nine years ago, and ask the panel to discuss how much things have changed in those nine years.
I started by asking a question:
What are the critical elements that either encourage or inhibit a robust ecosystem for third-party credentials?
We need to take a more holistic look at these elements, rather than drilling down on just one or two, my thinking went. I was also motivated by the fundamental belief—which I still hold—that this isn’t primarily a technology problem. As technologists, we focus on technology. We invent many technical standards, but there are other factors, and viewing those factors more holistically may broaden our understanding of what’s possible.
So here’s the list of factors I came up with back in 2010:
Technical standards: While I think there has been an over-focus on technology, technical standards are obviously necessary.
Operational and quality (assurance) standards that establish a framework independent auditors can use: We can think of this as “governance.” I generally put “trust frameworks” in this category as well.
Perceived--and real--strength in the face of formidable bad actors committing fraud and theft: User confidence in the integrity of any system is about both perception and reality.
Ease of use: The identity system must be usable by ordinary people, not just the identerati.
Back doors into credential systems mandated by federal agencies in the name of fighting crime (the FBI) and national security (the NSA): Overall confidence in any system will degrade if it’s intentionally compromised, and distrust of government continues to undermine many systems.
Coherent privacy policy and law (or lack thereof): In 2010, it was the lack thereof.
The potential for disintermediation: Companies fight for relationships with their customers, and worry (either rationally or irrationally) that relying on third parties for credentials will lead to disintermediation.
The perceived and real risks associated with data retention policies and the subsequent mining of said data: This wasn’t nearly the issue in 2010 that it is today.
Cost (who pays for what): No one I know believes a large number of people will pay for the privilege of receiving a digital identity credential. So it’s unclear how the ecosystem can develop and thrive.
Legal and policy frameworks that establish a reasonable system for liability management: If you attest to someone’s identity or a claim about them, and you’re wrong, can you get sued? Or perhaps more realistically, at least in the United States, how many different entities will sue you?
No-cost, risk-free credentials issued by governments: As long as anyone needing to verify identity can rely on a driver’s license, passport, or other government documents without fear of being sued, how will digital credentials ever gain traction?
I put these factors into a radar chart so I could score and view the results. As the graphic below shows, I also created bands moving from prohibitive—something actively blocking progress—through inhibitive (discouraging progress) to neutral, conducive, and incentive.
Finally, I came up with what a simple scoring system from 0 to 5, with increments in tenths, as follows:
0 – 1: Prohibitive
1.1 – 2 Inhibitive
2.1 – 3: Neutral
3.1 – 4 Conducive
4.1 – 5: Incentive
I graded the factors, plugged in the values, and here are the results as I saw them, circa 2010:
As I joked with the panel, the results made me think that early retirement was an even better idea than I had first realized. While it’s tempting, I won’t delve deeply into the reasons for each grade from nine years ago, as that’s ancient history. In my next post, I’ll discuss current the current outlook, having now given some context for the discussion.