Thursday, April 06, 2006

User-centric Identity - here today?

It seems intuitive that the concept of user-centric identity is important to people. After all, what person wants to feel that he is not in control of his data, or that some murky corporate behemoth knows more about her than she wants to be known?

As Bob Blakley has pointed out, a user can't own much, if any, of his identity information. In many cases, he must create accounts with some credential-issuing entity (banks, credit cards, various government agencies among others) before he is issued credentials, and that involves sharing some identity information. And often, a user will share whatever information a company requires, simply in order to gain access to a service she desires. Once identity information is shared, it's certainly no longer "owned" - if it ever was exactly. But it seems to me that people like to feel that they have a little control over how this information is presented, and that technology can help.

What's in your wallet?



When I look in my wallet, I see lots of cards - credit card, bank card, driving license, frequent flier membership cards. Quite a stack. Oh, and then there are those thin green bills (sadly all too few). My entire wallet is full of credentials and identity assertions!

But now look at my laptop. I have a bunch of credentials there too - some in my "keychain", and some in the web browser "password manager". There are probably others that I'm forgetting.

That's pretty user-centric, isn't it - a whole mess of stuff sitting around that I barely remember exists, and would have no idea how to recreate should my laptop die or be stolen. Yes, I do back up (probably not often enough), but still - ever tried to recreate all of your account logins even after a successful data restore? Do you also photocopy all of the important cards in your wallet?

The wallet seems a pretty useful metaphor here - a container for assertions you've received from assertion issuers. You pull things out of your wallet to either show or give to companies from whom you wish to get service. But wallets have baggage.

Where is your wallet?



Today, I'm pretty sure that the contents of my wallet are sitting here on my desk. Oh, but then there are those credentials sitting in my laptop in various places. Of course, there are also those identity details I registered with various places online - did I even give them the right information? I bet that I couldn't reproduce the same answers to their identifying questions if someone asked me the same questions again! So on second thoughts, I think the contents of my "virtual" wallet (which includes the contents of my physical wallet) are actually distributed in several places, some that I don't even remember. Oh dear. And some of that information is only useful for transactions conducted with exactly one company in exactly one context (yes, sometimes I really do lie about my age).

Not just a problem for users...



What must those web-sites and corporations be thinking - users that lie when I ask them important identifying questions? People who don't know where their identity information is? And, as a service provider, I'm holding personal account data for thousands of customers. A security problem waiting to happen? A thousand customer support calls because of a lost password?! Well, be patient - a solution might be coming. Perhaps it really is possible to get the information you need about your customers, without making them create accounts and hold their identity information with you? And if your customers hold this data wherever they feel it should be held, perhaps you are less likely to be held (legally) liable when identity data goes missing?

User-centric Identity - here today?



It seems to me that we have a user-centric (with a little 'u') system already. A system that devolves responsibility for maintaining a limited set of identity information to the user, without giving him or her the technology to properly manage it; a system that sometimes causes a user to lie because he doesn't want some online store to know everything about him, and a system that causes service providers to retain large amounts of sensitive information in their control, subject to theft and improper use.

We will soon do better - systems that allow a user to properly manage all of her identity information, regardless of where the information is actually maintained. Perhaps the wallet of the future can do a little more than my beaten-up old fake leather model can manage today?
