Identity and authentication for the web is not in a good state
I had a problem with my PayPal account: I used it in China, and it got blocked as the result of some kind of fraud screening.
I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money.
[From Digital Money: Holding court]
They still haven’t got their money. In order to unblock the account, you had to log in to your account and then have a code sent via your home telephone number. I clicked, the phone rang, I punched in the number and hung up. Nothing. I clicked again, the phone rang, I punched in the number and waited. Nothing. I clicked again, the phone rang, I punched in the number. After a while, I got an e-mail telling me that the authentication process had failed and so PayPal would send a letter containing some kind of code to my home address and that I could then use this code to unblock my account. It mentioned that the letter might takes six weeks to arrive.
So the nice guys at Bike Beijing still don’t have their money and I’m still embarrassed.
Now, all the time that this nonsense about codes and letters was going on, I had on my desk a Barclays’ PINSentry (which I can’t even use to log on to Barclaycard, let alone PayPal) and a O2 mobile phone (I’ve been with O2 for two decades and have a billing relationship with them - their system knew that I was in China) and a keyring OTP generator that we used for our corporate VPN. Any one of these could provide a better solution then messing about typing in code numbers, but they all sit in their own silos and don’t provide the kind of general-purpose services that they should.
What should have happened, of course, is that I should have been able to log in to PayPal using OpenID and then logged in to a 2FA OpenID using my (say) PINSentry. So now PayPal knows that I have been 2FA logged in from an “acceptable” source (ie, Barclays Bank) and we could move on. So why doesn’t this happen? Is it because OpenID has failed?
But if OpenID is a failure, it’s one of the web’s most successful failures. OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.
It can’t be that. OpenID has plenty of support, and even the US government got behind it.
Who would have predicted say, 5 years ago, that you would some day be able to use commercial identities on government websites? Evidently, this raises questions about privacy and security but if these initiatives can garner enough public support, government validation of open identity frameworks could be a boon for the ecosystem of the open, distributed web. Plus, it can make dealing with the government a lot easier for you, too.
It’s not about the technology. I make no judgement as to whether OpenID is the best technology or not (although it does actually exist, which is a good start), but the truth is that it simply doesn’t matter whether it is or it isn’t.
The unresolved business and legal challenges implicit in federated identity are to blame for the under-delivery of OpenID
Indeed they are. So the problem isn’t really anything to do with OpenID, or any other framework that might come along in cyberspace, but the legal framework that it has to sit inside. This is where we need the breakthrough. We need potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework. Now, you can do this contractually (as IdenTrust has done), but to scale to the open web, we need something more than that, perhaps an equivalent of the “creative commons” licences that are used for content but for credentials.
Even then, would someone like PayPal rely on them? Or would it only rely on identities from regulated financial institutions in the EU? Or only such institutions that met some minimum authentication standard? We’re a long way from fixing my Chinese problem, despite having all of the technology needed to do so.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License. If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.
Please note that by replying in this Forum your comments become the property of Consult Hyperion and you assign all rights in your comment to us. Your comments may be edited for length and used online and in print but will always be attributed.
Meet us at:
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010