I signed up to do a talk called “Beyond Passwords” at ApacheCon US 2006, which took place in Austin last week. I had originally intended to talk rather blandly about current standards efforts. But in the end I took a much more contrarian approach and examined the promises of Identity 2.0, how policies and implementation progress are likely to affect the real benefits, and the risks or threats. It is a skeptical guide for a potential relying party — a Web service that is considering relying on some third party to authenticate and identify its users — on how to evaluate the benefits and the costs.

I’ve seen a number of benefits tossed about as the eventual promise of Identity 2.0. At the same time there are systems touted as “Identity 2.0” available today that a relying party can install, register for and use to delegate identification. So it seemed reasonable to compare the promises with the reality available today. I considered six suggested benefits of Identity 2.0 from the point of view of the relying party:

  1. No need to maintain passwords
  2. No need to obtain or verify email addresses for user accounts
  3. Easier user enrollment (more users enroll, rather than being turned away by effort or privacy concerns)
  4. Reduce comment spam and other undesirable content by identifying contributors more easily
  5. Get user profile information from the identity provider
  6. Better mashups

I found that, except for the first, which is trivially true, these six promises can’t all be met easily, or even at all, today. There’s more detail in the presentation of course, but the general thread is to consider what policies identity providers are likely to actually have (e.g. anti-spam policies) and what features haven’t yet been implemented (sharing profile information). The policies of the relying party are also important: the downside of not needing to get an email address to enroll a user is that there’s no email address available for advertising or for rate-limiting usage of the service, and less trust in the new user. Finally, I hope somebody will explain to me how Identity 2.0 does or will allow better mashups, because I can see all kinds of privacy and access control barriers.

The second part of the presentation considered whether phishing or pharming was going to be a real problem in distributed identity systems over the Web. I concluded that it was. Identity 2.0 systems that exist today all habituate the user to being redirected, within one browser window, from the relying party to their identity provider and back. I expect it will therefore be even easier than with email to catch the user at a time when they’re unsuspicious, capture the password, and then return them to completing their original goal without a hint of having compromised their identity. Anti-phishing approaches will help somewhat, but we have had very little success with anti-phishing without involving new browser software, which has barely been deployed yet. In the long run we’ll need upgraded browsers with GUIs that were designed to help users identify their Web service providers accurately, combined with protocol upgrades that make technical attacks more difficult as well.

My conclusion isn’t that Identity 2.0 is all crap or that nobody should pay any attention to it :) Although I play a skeptic I’m actually optimistic that eventually we’ll work a lot of this stuff out. I try to support and promote standards work where I think it has a good chance of reducing the technical risks and improving the user’s ability to tell whether they’re really talking to their identity provider or other Web service provider. I just hope that the risks are understood and that understanding helps us to step carefully forward.