I’ve been thinking. Even though we fans of user-centric identity like to think of it all being in the hands of individual users, it seems to me that in practice many users will delegate management of their identity data to a third party. They’ll do this for a variety of reasons, the main one being convenience, though the need to be always on may be a driver in the end, too.
So this leads to an interesting question: when I first arrive at a site, how does it know who I’ve chosen to be my IdP? When I turn up at Unicorns-R-Us, how do they know that they should go to Amazon to verify that I’m logged in and that I’m the same guy who shopped there last time?
This question is, of course, the question of IdP discovery, and although we’re not worrying about it much right now (at least in the user-centric world – I know Liberty has worried about it forever), I predict that we’ll be worrying about it a lot, Real Soon Now.
But why is it an issue? There seem to be all sorts of obvious options…
1. The OpenID approach: you (the user) give a URL to Unicorns-R-Us, and at that URL can be found further information about your identity. Clunky and weird for the average user.
2. Cookies. The first time I visit Unicorns-R-Us some miracle occurs that informs them I am an Amazon user, and they set a cookie so they’ll always know in future. Two problems here: the first being that we still have that first encounter to solve, and the second being that this works fine until I switch to my laptop, and then I’m screwed.
3. Client-side component. This works well, and solves the first encounter problem, but still suffers from the issue of me switching to a machine without the component installed – or with it installed, but not yet initialised. Will I know how to initialise it, since that’s probably something I’d only do once a year or so? It can’t be too easy, or that’s clearly a security risk.
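To make option 1 concrete, here is an added example (not code from the original post) of the relying-party side of OpenID 1.x-style discovery: the user types a URL, the site normalizes it, fetches the page behind it, and reads the `<link rel="openid.server">` and `<link rel="openid.delegate">` tags that name the user's IdP. The identity page and the host names are constructed for the example; the network fetch is stood in for by passing the page body directly.

```python
# Added example: OpenID 1.x-style IdP discovery from a user-supplied URL.
# The relying party normalizes what the user typed, fetches that page, and
# reads the <link rel="openid.server"> / <link rel="openid.delegate"> tags.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a user's identity page might contain.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>Alice</title>
<link rel="openid.server" href="https://idp.example.net/openid">
<link rel="openid.delegate" href="https://idp.example.net/alice">
</head><body>Hello</body></html>"""


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed ("alice.example.org") into a canonical URL."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError("identifier must be an http(s) URL")
    # Host names are case-insensitive; drop any fragment; default path is "/".
    return urlunsplit((parts.scheme, parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    """Collects rel -> href for <link> tags (first occurrence of each rel wins)."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, a.get("href"))


def discover_idp(identifier: str, page_html: str):
    """Return the IdP endpoint and the identifier to send it, or None if the
    page names no usable IdP. page_html stands in for the fetched body."""
    claimed = normalize_identifier(identifier)
    p = _LinkCollector()
    p.feed(page_html)
    server = p.links.get("openid.server")
    # Only accept an absolute http(s) endpoint; a relative or odd scheme is rejected.
    if not server or urlsplit(server).scheme not in ("http", "https"):
        return None
    # Without openid.delegate, the claimed URL itself is what the IdP vouches for.
    return {"claimed_id": claimed, "idp_endpoint": server,
            "idp_local_id": p.links.get("openid.delegate", claimed)}
```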
I’m starting to run out of ideas here, and so far none of them have worked really well. I suspect that in the end we’ll end up with the OpenID approach (“ask the user”), but with something more friendly than a URL and with a flow that often requires no effort on the part of the user. But it’s an interesting question that I don’t have a good answer to – and a good answer is key to a user-centric identity world.
I predict that figuring out standards and a good user experience around this problem will be one of the major pieces of the user-centric identity puzzle over the next couple of years.