The Steady State Theory of the Identity Universe

Over the last year I have been looking at the question of large scale consumer identity systems, and how to bootstrap them. What struck me really early as I was considering this problem was how many conversations I had with smart people that ran something like this…

“As an IDP, millions of people will beat a path to your door to get an identity because you will provide transparent access to tens of thousands of Internet sites they will want to visit. Identity Technology xyz is astonishing and lightweight and will create huge opportunities.”

“The identity attributes you provide will enable consumers to have a really slick user experience. They will not have to logon, or run through those painful registration pages. They will be able to control their information release and privacy – you will put them back in control, and provide them safety, privacy and security”

At which point my next question would be… “Why are all these relying parties signing up to make use of new Identity Technology xyz?” Two things I came to recognize.

First, no one outside of the “Identeratii” knew what a relying party was. In fact, it is pretty clear that consumers do not know what an identity is, and would not know an Identity Provider if it bit them on the nose – more about terminology and how to talk to the world in another blog posting

Second, I came to recognize the withering and pitying look that smart people would give me that said – “You poor schmuck, you are clearly not very bright, I will try to tell you this once so pay attention.”

The answer generally went something like this.

“Relying Parties (I call them merchants or service providers mostly) will leap to implement new Identity Technology xyz because it will mean…
a) frictionless interactions with their consumers
b) massive reduction in user management overheads
c) password reset cost and overhead elimination
d) avoidance of nasty privacy and information management compliance issues
e) elimination of authentication systems
f) sharing of consumer information for the consumers good
g) better management of state
h) … (insert favorite technology value prop here)

Now, I have been dealing with identity for around 20 years now, and I have seen quite a few technologies come and go. Plus, working at PayPal is pretty instructive about engagement with merchants and service providers. So I would answer, “So you are telling a merchant that you have less than 1% of the internet identified at a trust level they can use, who might possibly come to their site and get these advantages?!?” Blank look. “So they still have to keep all the old stuff and add new stuff?!?”

At PayPal we can demonstrate a significant % increase in the amount of top line revenue that will accrue to any merchant that puts in our payment mechanisms – with hard data to prove it. Do you know how hard it is for us to get a service provider or merchant to modify their site or make a change in how the interfaces are handled?

Just to be clear, I believe in all the benefits described above for consumers and merchants. It is clear that there are different market segments that have higher or lower trust requirements and transaction values (no, not just $$$ – value) will have different answers to these questions. But for e-commerce, finance, health care and a bunch of other higher value transactions, we need to show some real business benefits.

So what is going on here? I looked around for an analogue to describe what appears to be happening in the identity space at the moment, and this seemed to fit the available data – at least in my world.

I am an amateur astronomer. Several times I have had the privilege of spending a week or more at professional observatories, pretending to be a real astronomer. One of the most memorable conversations I remember hearing (over breakfast at 5 in the afternoon) was a discussion between two astrophysicists arguing about what happened to the universe 2 billionths of a second after the Big Bang. Almost everything was different in those first moments from the universe we observe today after everything had a chance to settle down. This seems to be the same for the universe of consumer identity today.

The problem is that the value propositions we espouse, only really make sense after large scale consumer identity has been in place for at least 5 years. I call this the “Steady State Theory of the Identity Universe”. We can easily describe the benefits in the steady state because there is enough network scale to make them work at that point. The really hard problem we have is that we are in bootstrapping mode and we are in relative terms only about “2 billionths of a second after the consumer identity big bang”.

There are several different models that make sense for getting from “here” (just after the big bang) to “there” (the steady state model).

One approach is to take a bounded identity community and show that you have a sufficiently high leverage point from your consumer identity space that you can show much better value than a few percent overlap with the service providers you are addressing. This bounding could be geographic, interest or community – anything that gives you a focused group to work with.

Another is to create a closed system, where you are in control of the consumers, identity provider and the relying parties (in a perfect world all three). In this way you can implement a set of progressive service types that add value over time. This is a little like the “store credit cards” you get from a Macys etc that provide value in their own environment.

Another is to tap into the enthusiasm of technologists who want to adopt the latest coolest thing – yes, we all know who we are…

Yet another is to provide an ecosystem where the value from the small number of consumers, is so appreciably high, that the relying party will really, really want to interact with them. If this can be tied directly to fraud/risk reduction, or increased revenue then this is a potential winner.

At PayPal we have been thinking about how do we show value to the various players (there are probably at least 4) in an identity ecosystem, and what are the success criteria. One of the more interesting challenges is how do you decouple the value propositions so you do not have to show value to all participants at the same time (I hear another blog posting).

I am sure there are different “correct” answers in any of the bootstrapping models. And clearly the answer varies by technology, market, community and business segment. What I want to focus on here is that irrespective of which is your favorite hobby horse, talking to relying parties, consumers and identity providers about value propositions that will not be realized until we are operating in the “Steady State of the Identity Universe” will not actually help (yes, I do know how technology evangelism works). What we need to focus on is how to bootstrap these models.

In general my contention has been for a long while, that we have no shortage of technologies. The real issue is how build business and service models that will let us get to where we want to go.

Sheesh – who knew this was going to be so hard

I had great intentions (am I in hell yet?) about discussing my thoughts and findings as I worked through the various issues relating to consumer identity

My excuses are that a) proprietary and strategic value to my employer, and b) actually realizing I ought to shut up and test a bunch of thoughts … have resulted in me not actually wanting to say anything in a blog context for quite a while

Well, I think I have some thoughts that are worth sharing (or at least debating), so I am hoping to get them written down.

The discussion my thoughts have been generating recently has been fun and engaging, so it looks like at least some people think I may have some interesting ideas – as always you will all make up your own mind :)