Unfortunately, a tremendous amount of time, energy and money has been spent within the past five years by well-intentioned visionaries who, like myself, saw an opportunity to enable end-user control over digital identity but were not able to capitalize on that opportunity.
While I owe my involvement in the identity industry to a similar personal passion, to see that end-users are ultimately in control over their digital identity, I have come to appreciate the timing of the opportunity and the phases in which the industry will likely evolve.
Understanding the nuances of how identity-related technologies are progressively adopted is likely the secret ingredient of any winning strategy for vendors in the identity space, and in the spirit of being true to my other passion, open source and open strategies, I am going to lay out my ideas here in an open manner.
To begin, let’s start with a bit of background. Back in March of 2002, I published an essay which put forth the notion that there were in fact three tiers of identity. For simplicity, I’ll summarize the three tiers of identity below:
Tier 1: Personal (My) Identity – A T1 identity is your true and personal digital identity and is owned and controlled entirely by you, for your sole benefit. T1 identities are both timeless & unconditional and can exist for people as well as for devices and/or programs or objects, with the exception that a device or program T1 identity operates only as an AGENT of a personal (human) T1 (every object is owned and/or controlled by someone). We refer to object T1’s as ‘T1a’.
Tier 2: Corporate (Our) Identity – A T2 (corporate) identity refers to our digital identities that are assigned to us by corporations (e.g. our ‘customer accounts’). Nearly all of the existing digital identities are T2 identities — our title (assigned to us by our employer), our cell phone number (assigned to us by our mobile phone operator), our United Mileage Plus number (assigned to us by United Airlines), our social security number (assigned to us by the Government), our credit card number (assigned to us by our credit card companies) and the list goes on and on. T2 identities are both conditional & temporarily assigned and they can be revoked by either us or the company which issued them – thus you can think of them as ‘our’ identity.
Tier 3: Marketing (Their) Identity – A T3 identity is an abstracted identity in that it identifies us through our demographics and other reputation-like attributes, but does not need to do so in a 1:1 manner. T3 identities speak to the way in which companies aggregate us into different marketing buckets for the purposes of advertising or communicating with us. For example, we are either a ‘frequent buyer’ or a ‘one time customer’, etc. T3’s are typically based upon our behavior in our interactions with business. The entire CRM market caters to T3 identities.
While I and others who share a passion for the subject have steered the discussion towards enabling an infrastructure in support of the T1 identity, the fact is that neither end-users nor the world around us is ready for this infrastructure at this time, and many companies have tried and failed to develop market share for technologies which supported the notion of a T1 identity.
The problem with attempting to build support for T1 infrastructure (e.g. personal identity servers or even P2P-based identity clients) at this time is that doing so would leave that infrastructure isolated from, and misunderstood by, existing corporate infrastructure (corporate systems do not yet speak the language of identity), and as such it would lack real utility in practical everyday use. Any T1 infrastructure built and deployed in Phase I (see below) of the industry’s development is likely to receive only limited adoption, while lacking mainstream appeal.
The purpose of this essay is to introduce the notion that there might in fact be at least two intermediate phases which MUST take place before the world is prepared in all respects to absorb and indeed ‘enable’ the true utility of a T1 identity. These steps, or phases, and a brief description of their characteristics follow:
Phase I: Federation of T2 Identity
The first phase of digital identity infrastructure adoption will be characterized by a ‘linking’ of existing identity systems. Under what is now referred to within the industry as ‘identity federation’, companies are beginning to figure out the language of connecting or linking their existing T2 identity databases or LDAP directory repositories, authentication systems, authorization systems and user management systems. This is a critical first step towards the broader notion of a ‘universal’ digital identity infrastructure, because it represents a small, incremental improvement over the way in which things are currently done, and does not require a ‘rip and replace’ strategy for corporations who are looking to gain incremental utility from their existing IT investments.
Enterprise interest in the Liberty Alliance Project and the work being done by only validate the fact that this is in fact a logical starting point for corporations to focus.
The reason Phase I is so important is not that it allows corporations to maintain some semblance of security while dealing with the inevitability of their disappearing firewall, but that in the process of federating, companies will define the common language (protocol) of identity interchange, a language which MUST be installed and understood by all enterprise applications PRIOR to the T1 identity having any real world utility.
The advantage of Phase I from an enterprise perspective is that it allows corporations to take a logical, useful but incremental first step. It also allows them to engage partners in more meaningful interactions while providing conveniences to end-users through things like single sign-on.
The disadvantage of T2 identity linking (identity federation) is that there is a tremendous amount of redundancy in maintaining accurate information for the same individual across N databases, and this redundancy is an extremely inefficient way to do things. That said, customer databases have been, and will continue to be, viewed as both sacred and highly protected informational assets, and not something companies will be willing to give up anytime in the near future.
Phase II: Transition and Equilibrium
One sign that we are entering Phase II will be that consumers become much more aware that they have a digital identity and that it is being used by corporations. At this point, end-users will begin to desire, or in some cases even demand (e.g. through legislation), more control over the use of and access to their digital identity profile and attribute data. As a result of this awareness, and in fact real demand, there will be renewed interest in building out T1 identity infrastructure, the difference being that this time the T1 infrastructure will be built using the pre-installed language of identity invested in so heavily by corporations in Phase I (a key distinction in terms of the potential for success of T1). Because T1 and T2 now co-exist in Phase II, an equilibrium will likely emerge with respect to ‘who controls what aspects of your data’.
Note that Phase II may or may not actually be a transition phase. It might indeed be a final state. It is quite possible that the evolution of identity infrastructure never progresses beyond Phase II, and I don’t believe that this is actually a bad thing. The co-existence of T1 and T2 systems could work provided a fair and balanced equilibrium with respect to control is reached between the needs and desires of the individual and the requirements of businesses to communicate with and service their customers. The only reasons I can envision the world progressing in its evolution beyond Phase II and towards Phase III would be external pressures such as legislation, or the efficiencies gained in Phase III through the elimination of redundant information coming to outweigh enterprises’ concerns that ‘fair use’ (Phil Becker) would in some way break or cease to exist.
Phase III: The True T1 Emerges
In Phase III, T1 has evolved to the point where companies begin to rely upon the integrity of the T1 (maintained by the individual) and query the T1 to update their T2’s. When (and if) this occurs, T2’s as we know them today will likely change forever. It will be as if the T1 becomes the ‘master’ and the T2 the ‘copy’.
The advantage of Phase III from the consumer or end-user perspective is that, finally, they will be in complete control over their digital identity. From a corporate point of view, the advantage will be that the need to maintain a redundant copy of an end-user’s account information, and the costs associated with maintaining that data (ensuring that it is current and accurate), will be eliminated. Personally, I do believe that, provided ‘fair use’ is accommodated, Phase III offers the most advantages to both the individual and the corporation.
Once again, I am not sure that the world ever evolves as far as Phase III, but I do believe that Phases I and II are precursors for even the possibility of a Phase III as described here.