I spent a bunch of time last night and this morning noodling on Evan Williams’ post Five Easy Pieces of Online Identity, where he talks about what people often mean when they talk about “online identity”. His list has the following five entries:

1) Authentication
Question Answered: Do you have permission?*
Offline Equivalent: Picture ID or keys, depending on method.

2) Representation
Question Answered: Who are you?
Offline Equivalent: Business card. (Also: Clothes, bumper stickers, and everything else one chooses to show people who they are.)

3) Communication
Question Answered: How do I reach you?
Offline Equivalent: Phone number.

4) Personalization
Question Answered: What do you prefer?
Offline Equivalent: Your coffee shop starting your drink when you walk in the door.

5) Reputation
Question Answered: How do others regard you?
Offline Equivalent: Word of mouth/references, credit agencies.
I think Ev’s post is a really good start to answering the question of why one would want to identify a user in an application or website. Specifically, what does a user get from being asked to log in or register to your application or website? Secondarily, it also provides the framework for deciding if or when you should use your own identity system or should leverage someone else’s, such as Facebook Connect.
Ev misuses the term authentication in his post, which is a little confusing since he seems to do it knowingly. All five entries on his list are facets of what you get when you identify or, in some cases, authenticate a user. For identification, you may simply need an identifier such as an email address or URL. For example, if I give you the URL to my Facebook profile, you get to see how I’ve chosen to represent myself to the world (e.g. my profile picture is a family shot, which tells you something about me), you can contact me if you’re in the right network on Facebook, and you can even make some personalization decisions by looking at the music and TV I’ve liked. Authentication is a more nuanced version of identification because it means you’ve proved that I’m actually the person who “owns” http://www.facebook.com/Carnage4Life, not just someone who knows that URL (or email address or other identifier).
The first thing to do is update Ev’s list:
- Authentication – who are you?
- Authorization – do you have permission?
- Representation – how do I want others to view me?
- Communication – how do I reach you?
- Personalization – what do you prefer?
- Reputation – how do others regard you?
- Commerce – how are you going to pay for this? (e.g. credit cards, putting a meal on your hotel room bill when eating at the hotel restaurant, etc.)
- Social – who are your friends?
The first change on the list is already explained. Asking who I am is an intrinsic aspect of all of the other items on the list.
The second change is obvious in retrospect. There is a broad class of websites and applications that need to identify a user so that the user can pay for a virtual or physical good or service. The biggest player in the identity and payment space on the open web is obviously PayPal, with minor competition from Google Checkout and Amazon Payments. There are also specific ecosystems where payment is a fundamental aspect of identity, such as Facebook Credits, which is part of the Facebook platform ecosystem, the 200 million iTunes accounts with credit cards that are a part of the iOS ecosystem, or Microsoft Points, which are the coin of the realm in the Xbox Live ecosystem.
The third addition is also a surprising omission from Ev’s list, given that this has been the primary way distributed identity has actually become popular on the Web. Unsurprisingly, the key player in this space is Facebook, which provides widgets such as the recommendations plugin, which allows sites like Engadget to show me what articles on their site my friends liked.
This list is pertinent to web developers from multiple perspectives. First of all, it’s a checklist that determines whether your application or website needs a user identity system. When you determine that you meet some of the requirements in the checklist, it also sharpens your focus on when you let identity get out of the way for your users. Sites like Yelp and Reddit are good examples of sites that need user identity for personalization, reputation and communication, but users can get value without using features that rely on those capabilities. However, neither site does a good job of explaining to users that they can get this functionality if they create an identity on the site. On the other hand, I think Quora does a particularly awful job of running this checklist when you hit the front page of the site, since you don’t even get to see any content without creating an account.
The list is also useful as a way to decide which aspects of your site or application’s identity requirements you want to maintain in-house versus outsource. Do you want to rely on Facebook’s social graph or have a friend list that is native to your site? Will you accept credit cards or just utilize PayPal or Amazon Payments? And so on. Finally, the list is useful for entrepreneurs as a way to segment the various use cases in the industry and see opportunities where things can be improved. Some people like to call game over for innovation in identity on the web given the Facebook juggernaut, but it is clear when you look at that list that there are parts of the identity space where they haven’t gained much traction, such as reputation and payments.