Interesting debate taking place in the blogosphere between two of my former colleagues from MSFT. It started with an article in Wired, titled “Slap in the Facebook”, decrying the closed nature of social networking sites and urging Facebook to embrace an open model where users can reference content from other services. Dare wrote a response pointing out that business incentives favor this closed “walled-garden” model: Facebook has no incentive to refer visitors to other websites unless there is some benefit to doing so, the idea being that eyeballs and traffic drive revenue for advertising-supported websites. By that argument, allowing users to link to other websites or reference content there amounts to an altruistic (read: foolish) act of driving those coveted eyeballs elsewhere. Kim Cameron came back with a rejoinder arguing that authentication by itself does not constitute a revenue source. Quote:
“Summary: what counts is the ACCOUNT, not the CREDENTIAL. Credentials should be seen as a cost center, and accounts as a profit center.”
Stepping back, there are three issues here:
- Authentication is indeed a cost center. Most companies’ investments in identity management systems originate from the requirement to solve a problem that the company itself has. As a concrete example, Amazon asks users to create an account so they can purchase books and track their orders. That scenario is directly relevant to its bottom line. It is difficult to see how allowing users to authenticate somewhere else with that ID contributes to the company’s business objectives, especially when each instance involves a transaction cost.
- In the language of identity management, relying parties are indeed at the mercy of identity providers. That is to say, if website Foo started accepting users with an identity issued by website Bar, it would be taking on a critical dependency on Bar. Many scenarios require authentication: if users cannot authenticate, nothing else works. This is partly the reason every website decided to invent its own identity management system (most of them mediocre and of dubious security assurance, as expected), contributing to the proliferation of passwords that unfortunate users must remember. It is possible that Bar will at some point decide to hold users hostage by refusing to authenticate anyone to Foo, especially if there is no contractual relationship between them. Cameron argues that the PR repercussions will act as a deterrent. It is not clear that this has prevented companies from breaking interop in the past, as the history of failed attempts at getting instant messaging systems to cooperate shows. Nor is this entirely unjustified paranoia: a failure of authentication leads to a breach of security, and the last thing an aspiring website wants is to get blamed for someone else’s error. In the public perception, blame is not always allocated fairly.
- Finally there is an interesting irony: everyone wants to see authenticated users coming in, but no one is interested in authenticating their own users to other websites. Even assuming that the concerns in #2 could be addressed and sites would be willing to accept external identities, why would any ID provider spend its own resources in the interest of another website? The common-sense answer would be: “because users want this feature.” But this is no different from the deadlock that existed among mobile carriers over the so-called number “portability” problem: every carrier wanted to be able to convert users over to its own network without changing their cell-phone number. Yet no company wants to make it easier for users to switch to another carrier, so there is an incentive to raise switching costs by not allowing the customer to keep the number. Any mobile carrier offering this on its own would be faced with the classic sucker pay-off from game theory. Eventually it was regulation that mandated portability, by forcing everyone to implement it at the same time.