Since 2007, I have taken a great interest in the subject of identities on the web. This was because around 2007 I learned about Facebook, saw Google really pushing its identity unification and learned about CardSpace through the release of Microsoft .NET 3. Ever since, I have been really interested in what is going on with these companies and why they are challenging each other so much on this matter.
All of the above companies, including Twitter, are trying to get their users to use their credentials on every other site. All of them are also releasing software components that allow sites and applications to provide authentication based on Facebook’s, Google’s and the others’ credentials.
If you are interested in why these companies are making this effort and investment, then keep reading.
First, some introduction. Every security system has three key components.
- Authentication. This process is about verifying a user through credentials as a valid identity for a specific system.
- Authorization. This process is about enabling or disabling the system’s functionality for every authenticated identity.
- Auditing. This is about keeping track of the user-identity’s actions.
Most people see all three steps from the scope of one specific system. The best-case scenario is that the system is composed of a set of several applications, so Single Sign On would be a good functionality to have. This is what most users experienced with Google’s security unification and Microsoft’s upgrade from Passport to Live ID.
The key thing is that all these companies have realized the importance of providing authentication not for one specific system, not even for a set of systems, but for every application in the world. Google has branded the term search in our minds. Facebook and Twitter have done the same for socializing. Think about how hard Google tried with Wave, and is trying now with Google+, to take a portion from Facebook and Twitter. Think also how hard Microsoft is trying to take a percentage from Google with Bing Services. Isn’t there a reason why?
Personally, I think that in the world of globalization one thing has not yet been conquered or branded: identities. And this is what it is all about: which company will make its brand name the synonym for identity in people’s minds.
All four companies, plus Oracle and WordPress as fifth and sixth contenders, are currently fighting for the Identity brand by using different tools and different financing. The common denominator is that all of them have provided toolkits that allow other applications to use their credentials as a security system. The difference lies in the services they have to offer and in how they are financing their involvement in this war.
- Google is using Google Search and AdSense to mostly finance itself. It is using its auditing mechanism to better facilitate its advertisement service. Additionally, it provides a number of services to help convince you to sign up with its identity system. One thing currently missing is the social media sector, where Facebook and Twitter still have the upper hand. Lately Google is also trying to promote its services through the Android mobile platform.
- Facebook and Twitter are using their social network infrastructure to finance their business. Actually, they are selling your, my and everybody’s audited data to make money.
- Microsoft, on the other hand, was a bit late in this story. It is using its on-premises products like Windows and Office to mostly finance itself. Since Ballmer took over, Microsoft has been showing great interest in cloud services and trying to move those applications to a SaaS model. The common denominator in all of Microsoft’s efforts is forcing the use of Live ID. They even created a mobile operating system to force people to sign up with Live ID and to use Bing services. They are even using Azure Services as a tool to further expand the usage of Live ID.
All these companies have the luxury of investing in this effort by financing it indirectly through the same tools or through existing products. But none of them like users to log on to their services with credentials other than their own. Microsoft and Facebook, who share stock, are probably the only ones who have joined authentication on their systems. You may have seen this while using Live Messenger. Isn’t this a bit strange for companies that are trying so hard to convince other vendors and companies to use their identities, yet do not want to use others’? They even got together to standardize the authentication process for their RESTful services.
The important thing you need to understand is that even if you are not using your Facebook identity to log on to an online application, Facebook knows about it indirectly because of the Like and Share buttons. Browsers tend to supply the cookie information for a host with every request to that host, and applications tend to audit every request. So even if you merely download an image from Facebook while reading a biking blog, Facebook knows about it. And Facebook is just an example.
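The mechanism described above, as an added example that is not part of the original post: a widget host's request log is grouped by the identity cookie the browser sends with each request. The host name `widgets.social.example`, the cookie name `uid`, the sample requests, and the use of the standard `Referer` header to learn the embedding page are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: requests as received by a hypothetical widget host
# (widgets.social.example) whose button is embedded on unrelated sites.
SAMPLE_REQUESTS = [
    "GET /like.png HTTP/1.1\r\nHost: widgets.social.example\r\n"
    "Referer: https://bikes.example/blog/alps-tour\r\nCookie: uid=alice-42; lang=en\r\n\r\n",
    "GET /like.png HTTP/1.1\r\nHost: widgets.social.example\r\n"
    "Referer: https://news.example/politics/vote\r\nCookie: uid=alice-42\r\n\r\n",
    "GET /like.png HTTP/1.1\r\nHost: widgets.social.example\r\n"
    "Referer: https://bikes.example/shop/helmets\r\nCookie: uid=bob-7\r\n\r\n",
    # Browser configured to block third-party cookies: no Cookie header.
    "GET /like.png HTTP/1.1\r\nHost: widgets.social.example\r\n"
    "Referer: https://health.example/clinic\r\n\r\n",
]

def parse_headers(raw):
    """Return the request headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def build_audit_trail(raw_requests, id_cookie="uid"):
    """Group embedding pages by the identity cookie sent with each request."""
    trail = defaultdict(list)
    unlinked = []  # visits that arrive without an identity cookie
    for raw in raw_requests:
        headers = parse_headers(raw)
        page = urlsplit(headers.get("referer", ""))
        visited = page.netloc + page.path
        cookie = SimpleCookie(headers.get("cookie", ""))
        if id_cookie in cookie:
            trail[cookie[id_cookie].value].append(visited)
        else:
            unlinked.append(visited)
    return dict(trail), unlinked

if __name__ == "__main__":
    trail, unlinked = build_audit_trail(SAMPLE_REQUESTS)
    for identity, pages in trail.items():
        print(identity, "->", pages)
    print("not attributable:", unlinked)
```

The last sample request shows the effect of a browser that withholds third-party cookies: the widget host still sees the visit, but cannot tie it to an identity.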
There are all kinds of protocols and token formats that provide for this process. Single Sign On (SSO) is the best-known name because it is easy and targets the user’s convenience. In reality, SSO is legally masking what is going on behind the scenes. It is important to remember that Single Sign On works not only for the application you are interested in but also for all the rest, through the mechanism I described above. Most developers are now starting to learn about the tools available for SSO through names like Security Token Service (STS) and Identity Provider (IP). .NET developers will notice this more with a new feature that Visual Studio 11 is making available, which is actually a developer self-hosted STS. These tools are still mostly for on-premises solutions, but if you understand the mechanism then maybe you can start to see what is going on.
Most companies want to increase their revenues by auditing what users are doing with their applications. What most of these companies don’t understand is that in order to do this you need the user to be registered with them. All the companies that are fighting over identities realized at some point in the past that, although this may seem trivial, it is the single most important asset of their enterprise, because with it they can audit every application. Companies that don’t realize this, or are only starting to now, unfortunately either need to start an effort in an already unfair and challenging war or succumb and make an agreement with them to get a part of their audit data. Google already allows this with Google Analytics.
You cannot audit something without knowing the identity you are auditing for. This is why I personally believe that Identity is turning out to be the single most important asset in all web-based companies. If you compare it with real life, could anything work without government-controlled identities? Now think about it for the WWW and you will start understanding the magnitude and significance of having something like five companies providing identities for all e-persons in the world. Think about the comparison between the total number of governments in the real world and the number of e-Identity providers in the virtual world. Is it now less strange that companies thought of, until recently, as open are trying to keep governments like China happy? Besides revenue, would they risk, in the long run, having one billion out of six start using a different Identity Provider than their own?