Thinking of that Buddhist koan, “If you meet the Buddha on the road, kill him,” I realized it is relevant for identities as well.
If you met your identity, would you recognize it?
When I register at a site I usually use the same username. It helps keep the catalog of things I have to remember to a manageable number. I always get concerned when my choice in username is taken. My first thought is, have I been here before? Did I already register? If so, “who” did I register as? I start scouring through offline emails trying to figure out if I saved the registration notice. 9 times out of 10, I haven’t. The next option is hoping that the Keychain or Password Manager grabbed the credentials for me. If the site’s login didn’t get prepopulated there’s little chance either repository has what I need. This leads me to the annoying process of having to register with a different username which I am definitely bound to forget.
The first problem is that I recognize my identity based on a login on a site. This is clearly a weak way to link me to the services I want to access on that site.
If you don’t meet your identity, how would you know it?
The following just happened to me. I went to a site to order some software. I know that I’ve used this site before. I know that I have ordered things from them before. But for the life of me I cannot remember “who” I registered as. In this case, the site uses email address as identity. The problem is I have multiple email addresses, some of which changed over time due to takeover, domain changes, etc. I can search my old emails, Keychain, Password Manager, etc., but I am still left with little to go on to figure out who I registered as. In this case, I can try and use a “Forgot your username / password” service, if the site has it. But what if I am mistaken and, in fact, I have never used the site before?
The second problem is that my catalog of registered identities is limited, if it exists at all. Worse yet, that catalog is spread across multiple machines both personal and work issued.
How do you kill your identity?
I know I have registered at dozens of sites over the years. Some, I’m sure, don’t even exist any more. But those that do have some little piece of my identity information on them. At the very least, they contribute to some of the spam that heads my way every day. I just don’t like the idea that I am not in control of the places my identity lives. Now, I grant you, if I was that concerned I would have kept better records about where I registered and “who” I registered as. The problem is five, eight, ten years ago we simply didn’t have the problems we have now. (Amazingly though, the oldest account I can think of that I have, my CDNow account, did morph into my Amazon account. Let’s hear it for good customer identity management on Amazon’s part.)
Quick quiz, how many sites that you frequent let you delete your identity? I think I may have seen one or two in all the sites I have been to. The third problem is there is not a common facility for tracking and deleting an old identity.
And that leaves me where exactly?
I don’t have a reliable and complete catalog of my identities. I don’t have a way to discover my registered identity from a given site. And even if I did have a catalog and could find identities I forgot about, I couldn’t prune old identities I no longer wanted out there.
To some extent this problem has been solved within the enterprise. Identity Management vendors can maintain the catalog of my identities and can prune identities as necessary. Those solutions, however, will either not work at Internet scale or will not be accepted by end users. We tried building something like this at Access360 with our Access360.net offering, but that flopped horribly and completely. My gut tells me the solution is more along the lines of Identity 2.0. I can’t wait for the Internet Identity Workshop next week to hear people’s thoughts on problems like these.