Monday 2 November 2015

No business case for Identity Providers (part 3)

Would I like to be an identity provider?
Well, of course. I would make sure that my identities were very reliable and reusable. My identities must be trusted in order to make them reusable by different service providers, the government, banks and other websites. This, of course, requires the use of open standards and an auditable governance and trust framework. To achieve this, I need a business model, because someone has to pay for all this. In my opinion there are several models:
  • The citizen/customer pays for his digital identity
  • The citizen/customer gets a digital identity for free, no costs
  • We license a trust framework


Anyone requiring a digital identity from a trustworthy identity provider needs to pay for the use of the digital identity. The question is whether I, as a consumer, would be willing to pay for a digital identity. If I can't use the identity, I don't want to pay for it: 'What's in it for me?' This model requires a convincing story: as a consumer I need the assurance of the reuse potential.
If I were an identity provider, would you pay for my digital identity if I could guarantee reuse? If so, how much? That's difficult to calculate. There are many costs attached to running a trustworthy identity management system. Most of these costs are fixed costs. The more identities I can sell, the lower the management and security costs per identity and thus the lower the price of a digital identity. How about $20 for every identity? And with a periodic renewal every 2 years? Because identities erode.

Zero$ identities

There are different variants of this model.

1) Like I mentioned in an earlier post, the Dutch DigiD is an example of a trustworthy free identity. The identity is free; the costs of the identity are borne by the identity provider. Because of the use of DigiD, Dutch citizens can perform a lot of G-C transactions online, and data entry is moved from the civil service to the citizen. The disadvantage of this model is that the reuse potential is low. The identity can only be used at a few service providers within the trust framework, like local government and a limited number of legally appointed third parties.

2) Another instance of this model is a company that pays for the costs of identity management and provisioning for its own customers. Just like the DigiD case mentioned above, but with a larger reuse objective. All parties in the trust framework abide by the rules of the trust framework and guarantee conformance to the rules. This means that there should be auditable quality and trust criteria, resulting in some kind of seal of approval... It looks a lot like the OpenID+ model I wrote about in a previous post.
An identity that can be used often has a higher value than an identity without reuse potential, hence an identity provider with high reuse value identities will have a better reputation and may be willing to invest in this identity provisioning service. What will this cost? The trust framework will be expensive, so the costs of such an identity will be higher than the costs of the first model, let's say $50 per identity. Such an investment has a positive return on investment, even more so if the service results in frequent customer contact as well, for instance because of periodic renewal of the identity.

Commercial providers of free identities like Facebook, Twitter and LinkedIn implement this model in some way. The reuse potential of this model is moderate to low, because of the lack of a trust framework. Only service providers within the trust framework of the identity provider (think of Blogspot, which lets you use your Gmail account to log on) offer the reuse potential. Other SPs, who don't require trust but just rely on the identification and authentication of a customer, may allow the use of a free account.
What is the business case for identity provisioning for these commercial IdPs? They offer a free digital ID, but who is paying for it? When you use it by logging in with open protocols like OAuth, there is no transaction fee for authentication. This is an interesting question. These IdPs seem to earn a lot of money by managing your digital ID in a different way. Managing and securing identities is costly, but their business model has an enormous ROI because of the services they offer by analysing the value of your identity, your profile. Your behavior is valuable…
Is such an identity a good match for all purposes? Obviously not: there is no trust in your digital ID, because, no matter what 'real name' policy applies, the IdP doesn't really know you, it only knows your profile. And the provider knows every service provider you use, based on your logon.
You could upgrade the value of an untrusted digital ID by using a third party verification schema, for instance upgrade your Twitter account by having it validated by another trust framework. This of course creates a larger reuse potential (in the other trust framework) with your simple logon feature. But of course, someone will have to pay for the added trust by verification in a third party trust framework. There's no free lunch...

3) The third instance of this model is that an identity provider gives out free identities, but makes the service providers who trust the identity pay the fee. That could be a per-use fee, or a subscription fee. This creates a high reuse potential within this trust framework. In this way the service provider doesn't have to pay all costs for identity provisioning, thereby saving a lot of money and limiting compliance risks – if you don't manage identity data, you can't lose it… How much should this cost? Hard to say, but I think that $0.10 per reliable authentication could well be feasible. Or a subscription fee of, let's say, $10 per customer per year?
For IdPs there is a real incentive to create as much reuse potential as possible. The more often an identity is used, the higher the profit. But reuse potential is a result of reliability and reputation, and identity provisioning is an expensive business model. And if a digital identity is not used often enough, this will result in a financial loss.

Last model...

Let's just create a trust framework and have anyone use it. Both identity providers and service providers pay a license fee and can start using it. The trust framework guarantees reuse and every party can decide their own business model (I wrote about this long ago...). But the trust framework has to be developed, managed and monitored, according to open standards and governed by legal standards. So someone has to pay for this model too. And there is an example: OIX by the Open Identity Foundation.

Lingering business case problems...

There are some other problems for identity providers and service providers. From the business case, the main driver for profit is the reuse potential of digital identities. Only if there is reuse capability can operating an IdP be affordable. If not, there is no business case. If an identity cannot be reused, it may well be too expensive for the customer, the IdP or the SP.

But there is a strange paradox… The better the reuse potential, the less I am inclined to use other identities: the one with the best reuse potential will be my preferred ID. This means that I don't need another IdP. And the same is true for other consumers as well. This means that there is limited room for other IdPs. (I know, you may want to use more than one identity, but that's out of scope for this post :) )

Is there a business case for IdPs?

No trust framework, no reuse. No reuse, no business case. No business case, no digital identities. No digital identities, no trust framework. No trust framework, no reuse, no business case.

I may want to be an identity provider, but I don't believe that there is a business case, unless you manage to be in the same league as Facebook and friends...

