Would I like to be an identity provider?
Well, of course. I would make sure that my identities were very reliable and reusable. My identities must be trusted in order to make them reusable by different service providers, the government, banks and other websites. This, of course, requires the use of open standards and an auditable governance and trust framework. To achieve this, I need a business model, because someone has to pay for all this. In my opinion there are several models:
-
The citizen/customer pays for his digital identity
-
The citizen/customer gets a digital identity for free, no costs
-
We license a trust framework
$Identity
Anyone requiring a digital identity by a trustworhy
Identity Provider needs to pay for the use of the digital identity.
The question is if I, as a consumer, would be willing to pay for a
digital identity. If I can't use the identity, I don't want to pay
for it: 'What's in it for me?'. This model requires a convincing
story: as a consumer I need the assurance of the reuse potential.
If I were an identity provider, would you pay for my
digital identity if I could guarantee reuse? If so, how much? That's
difficult to calculate. There are many costs attached to running a
trustworthy identity management system. Most of theses costs are
fixed costs. The more identities I can sell, the lower the management
and security costs per identity and thus the lower the price of a
digital identity. How about $20 for every identity? And with a
periodic renewal every 2 years? Because identities erode.
Zero$ identities
There are different variants of this model.
1) Like I mentioned in an earlier post, the Dutch DigiD is an example of a trustworthy free identity. The identity is free, the costs of the identity are made up for by the identity provider. Because of the use of DigiD, Dutch citizens can perform a lot of G-C transactions online, data entry is moved from the civil service to the citizen. The disadvantage of this model is that the reuse potential is low. The identity can only be used at a fw service provider within the trust framework, like local government and a limited number of legally appointed third parties.
1) Like I mentioned in an earlier post, the Dutch DigiD is an example of a trustworthy free identity. The identity is free, the costs of the identity are made up for by the identity provider. Because of the use of DigiD, Dutch citizens can perform a lot of G-C transactions online, data entry is moved from the civil service to the citizen. The disadvantage of this model is that the reuse potential is low. The identity can only be used at a fw service provider within the trust framework, like local government and a limited number of legally appointed third parties.
2) Another instance of this model is a company that pays for the costs of identity management and provisioning for it's own customers. Just like the mentioned Digid case, but with a larger reuse objective. All parties in the trust framework abide by the rules of the trust framework and guarantee the conformance to the rules. This means that there should be auditable quality and trust criteria, resulting in some kind of a seal of approval... It looks a lot like the OpenID+ model I wrote about in a previous post.
An identity that can be used often, has a higher
value that an identity without reuse potential, hence an identity
provider with high reuse value identities will have a better
reputation and may be willing to invest in this identity provisioning
service. What will this cost? The trust framework will be expensive,
so the costs of such an identity will be higher than the costs of the
first model, let's say $50 per identity. Investments with a positive
Return on Investment, even more if the service will result in
frequent customer contact as well, for instance because of periodic
renewal of the identity.
Commercial providers of free identities like Facebook, Twitter and LinkedIn, implement this model in some way. The reuse potential of this model is moderate to low, because of the lack of a Trust Framework. Only service providers within the trust framework of the identity provider (think of Blogspot, that enables you to use your Gmail account to logon) offer the reuse potential. Other SP's, who don't require trust, but who just rely on the identification and authentication of a customer, may allow the use of a free account.
What is the business case for identity provisioning
for these commercial IdP's? They offer a free digital ID, but who is
paying for it? Because when using it, by logging in using open
protocols like Oauth, there is no transaction fee for authentication.
This is an interesting question. These IdP's seem to gain a lot of
money by managing your digital ID in a different way. Managing and
securing identities is costly, but their business model has an
enormous ROI because of the services they offer by analysing the
value of your identity, your profile. Your behavior is valuable…
Is such an identity a good match for all purposes?
Obviously not. there is no trust in your digital ID, because, no
matter what 'real name' policy, the IdP doesn't really know you, it
only knows your profile. And the provider knows every service
provider you use, based on your logon.
You could upgrade the value of an untrusted digital
ID, by using a third party verification schema. For instance upgrade
your twitter account by having it validated by another trust
framwork. This of course creates a larger reuse potential (in the
other trust framework) with your simple logon feature. But of course,
someone will have to pay for the added trust by verification in a
third party trust framework. There's no free lunch...
3) The third instance of this model is that an identity
provider gives out free identities, but makes service providers, who
trust the identity, pay the fee. That could be based on a per per use
fee, or in a subscription kind of fee. This creates a high reuse
potential, within this trust framework. In this way the service
provider doesn't have to pay all costs for identity provisioning,
thereby saving a lot of money and limiting compliance risks – if
you don't manage identity data, you can't lose them… How much
should this cost? Hard to say, but I think that $0.10 per reliable
authentication could well be feasible. Or a subscription fee of,
let's say, $10 per customer per year?
For IdP's there is a real incentive to create as much
reuse potential as possible. The more often an identity is used, the
higher the profit. But reuse potential is a result of reliability and
reputation, Identity Provisioning is an expensive business model. And
if a digital identity is not used often enough, this will result in a
financial loss.
Last model...
Let's just create a trust framework and have anyone
use it. Both identity providers and service providers pay a license
fee and can start using it. The trust framework guarantees reuse and
every party can decide their own business model
(I wrote about this long ago...).
But the trust framework has to be developed, managed and monitored,
according to open standards and governed by legal standards. But
someone has to pay for this model too. And there is an example, OIXby the Open Identity Foundation.
Lingering business case problems...
There are some other problems for identity providers
and service providers. From the business case the main driver for
profit is the reuse potential of digital identities. Only if there is
any reuse capability, operating an IdP can be affordable. When not,
there is no business case. If an identity cannot be reused, it may
well be too expensive for the customer, the IdP or the SP.
But there is a strange oxymoron… The better the
reuse potential, the less I am inclined to use other identities, the
one with the best reuse potential will be my preferred ID. This means
that I don't need another IDP. And same is true for other consumers as well. This means that there is limited room for other IDP's. (I know, you may want to use more than one identity, but that's out of scope for this post :) )
Is there a business case for IdP's?
No trust framework, no reuse. No reuse no business
case. No business case no digital identities. No digital identities, no
trust framework. No trust framework, no reuse, no business case.
I may want to be an Identity Provider, but I don't believe that there is a business case, unless you manage to be the same league as facebook and friends...
(based on my Dutch language post https://www.cqure.nl/kennisplatform/digidem-4-het-opbrengstenmodel)
I may want to be an Identity Provider, but I don't believe that there is a business case, unless you manage to be the same league as facebook and friends...
(based on my Dutch language post https://www.cqure.nl/kennisplatform/digidem-4-het-opbrengstenmodel)
Geen opmerkingen:
Een reactie posten