A “change in user behavior”

Farhang Kassaei is lead architect for platform and systems at eBay Inc and blogs at Software For All Seasons.  He makes a great point about one key factor that blocked CardSpace deployment:

Having worked on an authentication concept with MSFT for eBay sellers, I had mixed feelings about this [Microsoft's decision not to ship CardSpace 2.0 – Kim]. On one hand I was on the record not supporting the use of CardSpace for eBay sellers (or buyers). On the other hand I am concerned that the technical community discounts the significance of Claim Based identity altogether and concludes that “Facebook Connect” is all we'll ever need.

There is a good reflection (from an insider's point of view) on CardSpace here. (courtesy Gunnar Peterson)   My personal view (and the reason I didn't support the adoption of CardSpace at eBay) though centers around the challenges of “Change of Behavior” required by CardSpace.

Basically, CardSpace failed because it required users to change their behavior. See, the “User name and password” protocol (a simple challenge and response) IS a protocol, one in which a human being (a normal user) is a participant. It has taken about 20-30 years (depending on how you count) to train users what to do when they see a “login panel”; the “login panel” contract is so widely understood that, despite all of its shortcomings, it is the most viable remote authentication protocol we have today. It is flawed, it is costly, it is not secure, but it is widely understood by users on the other end of the protocol. CardSpace, despite all its advantages, was not understood; it would (and did) make people confused; they did not know what to do when the CardSpace screen popped up … a technology whose adoption depends on change of a strongly learned behavior is unlikely to succeed (or at least I didn't think eBay sellers – not the early adopters of technology – would learn and accept it).

It also didn't help that a lot of browsers didn't support it (installing a plug-in does not count), and the fact that developers didn't know how to issue cards (or validate, update or revoke them).

Having said that, I did like the idea of decentralized identity providers and not having any one identity provider be THE identity provider that everyone else had to rely on (putting users in control of their own identity). Compare this with a world where one identity provider (be it Facebook or Google or Twitter or anyone else) is the dominant identity provider because it is easy for RPs to embed a simple button and for users to click on it.

Reading Farhang's post, here's what I find most interesting.  It was never that users decided they didn't want “a change of behavior” around passwords.  Instead it was web properties like eBay (and a thousand others) who came to this conclusion.  Many of the people designing those properties worried that providing users the option of changing their behavior was too dangerous – especially since it was not essential… 

In the history of computing there have actually been plenty of cases where users DID change their behavior – even though at first only a few people could understand or use the new alternatives.  But those “early adopters” were able to try the new inventions on their own.  They didn't need anyone else to approve something or decide they would like it first.  Once convinced, they could show the new ideas to others.

When Visicalc appeared, I don't know how many people in IT would have bet that every accountant in the world would soon be throwing out his pencils and starting to use spreadsheets for things no one can even now believe are possible!  The same is true for a thousand other applications people came to love. 

But because authentication doesn't stand on its own, users never got the chance to start using Information Cards “just because they felt like it”.  They needed web sites to make the same bet they did by implementing Information Card support as an option.  

Web sites didn't want to bet.  They wanted to keep to “the matter at hand” and prevent their users from getting lost or distracted.  The result: a preemptive chill settled over the technology, and we never really got to see what users would make of it.

My conclusion:  regardless of what new features they support, user centric identity solutions need to be built so they work with as many existing web sites as possible.  They can't require buy-in from all the big web sites in order to be useful. 

I think we should have included a way for Information Cards to support password-based sites.  It was possible.  I personally avoided it because I was worried it would be unreliable and not work at all sites.

Yet a lot of password managers do this, and Dick Hardt's SXIP system combined this approach with support for new protocols.  I think that aspect of his work was probably right.


B.C. to test virtual digital ID card

Here's a story by the Canadian Broadcasting Corporation (CBC) on the British Columbia government's IDM project.  Dick Hardt of sxip played the key and even charismatic role in developing a catalytic relationship between industry and government.

British Columbia will test a virtual ID “card” that enables citizens to connect with the government's online services more safely and easily, a top technology official said.

The government plans to begin tests on an “information card” early in the new year, said Ian Bailey, director of application architecture for the province's Office of the Chief Information Officer.

The cards are in the early stages, and “there's going to be some challenges,” Bailey said.

An information card is not a card at all: it's more like a document delivered to users’ computers which they can then use to access government websites.

It's meant to replace the current method of access, which involves logging on to a site with a name and password, and has a digital signature that can't be changed or reproduced, Bailey said.

“It will give us better privacy protection for individuals,” he said.

Among other attributes, Bailey said using an information card means:

  • The government won't know which sites the user visits.
  • The user is in control of shared information.
  • The cards won't have to reveal users’ birthdates or addresses, or a student's school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.

He compared using the card to using a driver's licence for identification since, in both cases, the government does not know what the citizen is doing.
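The three properties in the list above (the issuer does not learn which site is visited, the user controls what is shared, and only derived facts such as "over 19" leave the issuer) can be shown in a small claim issuer. This is an added illustration, not code from the B.C. project or the CBC story; the subject record, the claim names and the key are constructed, and an HMAC stands in for the issuer's real signature so it runs with the standard library alone.

```python
import hmac, hashlib, json
from datetime import date

# Constructed sample: the full record held by the issuer. It is never sent to a site.
SUBJECT_RECORD = {
    "birthdate": "1990-06-15",
    "address": "Victoria, BC",
    "school": "Example University",
}

def _age(birthdate_iso, today):
    y, m, d = map(int, birthdate_iso.split("-"))
    born = date(y, m, d)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

# The only claims the issuer will derive; each yields a yes/no answer, not the raw data.
# (Claim names are assumptions for this example.)
DERIVED_CLAIMS = {
    "over19": lambda rec, today: _age(rec["birthdate"], today) >= 19,
    "bc_resident": lambda rec, today: rec["address"].endswith(", BC"),
    "student": lambda rec, today: bool(rec.get("school")),
}

def issue_token(requested, record, key, today):
    """Sign a token holding only the claims the user agreed to release.
    The token names no site, so the issuer learns nothing about where it is used.
    A request for an undeclared claim (e.g. 'birthdate') is refused, not leaked."""
    unknown = [c for c in requested if c not in DERIVED_CLAIMS]
    if unknown:
        raise ValueError(f"refusing to issue undeclared claims: {unknown}")
    claims = {c: DERIVED_CLAIMS[c](record, today) for c in requested}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}

def verify_token(token, key):
    """Relying-party side: accept the claims only if the issuer's signature checks."""
    expected = hmac.new(key, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    return json.loads(token["claims"])
```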

Dave's mother

During one of the hospitality parties at the Burton Group's Catalyst conference I came across the SXIP folks showing their cool new application service “outsourcing appliance” that lets enterprises outsource HR or mail and calendar to companies like Salesforce.com and Google.  When employees are inside the firewall, they can just leverage Active Directory or some other LDAP server or authentication system to automatically create a SAML token that will log them into the service.

One of the requirements SXIP has encountered is for employees to be able to securely access these resources from their homes and hotel rooms without introducing the risk of password leaking. 

After all, most companies don't want employees revealing their enterprise username and password to service suppliers – but also don't want to support a separate username/password outside the firewall…  SXIP's solution:  use Information Cards.  It's a very simple and nice solution.

While looking at what they've done, I met David Huska, the incredibly fast and energetic engineering guy behind the project.  He started telling me about CardSpace and his mother, and I could see he had a great potential CardSpace “elevator pitch” – meaning a way to explain a technology while riding an elevator up a few stories.  So I cut him off, pulled out my phone, and asked him to start again.  Here's what he said:   

Kim:  So you were talking about your mother…

Dave:  What were you saying about my mother, Kim?  Were you talking about my mother?

Kim:  I love your mother.

Dave: Alright.  CardSpace is an analogy my mother gets.  She doesn't understand what I do in a million years, but CardSpace she gets.  She sees the cards.  Everything else stops.  Everything goes away.    She can't do anything else until she chooses a card. 

When she pulls out her purse, she sees her cards.  And with CardSpace, she sees her cards.  She can see what card they want from her.  She can see the information they're looking for from her.  She can decide what she wants to use, or not – what she wants to approve or not. 

It's like being in the supermarket.  She can decide which card she wants to give – and if she wants to.  It makes sense for her.  It's simple.  It's a clean UI.  It's well done. 

Kim:  (Referring to SXIP's cool new system – that supports Information Cards.)  So has your mother actually seen this?

Dave:  Yes, she's seen it running on my test machine.  She said, “Oh this is what you do.  I finally get it.”  And I had to say, “Well, this isn't exactly what I do – it's what another company does.”  But you got her closer to understanding what I do than just about anything else I've ever shown her.  So thank you.

Dave is great – and I love his mother too.  Any thanks should be directed to all the people on the CardSpace team who did all the work and refinement and threat modelling and studies, and who are coming out with a nice update in the very near future.