Grab them eyeballs! Any cred at all!

Want to deeply understand how OpenID would make our lives better on social networks? Check out this piece by Dare Obasanjo, a program manager within Windows Live.  But be prepared to be jolted.  According to Dare, there is indeed a promised land, but we won't be allowed into it.

Dare is responding to Wired's Slap in the Facebook:  It's Time for Social Networks to Open Up.  He talks about the common-sense economics of identity, then asks why “there seem to be more OpenID providers than there are consumers”, concluding:

Why would Facebook implement a feature that reduced their user growth via network effects? Why would MySpace make it easy for sites to extract user profile information from their service? Because openness is great? Yeah…right.

Openness isn’t why Facebook is currently being valued at $6 Billion…

Dare's explanation of how the big web properties see things is spot on.  But are they right? 

Here is Dare's state of the union:

The major online services such as Yahoo! via BBAuth, Microsoft via Passport Windows Live ID, and AOL via OpenID all provide ways for third party sites to accept user credentials from their sites. This increases the value of having an account on these services because it means now that I have a Microsoft Passport Windows Live ID I not only can log-in to various Microsoft properties across MSN and Windows Live but also non-Microsoft sites like Expedia.

I have to ask, “So what?”  Once I'm on Expedia, who clicks my eyeballs and reaps the eyeball tax?  Expedia, not Windows Live. 

This increases the likelihood that I’ll get an account with the service which makes it more likely that I’ll be a regular user of the service which means $$$. 

Is this logical?  It all escapes me.  Suppose I start to log in to Dare's blog using an AOL OpenID.  Does that make money for AOL?  No.  I don't have to give AOL two eyeball seconds.

What would make $$$ for AOL?  To get my pretty eyeballs over there PDQ.  What's the best way to make that happen?  Make it easy!  Acquire new eyeballs! Acquire new eyeballs! Acquire new eyeballs! From anywhere and everywhere! 

The secret?  Auto-create an account on AOL no matter WHAT credential a user employs to get there.  You need this anyway to manage their profile.  Then get the user transparently to great experiences and start ringing up those eyeball seconds.  

When I've talked about these ideas with industry friends in the past, people have said, “But if AOL accepts a Yahoo credential, then it's at Yahoo's mercy.”  This is plain wrong!  If I use a Yahoo credential to get an account on AOL – and Yahoo one day starts barring users from AOL (!), just ride the resulting publicity to get Yahoo's (ex?) users to go to AOL and regain access using their email address – just as they would with a lost password!   In fact the right of AOL to send the user an email in this unlikely case could be written into their privacy policy.

Summary: what counts is the ACCOUNT, not the CREDENTIAL. Credentials should be seen as a cost center, and accounts as a profit center.

The world is standing on its head, my friends.   Some Facebook is going to figure this out and gobble up eyeballs from every nook and cranny of the internet.  That's the one I would invest in if I were a betting man. 

Published by

Kim Cameron

Work on identity.

15 thoughts on “Grab them eyeballs! Any cred at all!”

  1. Don'cha think liability might have something to do with it?

    Facebook and Myspace are currently coping with some serious liability concerns about sexual predators, underage users, etc. Why would they want to accept even more risk by trusting someone else's credentials?

  2. Yes, it appears that one can use a personal card now as a credential to Windows Live ID. But that really is only half way, right? What I really want is a managed card from Windows Live ID that I use to identify myself at relying sites. But that does not seem to be the direction MS is choosing here, instead they provide the proprietary Live ID Web SDK (or whatever it is called) for third party web sites to enable login at those sites with Live ID. But that is contrary to the spirit of the identity meta system, in my opinion: You guys should NOT sites to use very Live ID specific identification code, rather you should get sites to accept Infocards, where Live ID managed cards could be one of many providers accepted. I just can't help it to get the impression that there is a battle raging between the good guys here and the Live ID guys… Sorry…

  3. Actually, is the current user experience of integration of Live ID and CardSpace the final plan? I hope not… If I want to sign in somewhere now with Live ID using an Infocard instead of a password, I have to TWICE select an identity with TWO different identity selectors: First I am presented with my Live ID account list, then I select one, then the Cardspace UI pops up, where I again have to select between my identities and then I am finally in. That is a user experience nightmare and does not make any sense to me at all.

    By the way, this is no beta anymore, right? I accessed this just on a normal Live ID site, so this seems to be the real thing. Or not? Why was there no anouncement anywhere about this?

  4. But why beta test something that doesn't make sense? I really don't get where this is supposed to go… Sorry. And then: If this is a beta and there is still a chance to change it, lets give as much feedback as we can that we don't like the current implementation! That seems the point of a beta.

  5. I'll refrain from a resounding “Damn Straight!” and simply say “Precisely.”

    Summary: what counts is the ACCOUNT, not the CREDENTIAL.

    On the commercial side the relationship is everything – credentials are a facilitator of the relationship, not the relationship itself. The value of the credential is as a broker – not a proxy. The major appeal of OpenID is the same appeal that was/is Shibboleth, you know the first SAML implementation: “Control your own identity!”

    I don't think so. You may mitigate information leakage to third parties (or second) through attribute control. You may mitigate against correlation across accounts to learn even more about you. But in the first case once you've released that information, you're at the mercy of Murphy and data storage; and in the second, Aliased id's and limited attributes, to be effective identity protection mechanisms, require the user to know what they are limiting, why, and what effect it will have on their overall net presence. The reliability of any scheme which requires this level of expertise is certainly questionable.


Comments are closed.