In a comment to my post yesterday, dsr brought up a very good point: trust in identity providers.
Consider — at the moment, the vast majority of users aren’t even thinking about this, but they’re buying into this brave new identity world by default. They don’t care about “unified identity” or anything like that: they’re just enjoying the fact that OpenID and Facebook Connect allow them to remember fewer passwords.
Yet this casual decision, of using your Facebook or LiveJournal or whatever account to log into other systems, may have profound effects down the line. If you use a single identity more and more, across a broad swathe of the Net, it becomes you in some very important ways. The possibility of losing that identity, or losing control of it, becomes ever more painful and problematic.
Pseudonymity actually makes this much worse. When you are known by your real name, you generally have multiple avenues for getting the word out if an identity goes away — if this email address croaks, you can go to your friends face to face and tell them. But if you are only known to a community through a specific online pseudonym, moving to a new one is kind of problematic, since they don’t have good ways to verify the move.
There is a lot of implicit power being handed to these identity providers. Millions of people are beginning to use their Facebook login as their One True Online Identity. That gives enormous power to Facebook — indeed, it’s probably the one thing that justifies their preposterous stock valuation. And few have given any thought to what it might mean to them if, a few years down the road, Facebook were to start slowly making use of that power.
So — do you trust your identity provider? It’s pretty clear to me that I don’t trust any of the major ones very much — are there lesser-known companies that are structured in ways to make them less likely to be abusive? And which are stable enough? That’s the flip side of the problem: you need to trust your provider to not become evil, but you also need to trust it to keep your identity running.
It does all lead me to wonder if there’s another step yet to come, of a more robust, truly distributed identity system, that would not leave your identity in any single hands. Hmm…