In part one of this series of three posts I attempted to describe the authentication and identity management environment that currently exists within the information industry. Next I’d like to look a bit more closely at the areas of personalisation, usage metrics and usability. These are all areas that hold significant challenges for online identity; issues which have particular bearing on the Web 2.0 services we all accept now as an established feature of mainstream internet use.
Personalisation
The ability to personalise and customise web sites is taken for granted in the Web 2.0 world. We are now used to logging on to services such as Twitter, Facebook and Google and being delivered into environments that we can customise and personalise to our own needs.
The expectations of users within this new world provide problems for identity management, which, as we saw in my last post, has to use an infrastructure that was never designed to cope with such user requirements. The danger is that too inflexible a system might act as a brake, or even a deterrent.
Flexible identity management solutions are critical to the uptake of personalisation services because they lower the barriers to access to new services. Commenting on a blog post must be made as simple as possible, yet in order to preserve my online identity in any comments I make it is essential that I can authenticate myself. The barrier here in many cases is that I don’t want to register yet another username and password with each blog site I visit in order to identify myself. One solution to this is the OpenID protocol which allows me to log into participating third party sites using the identity that I’ve already established using an identity provider such as Google, Yahoo or Flickr. Few publishers have so far adopted the OpenID standard; notably Reed-Elsevier have set up an OpenID identity provider, IDkee; let’s hope OpenID authentication is soon to be implemented for their flagship site Science Direct.
Many current publisher sites provide personalisation features but these functions tend to exist exclusively within the publisher’s own silo. If I store bookmarks or reading lists within one publisher silo, there is no way to share these with my social contacts across the web. If I contribute to a discussion within one publisher platform, that discussion tends to stay behind the paywall of the silo. Why can’t I call up a view that shows my comments across all the publisher sites I use on the web?
Usage metrics
If the multiple identities we all have to maintain within the Web 2.0 world provide problems for users trying to access services, they also cause snarl-ups at the back-end of the process – with the tracking of usage by providers of those services.
Usage metrics are important for publishers. Mainstream web analytics software and techniques tend to focus on general trends and usage patterns because it is not straightforward to reliably identify individual users, but for publishers, identifying institutional users and correctly accounting for their usage is critical in delivering industry reports compliant with the COUNTER standard.
However, the COUNTER model does not even begin to address the complexities that can arise when multiple identities are in play. For example, I might need to express three different levels of identity at the same time:
- My own personal account, for content I have purchased for my own private use.
- My department’s subscription to an information resource (not shared with the rest of the institution)
- My institution’s identity and its subscription rights to an online resource.
In this scenario, when I access a piece of content online in a publisher platform, the access could be accounted for at any one of the three levels above. The COUNTER standards do not currently cover this type of compound identity problem.
The semantic web also presents a serious challenge for usage metrics. Once facts are published in the linked data cloud, measurement of usage becomes impossible: those facts could reside in any system or platform and are no longer under the control of one publisher.
Usage metrics are important for publishers not only as an accounting tool – they also help publishers to improve the usability of their services. And usability is another critical issue bearing on access management.
The Shibboleth protocol was set up as a way of making things easier for users accessing services, and to streamline this question of multiple identities somewhat. However, Shibboleth itself has turned out to have some usability problems.
Usability issues
If Wikipedia required users to login with a personal username and password how much would it affect usage?
This question aside, the federated nature of the Shibboleth single-sign-on system means that in order to log in users first have to confirm where they come from, in order that they can be directed to the correct identity provider. This problem is further compounded by the large number of identity providers in the Shibboleth system (740 in the UK Federation alone). Asking a user to select from a list of 740 places is clearly a significant barrier to usability.
OpenID based systems don’t have the problem of large federations, since anyone, potentially, can set up an identity provider service. The usability challenge here is to pick the simplest list of providers and give the user an alternative way of entering a full OpenID URL if their provider is not on the list. Again, another usability challenge most users would rather not face.
Finally, and not to be forgotten, is the thorny problem of logging users out of a service. In a single-sign-on environment the problems with single log-out are surprisingly complex. It requires coordination between all the sites a user has visited and, combined with the difficulty in educating users that logging out is even necessary, presents another usability challenge.
Conclusion
Identity management plays a key role in the Web 2.0 world and this being so, Web 2.0 tools need to step up to the privacy and security challenges raised by the new software models of the API-driven web. In particular, thought needs to be given to these key issues of personalisation, usage metrics and usability.
I have one further post to deliver on the subject of online identity. This will consider the question of how close we are in reality to delivering on what has been called Online Identity 2.0. And I’ll also be examining a further trio of key issues key for the semantic web: provenance, trust and authenticity.
Share this page
Richard Padley
Managing Director,
Semantico
Another interesting article. Thanks! With regard to OpenID, my perception of this is that it is susceptible to phishing attacks. We (a publisher) would also want to see more widespread adoption before implementing support.
Hi Rob,
The OpenID phishing issue is really only a problem when you visit a site you don’t know or trust. When you log in to such a site, and its a phishing site, its possible to capture the OpenID username and password you use. This type of attack can also take part with the Shibboleth system.
However if you visit any phishing site your username and password can be captured.
As long as users can identify and trust the publisher site they are logging in to, then there is no greater threat of a phishing attack from OpenID.
Given the volume of Google users alone who already have OpenID accounts by default, I would say there is already significant adoption of OpenID.
Open ID usage with web 2.0 is on the increase and I have used it a fair amount, especially through blogs. Identity management and the saving of a person’s identity to be used for other website using the same web 2.0 technology would be beneficial. Saving time when creating new passwords or profiles from website to website would help, although Open ID is not that widely used at present. An issue with the management software could be security and possible unwanted posting.