I am always confused by the term identity as a service. So I thought I would open up a discussion on what it could mean or what it can bring as a change to the current identity ecosystems. Well, look at the current ecosystems...
They are either
Closed - corporate users, partners or customers
Or Open - web 2.0 based weak credential sharing for collaboration/blogging community
Or Federal - government related (mostly non-web still...)
So Identity can be shared across these ecosystems if we have Identity as a service???
But when I search the internet for identity as a service, people talk about it with respect to the applications that consume these identities... so, all it might need is a way to interact with the systems in these different types of ecosystems. That is nothing new... it's just about interoperability and a common framework. This will eventually lead to more and more specifications. Why are all the leaders in provisioning and web access management using these words then??? Because they address the larger portion of the closed ecosystem... they are happy with doing identity services for the corporates... extending maximum to partners... or to some vendor...
Now what I expected when I began my search for identity as a service was that identity would be a service for organizations, communities like blogs and federal to share identity for the benefit and ease of use for the end user. Like Kim Cameron's famous laws of identity.
It should be acquired by having proper validations... so that the issuer knows that the person applying for it actually exists... (unlike the popular mail providers like Google and Yahoo, where the person at the other end is not even a person, but a machine :) )
Hmm… I am thinking more along the lines of digital identities again, which will lead to another username and password in some directory or database… let me stop here…
We can look at actual identities… People acquire it one time and use it till expiry. Passports... ration cards... PAN cards... The beauty of real world identity is that you choose which identity to use... You may want your passport to be your age proof, but would want to show address proof from only your driver's license...
How do we mimic this in the e-world? Where do we start identity creation? If you see, of late people are resorting to aspects like the national skills registry for validation of your work experience... (Strictly India)... I think registries like that are where the core is when it comes to practicality....
Or let us look at one more aspect... this is very much in line with Mr. Nilekani's UID thoughts. Look at the subscriber base for mobile phones... can't they be tapped as a user base, for mobile is becoming the essence of your existence in the world these days... What do we need in this case? There are PINs available for mobile SIM cards... is there a way to tap into this as a credential? A framework through which you can ask a user to use his mobile number and PIN to authenticate.
Of course, this will be a simple authentication, first factor maybe...
Club it with your banking credentials as a second factor. Internet banking gateways may be exposing some methods in future to just do authentication using web services??? You are covering some good number of the worldwide netizens in this case too... and since a bank will always try to have the safest way of transacting, it is surely a very strong second-level authentication...
Now for the usage of the acquired identity...
The user should be able to use the identity according to his own choices... like not showing a passport to get a satellite TV connection... you flash your driver's license then... so maybe a user should be given a choice on what credential he would need to use...
Same factors that I discussed above... telecom PINs for a weak authentication... banking for a stronger credential... it could be you’re verified by Visa... hmm... too much of pondering...