TIIME 2015 Session 9: IDPs of last resort: user-centric identity

Convener: Laura Paglione

Abstract: IDPs of last resort: user-centric identity - unique challenges

Tags: Guest IDP, User-centric Identity

Notes

What are IDP's of last resort, what different models are available? What can Orcid deliver and what not, and is ORCID an IDP?

Session Summary:

1. Described several IDPs of "last resort" that are available - several participants are running, designing, building and/or using systems like these

2. Talked about the traits for IDPs of "last resort", particularly that context matters

3. Discussed, "Is ORCID an IDP?"

Main issues discussed

Survey of IDPs of last resort

What is an IDPs of last resort? – Concept of long lived identity, protected network,

There was a situation where an IDP started offering free identities for people who needed them, though after some time some IDPs disappeared.

Sample IDPs of last resort:

• umbrella project in EU

• Social accounts (Yahoo, Google, .net)

• Leif's project (UnitedID)

• Pete's project

• Jim/Scott's project

ORCID is a user centric system which allows the control of information shared with organisations and people while controlling trusted relationships with organisations.

LP: interested in discussion about the user / federations where an institution manages, is related to that person, how does it work. Does it replace the version of it?

Aud: Out guest identity provider is social, we are using social media as last resort.

I.e. Yahoo, in middle income countries / Mali / facilitate deployments with IDPs.

People don't have internet access in Africa, on research side – these are mainly doctors, medical personnel, scientific research staff, laboratory, many of these people are affiliated with local institutions (universities), but even they don’t have that infrastructure ready and we help them do that / also do this research in other parts of Africa.

Q: is this sufficient for your needs?

A: it’s not ideal.

We should obsess less about the fact that we keep multiple IDPs around, the notion that Google/FB are better or worse, for some of users it’s a safety thing, allowing people the choice on what identity they want to go with – I’ve been arguing that instead of trying to pick one you should make a history of your IDPs. We have many guest IDPs of last resort, that doesn't really work in global co-operation. We have no clue about local guest IDPs of last resort and will force user of using only one.

Also: we are focused on the 80/90 percent, for some this question is life threatening / this is what you should expect from unaffiliated, we should produce a list of IDPs of last resort

LP: FB/google identity – is there expectation for switching it?

- It is a common misunderstanding that people expect unification. People are usually not comfortable with using multiple identifiers.

Participant: we should allow the user to make a decision.

If that means we have to provide a little bit of structure around the IDPs, fine.

• Google is not going to give you ECP
• You could have some kind of list that the identity provider
• This IDP is generally available for people who don't have one yet

Other topics?

I wonder if, over time, what’s happening when people have only one loyalty programme.

• This has been discussed for a long time, it never happens. I don't know that people put up with it or whether it’s a choice, I think people are thinking about it more, I also believe that that prediction is helping about.
• Choose not base decisions on the notion that people will surround behind one single loyalty.
• Federation is almost becoming an anti-pattern for people, they want to multiply their identities - no federation is going to give you anything.

Q: wouldn't your biggest worry be the liability of a password store? How am I protecting my password store?

Q: will ORCID be an IDP?

Tricky question, we are just identifier – why is this question coming up?

• Your target audience is exactly the kind of people we are developing that for
• How does it affect the eco-system, when everybody gets linked to everything always?
• You’re basically creating, i.e., foundations where it’s hard to break a relationship - what information can get lost today? What interest does the community have?
• Even when you say ORCID is not an IDP, for me it is
• ORCID provides a persistent identifier for many years; now integrated into many websites
• The term IDP has so much attached, when we say were not – in a way were closer to Google ten years ago, we have password issue for now, it is not well suited for any kind of transaction – information what users controlling is publically accessible, you can log in with ORCID, it can be set up all you get from that is an identifier.

Participant: semantics?

• The assets behave like an IDP, she's telling you what she is capable of taking liability for you say you get a name from ORCID, so what, without authentication.
• ORCID should say: here’s what you should the ORCID name for, here’s what you shouldn’t use it for.

How do you stop people from acting irresponsible? -- You can't!

• As service provider we're thinking about using ORCID, in a few years
• I’d like to have a statement from ORCID that says what ORCID can provide.

I.e., always provide an option, don't force people into a single choice.

Conclusion

Q: What can ORCID deliver? What not?

Q: Is ORCID an IDP?

When people say IDP there's a lot of implied meaning, and ORCID may or may not provide all of the components that people mean. Users can log in to ORCID and ORCID will provide the service with an ORCID identifier, but it isn't suitable for access to resources that require high level security.

Added later after session: InCommon IDPoLR Working Group Final Report (targets IDPofLR for research and scholarship, not general users) is at https://spaces.internet2.edu/display/IDPoLR/IDPoLR+Working+Group+Final+Report