Chaotic User Experience
It is mid-2021 and the forces working on Identity Management appear to be converging on religious wars.
The Happy Present
As the number of web sites grew, users were clearly not happy with the idea of an entire book filled with user names and passwords, all of which were different because no one that held your secrets could be trusted to keep them secret. What made the situation even worse was the well-meaning security folk whose efforts resulted in every web site having a different set of rules about how user names and passwords were constructed; complexity rules they were called, and complexity was the result for users. Since none of that worked, the users were primed for a better solution.
Two systems exist today, each has its own set of adherents, and the users seem to have adapted:
- Password managers
- Megalithic social site IDs.
Whenever power is concentrated in one authority, it becomes corrupt. We know that all power corrupts and absolute power corrupts absolutely, so there should be no surprise that the monopoly power of the dominant social network Identifier Providers has corrupted them. It cannot be otherwise. In a capitalist society this behavior is enforced by the market's demand for continued quarter-by-quarter growth in profits. Any manager that fails on that one measure is quickly replaced by one that is more inclined to milk any advantage for improved profit margins.
It is at this point that some reformer tacks their 95 theses to the cathedral door demanding change.
When the established powers see defections from their hegemony, they start to take actions that are mild at first, trying to make the case that the existing status quo is the best one for the users. The theses posted by the insurgents are shown to be inconsistent and incompatible with the insurgents' actual actions. At this point the religious aspects begin to arise. Each side claims to have the "true" religion and that the other's arguments are misguided and even "evil". Logic is no longer the dominant mode of discussion. Eventually the heretics are burned at the stake, or, more recently, in the internet blogs.
Thus began the Thirty Years' War in Europe. With the faster pace of technology we can expect that to be compacted into a 3 year war, but it will seem to the participants to be long and hard fought. Only the victorious princes enjoy the result; the troops at the front line and the non-combatants (you and I) all hate war. It is instructive to note that the last great ID war was fought between Microsoft and the Liberty Alliance founded by Sun Microsystems. Neither of them is evident among the front-runners for Identifier Provider of choice in 2020. This is a good example of both partisans in a war failing to achieve their goals.
The insurgents are called before the legal authorities and asked to repent their sins. In W3C parlance this takes the form of a "formal objection to the director" by the very people who fund the W3C and keep it running. The insurgents are basically freeloaders on the existing structure. But some of the minor princes, or companies that are not fully invested in the existing state of affairs, defect to the insurgents, which gives them hope and a platform to extol their own new religion or "principles". Add MSFT principles here.
So where is the unhappy user in all this? The various religions all purport to be in the business of saving the user's private soul. But does either of the combatants actually ask the user what they might prefer? Not yet, it seems. None of the use cases from either side actually address the user experience. Every use case is just one more attempt at proving that the writer's religion is the best one.
The net effect of religious wars is just to proliferate the number of choices for the user and divide one side from the other. It is time for this to stop, but religious wars seem to be incapable of seeking unity. Each user will need support for the path they travel. The user doesn't really have time to evaluate the claims from different hucksters selling the advantages of approaches, each of which asks for total control of the user's attention.
Who can come up with a happy solution? The Greek theater came up with the "Deus Ex Machina", the god that descended from above on a hoist cranked by a stage hand. That result is much better than another protracted war in which all the users are victimized by one side or the other.
A Better Solution
If we are to avoid the mistakes of the past, it would seem that multiple standards are worse than a single standard. We do have some examples in Identity Management that might help us understand how to avoid another identity standards war.
A Bad Example
The writer was a member of the team at Microsoft that made the decision to avoid one Identifier war by adopting the SAML standard. Like any standard with wide support, it turned into a baroque agglomeration of disparate ideas that became grossly complex and unwieldy. It seemed to flourish for a while, but was superseded by a much simpler standard, OpenID Connect, that was easy for users, thus exposing the fundamental flaw of SAML: it gave no consideration to a good User Experience.