Identity Business Models


Session: Tuesday, Session 2, G

Conference: IIW 10, May 17-19, 2009 (complete set of notes)


Convener: Lars

Notes-taker(s): Christie Grabyan

A. Tags for the session - technology discussed/ideas considered:

  • Business Propositions for Identity Providers
  • Liabilities
  • Customer Value Propositions

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

1. Business Propositions for Identity Providers

  • Discussion around whether there is a business model for identity by itself (i.e. identity as a service)
  • For a business model to succeed, you don’t have to generate a profit, but you do have to generate revenue in order to be sustainable
  • How do you monetize the value of providing identity?
  • Identity as a service does not seem to provide inherent value. It is identity + some other service that creates the value. What is going to incent the customer/consumer to want to go through the process of allowing increased identity data to be shared, for example? Equifax sells identity to consumers but it is because they provide a value proposition to consumers in the first place.
  • It is agreed amongst the group that a single or universal identity is not an option

The following ideas for business propositions for identity providers were discussed with some evaluation on the level of value or the willingness of an entity to pay for that service:

| Business Proposition (Finding business opportunities in the world of identity) | Value (is of monetary/business value to a 3rd party) | Pay (Would an entity pay for it?) |
| --- | --- | --- |
| Access to Customer Base | High | Low / ? |
| Identity Verification/Trust | High | Possible |
| OpenID Provider Certification | High | High |
| Data Sharing (leveraging data associated with one’s identity, i.e. shipping address) | High | ? |
| Abandonment | High | |
| Trustable Assertions | High | High |
| Payments – Avoid PCI | High | High |
| Liability Insurance | ? | |
| Reputation (for both customer and merchant) | | |
| Convenience – standard UI | | |
| Consulting Services (around providing identity) | | |
| Neutral 3rd party/Broker for identity (i.e. non-profit) | | |
| Cross Promotions | | |
| Privo – Permission-based Marketing | | |
| Traffic Patterns | | |
| Authentication as a Service (Multi-Levels) | | |
| Trustable Attributes | | |

It was reiterated and discussed that most of these business propositions combine identity *plus* something else (i.e. Payments, Data Sharing). Many of these propositions do not generate direct revenue from identity alone, but they are associated revenue streams that rely on identity. Additionally, some of these propositions are not necessarily identity issues, but they are things to overcome in order to be an identity provider.

Identity providers were discussed and ICAM (Identity Credential Access Management) was mentioned. The US government as a relying party doesn’t pay for it, but IdPs do pay for the ability to be an IdP.

One opinion is that credit card brands and e-commerce sites (VISA/MC/Amex, Amazon, eBay) are IdPs already in existence that cover the majority of issues/people.

The question was posed: How do you solve the naming issue between these identities already in existence? Others disagreed with this view, saying that naming standards are not the issue and that identity is more than just authentication.

Also, what is the business value for Amazon/Facebook, etc. to share identities? They already have such strong brands. For example, if a customer wants to buy a book from an independent bookseller who also has a presence on Amazon, they are more likely to purchase through Amazon itself than the seller’s own site because of trust in the Amazon brand and the level of assurance it provides consumers.

2. Liability insurance

Questions: What happens if your account gets compromised? Who is responsible for that? (i.e. Amazon eats the cost of a merchant or customer account being compromised; they take on the liability)

Discussed Liabilities:

  • Compromise
  • Brand compromise
  • Loss of control
  • Cost of compliance (HIPAA, SOX, PCI)
  • Identity theft
  • Account portability

3. Customer Value Propositions

  • Fewer Passwords / Ease of Use
  • Data Portability
  • Trust (buying from Amazon vs a small player) / Trust Broker
  • Aggregation of data (i.e. Mint.com, or aggregate purchase history)
  • Social Reputation
  • Auto-fill forms
  • Social Reputation (i.e. Facebook)
  • Financial Reputation (i.e. use Equifax to prove your financial stability to a bank or landlord)
  • People Discovery (i.e. LinkedIn)
  • Service Discovery
  • Personalized Recommendations
  • Access Control (to use the employee example of de-provisioning)
  • Authentication Convergence
  • Personal Ownership of Data
  • Pseudonymity
  • Outsourcing relationship management (See a supporting paper for this by Bob Blakley at Burton Group at this blog address: http://identityblog.burtongroup.com/bgidps/2009/02/relationship-paper-now-freely-available.html or this download: http://www.burtongroup.com/Guest/Idps/RelationshipLayerWeb.aspx)
  • A-to-Z guarantee

Final discussion was a debate over OIX and whether it can/will solve the IdP problems in the industry or not.