
I don't see either company as good examples.

I have or can have a single authentication identity to instagram/facebook and youtube/gmail/google. I might have a separate profile/persona on instagram/facebook or youtube/gmail but the sign in is the same identity. Yes instagram does have its own segregated identity infrastructure, but its identity brand doesn't get reused anywhere but instagram.

This article was about identification and authentication, not necessarily what you do with the services once you are logged in.




I generally don't want to link any of my accounts - especially when I'm paying for the service - to another system. I don't trust Facebook, Google, Twitter, or any other company to act as a centralized place for managing my identity. And given Zuckerberg's statements on the idea of having multiple identities online, I trust Facebook even less than the others.

But they have profiles, which are designed for not a single identity.

But you don't have separate identities for Youtube, Gmail, Meet etc. For a federated internet, you should have the same ID for all federated services so that you can build the same product experience as with Apple or Microsoft or Google.

Your justification for tying everything together, not only a single method of signing on but a single pervasive identity, was just that ... it's a single person using the things. That's not a very good justification. And your example of a Good Thing that comes from it, by way of contesting my claim that youtube and gmail (or g+) are conceptually distinct, used something else entirely, involving email and planes. (And actually I would prefer those things not to be done automatically!)

Does it identify you as the same person to two different websites? I.e. Is it for building up advertising profiles like google or facebook logins?

Doesn't that lead to the problem of having to have multiple identities again?

ATM, I have a FB account that I can use to log in to some sites, a Twitter account, a Google account, a Yahoo account, etc.

With potentially everyone being able to be an Identity Provider, what happens if a site recognizes some providers, but not others? Does Persona ensure that, regardless of Provider, I can use one login on all sites?

Furthermore, how does it protect me from the site gathering and aggregating all kinds of information about me (which, admittedly, they probably already have)? There's usually one overarching, way-behind-the-scenes entity handling the data aggregation for many sites (i.e., Facebook) which leads us right back to where we are now.

Or is that part not addressed by this solution?


The problem with merging identities is that people don't want them to be merged.

I want a firewall that separates identities. The identity that I use to connect with my mom and in-laws should be separate from the one I use to post on tech forums. The identity where I share baby pics with my wife's friends should be separate from the identity where I comment on death metal videos. If Google requires them to be the same - I'd rather delete some of those identities and stay anonymous/logged-out, not merge them.


The important issue is that we might want different identities for every protocol. Right now, lots of people prefer to have different identities on youtube than on gmail.

The identity discussed elsewhere in the thread seems to be personal identity (the kind you use for deeds and titles.) I'm mostly referring to digital identity (the kind where you manage more than one social media persona and switch between identities contextually.) Where personal identity and digital identity meet, maybe it's helpful to disambiguate which kind of identity we are talking about. Otherwise discussions can be complicated by overlapping use of the word "identity".

I really like the general idea of decentralized identity. Personally I'd prefer to keep my identities on different apps/platforms mostly (99%) separate. It seems to me that giving an adversary a map (especially usernames and email identities) of your online presence is a bad idea especially if they get access to one account and get some private details they may be able to use to socially engineer their way into other accounts.

The thing about a single online Identity is that there should be no way for it to be revoked against the will of the person it identifies. In real life I am who I am, and unless I choose to change that, no-one can legally take my identity from me.

There's been too many horror stories of people being locked out of their Google or Facebook accounts by Google and Facebook, even for the most minor of infractions, and that person immediately also losing access to all the other services they used 'Sign in with...'

Until this problem is solved, I will never switch to a single online Identity for access, and I certainly will never use my Google or Facebook account to register with third party services.


For the most part. My example was more a bipartite pattern, because I was covering the authentication aspects, not the entire identity structure (which I believe Facebook and LinkedIn would implement as the article outlines). For a system where you don't need to track multiple social identities, and where you interact within that system through your identity on that system, that's probably enough.

It solves a few problems as mentioned below.

Every single form of your identity right now is mediated by a third party.

Your email. Your Instagram. Your Twitter. Your phone number. Your bank account.

Not only that, but each one is independent of the other. That's 5 different accounts with 5 different providers. Each of them has a vast infrastructure and duplicate copy of everything about you and everything about everything else. Each one of them has an off switch to your identity that they can freely flip on a whim with no recourse available to you.

If you invert that and say that your identity is no longer mediated by any specific entity, or array of entities, it is mediated by a provably neutral public infrastructure that is completely opt in and costs only the amount that is proportional to your usage.

Now the identity resides with the user, not any third party, which means they have full control over it, without having to rely on any one entity that can fail or turn against you.


> There should be multiple identity providers

I think we already have that: Google ;)

The only difference is that Google doesn't provide identity verification, only identity validation when you have previous knowledge of a Google account being associated to a user account.


Identity, Single Sign On, and 'information gleaned for marketing' etc. are all different overlapping issues.

Truly there are almost zero situations in which an entity needs to know your real identity. Your bank, surely, but you go into the bank to do that.

Single Sign on via Google and FB is now normative because they're ubiquitous and convenient, and of course, FB IDs come with a greater possibility of legitimacy, and nice FB pixel marketing data.

I suggest that there is something that could work, it just needs to be put forward by a credible entity that for whatever reason feels it's in their interest, whereupon those interests are not entirely conflicted with the individual's right to privacy.


It's not. You seem to have misread the article. moot's saying that it's important "who you share as" not "who you share with". G+ doesn't allow you to have multiple identities, it allows you to share in different contexts with the same identity - which is fundamentally different.

Besides, it's a very bad idea to leave identity management in the hands of a third party anyways, and the last third party I'd trust with my identities are Google and Facebook. Call me paranoid all you want, but identities are something you manage yourself - nobody should be trusted doing it for you.


I absolutely do think that reasonable ordinary people find this situation confusing. As do password managers. IAM identity is not exactly a widely understood concept. I doubt if most people entirely "get" the distinction. Google (our instance) pretty much forbids crossbinding like this. I've had non-Google accounts refused as bootstrap identity in ads and gke because they were just used elsewhere on Google for authorising access.

I'm reluctant to delete duplicate Amazon entries in 1password and bitwarden in case I still need them, for some distinct IAM.


So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.

There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a github/gitlab/codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.


OT, but:

Having one identity also means putting all your eggs in one basket, which in turn means you'll get banned from all products under the umbrella ownership, should you screw up something. Or get compromised. Or just have bad luck.
