Passport vs OpenID vs Facebook Connect

My post yesterday on Facebook Connect raised a few eyebrows. I had a few discussions with people, and a comparison of consumer identity solutions past and present may provide some context. (I have excluded InfoCards as I see them as a strong, enterprise-grade solution that is currently too heavy for general consumer use.)

Passport

Microsoft rolled out Passport in 1999. There was much concern that Microsoft would control an essential component of the Internet, and many other industry players rallied around Project Liberty (an apt name) to provide an alternative. Passport was rejected by the broader Internet community, and while Liberty mobilized an industry, the Liberty solutions were also rejected by the Internet community. Why was Passport rejected? If you have seen any of my earlier talks, you have seen a list of points:

  • Cost: Quoted price was $10,000 per site. Out of range for small sites.
  • Installation: Proprietary code supplied by Microsoft. Big sites using open source were not all that keen to put some proprietary code into a critical part of their infrastructure. Unix code was problematic to install and get running.
  • Functionality: SSO, minimal profile at times.
  • Centralization: Although Microsoft announced in 2001 that enterprises could run their own federated identity servers, it was not an open environment, and the perception that the system was Microsoft-controlled was firmly entrenched in the market.

In spite of this, a number of sites did integrate support for Passport. It was hard to turn down removing some of the friction in getting at the 165M users — even if only a small percentage of them knew they had a Passport account. The Passport user experience was (and is) reasonably straightforward. You see a graphic indicating that the site uses Passport, and you click on it. You type in your Passport credentials if you don’t have an active session, and voila, you are logged in.

Now re-branded as Live ID, the system is still by far the largest authentication system in the world and permeates most Microsoft web properties.

OpenID

As an author of the OpenID specifications and a promoter of user-centric identity, I clearly have a bias towards OpenID. With no entry fee, open source libraries for all the major web platforms, the promise of rich profile exchange, and no central control, OpenID 2.0 seems to address all the issues of Passport (and Liberty).

But concerns about security and usability abound. Both SREG and AX exist for moving user profile data, with many OPs opting out of providing that functionality. With AOL, Yahoo!, Blogger and now Orange and MySpace being OpenID providers, there is a large install base. Similar to the early days of Passport, though, the vast majority of those users don’t know they have an OpenID. But even if they did, using OpenID on a relying party’s site is inconsistent, and frankly, typing in a URL is pretty geeky to most users.

Facebook Connect

Facebook has had some tools to leverage Facebook accounts in the past, but Facebook Connect looks to add substantially more value to a site. Let’s start with the user experience. The user sees the familiar Facebook logo on the site and knows they can use their Facebook account. The user clicks on it, goes to Facebook, and then goes back. This is a pattern the user is familiar with if they have installed a Facebook app.

The relying party has access to a rich set of profile data that includes the user’s social graph. Additionally, the privacy settings the user has already configured for their profile data are used to determine what gets exposed to whom. The site does not need to manage the privacy settings, and there is nothing new for the user to configure.

From the user’s point of view, there are hardly any barriers to having a rich experience on a site using Facebook Connect. You get to see the familiar profile photos of all your friends on the other site, the people you have blocked can’t see what you do, and your inner circle of friends gets to see deeper information than your casual friends. All with a few clicks of the mouse.

The killer feature, though, is something that will be hard for other potential platforms to do. Facebook strives to only have real identities. In the participatory web, the enemy has been the lack of accountability. Trolls pollute the conversation, spammers fill the web with garbage, and promoters try to game the system. Facebook kills off accounts that are not real people. I know. We had an account for Sxipper on Facebook. Sxipper only lived a few weeks. With the rich profile and feed data that a real user has, the barrier to creating what appears to be a legitimate account is very high. For many Facebook users, losing their Facebook account would be a catastrophe — so the motivation to behave is high for many — which is why there is little spam in Facebook. Put this in sharp contrast to the barriers to creating an OpenID at Yahoo!, Blogger, AOL or MySpace. (There are few, Orange being an exception for OpenIDs associated with their customers.) Other social networks such as MySpace, Orkut etc. can’t provide the same level of assurance of accountability.

But OpenID has ____ …

Yes, there are far more users with OpenIDs. OpenID fits into the vision of the Open Web. There is so much more that can be built on OpenID. And what about the Digg screenshots at F8 showing OpenID in addition to Facebook Connect? Digg is going to want to try and keep Facebook honest, and they understand that some users will reject helping Facebook create a monopoly on identity, so it makes sense to support OpenID. But for your average user, the experience of using Facebook to log in will be vastly superior. OpenID may be the desktop Linux to Facebook’s Windows. A geeky solution for the rebels.

… and the issue is?

Facebook Connect provides great value to the user, great value to the site, and deepens the dependency of the user on Facebook, which is great for Facebook. Not so great for Facebook’s competitors. While I empathize with the competitors, we live in a capitalistic society. I am concerned that a centralized identity store is a bad thing for the Internet and will delay the arrival of Identity 2.0.

Facebook will have little interest in moving around rich claims from different providers. There is no clear value to them as a consumer-grade site to implement strong security. While CardSpace can provide these richer identity transactions, for many sites Facebook Connect will be “good enough”. It will be interesting to see how the next few months unfold, how the rest of the web platforms respond to Facebook Connect, and whether a new “Liberty” emerges to prevent Facebook from building an identity monopoly. With any luck, everyone including Facebook will come together and build Identity 2.0.