One future direction for online identity

I have been trying to figure out how to organize my thoughts after a conversation I had with Ryan Kelly today. They are still unorganized, my apologies.

Ryan asked me a couple of months ago how we, as Mozilla, could leave our mark on "identity on the web".

Identity on the web is a big subject. We have so far focused on authentication and authorization, and for good reason. We gain "skin in the game" as Mark Mayo put it a while ago.

Now I'm asking myself, what problems still exist that current identity systems have not yet solved or have shied away from? What problems are worthwhile to tackle because fixing them will make people's lives better?

A few great ideas have already been tossed out - better backup, and a smoother experience for browser-integrated services. Fast profile switching is one I'd like to add to that list. These are worthwhile incremental improvements that we should do. Each is challenging in its own right, but none make me think "wow, we are really pushing things."

The UK government is doing work that I find inspiring. Gov.uk Verify is a middleman of sorts, an identity broker between a user, an identity provider, and an online service that requires a verified identity. The setup sounds a lot like Persona, but their aspirations are much easier to understand and convey. They want to eliminate online fraud by providing verified identities to services that need to ensure the person interacting with the service is indeed who they claim to be. The relying services are currently other government agencies such as HMRC (the UK equivalent of the IRS) and DVLA (drivers licensing agency). The government is not actually the identity provider, rather a list of several external companies like Verizon, Experian, and several banks are. The user gets to choose an identity provider from the list. The verified identities have multiple levels of user data exposure, depending on the needs of the service and the user's willingness to provide the data - from a basic email address at the lowest level, to very personal information like a home address in higher levels. When I spoke with the tech lead of the project, he expressed how the larger goal is to allow any UK company that requires a verified identity to become a relier. A verified identity that includes a user's home address would be a major boon to online retailers - in the majority of cases users would no longer need to fill in their shipping address, and retailers would have peace of mind knowing that charges are almost certainly not going to be reversed.

Credit card fraud hit me personally a few weeks ago. I opened my last credit card statement and noticed a 400 pound charge at an online sailing goods store. I may live on a small island where no point of land is more than 75 miles from the sea, but I'm not a sailor. Somebody got ahold of my credit card details and made a purchase in my name. I called my bank and had the charge reversed, but only after a stern warning from the operator that if they suspected me of lying or if the store refused to reverse the charges, then I would still be liable. I hung up the phone thinking "it's 2015, how is credit card fraud still a thing?"

The UK government is doing a lot more work around mixing online and offline identities. Much of their research is posted online.

While these concepts may not fit in with Firefox Accounts as it stands today, I think these are the sorts of ideas Mozilla should be exploring if we want to push the notion of online identity forward.