Five Easy Pieces of Online Identity

Every Internet service that has a concept of users has to deal with identity. And for anything social (which seems like everything these days) identity is a huge part. For the Internet as a whole, there are battles waging to "own" identity—or, at the very least, not let someone else own it. And there have been efforts for years to make identity more manageable for users and to put control in their hands.

So, identity is an important concept. But I've always found it a confusing one. I think that's because it's ambiguous in most discussions what "identity" means.

A while back, Twitter's CTO, Greg Pass, and I created a framework I've found useful for thinking about all this. We reckoned there there are five different things people mean in different contexts when talking about identity and the Internet. (There are probably more, but these are key.) Each of these are offered as features of different services. Sometimes they are combined, sometimes they're not. And sometimes companies outsource these features to other services. With these pieces in mind, you can look at different companies, services, and protocols and realize which pieces of the identity puzzle they offer (or perhaps should).

I thought this might be useful framework for others, so, I present to you, the five pieces of online identity:

1) Authentication

Question Answered: Do you have permission?*
Offline Equivalent: Picture ID or keys, depending on method.

There are various ways to check if someone should have access to something. At my Gym, to get in, it's with my membership card. At a bar, to get a drink, it's your state-issued picture ID (or my receding hairline). And for your house, it's probably a key or code. On the Internet there are different methods, as well, but that vast majority of services use a simple username and password, which is lot like a key.

There have been many attempts create "single sign-on" solutions, both decentralized and centralized, so people can walk around with a single key and get into everything they need. These solutions, whether Microsoft Passport, or OpenID, have historically failed to gain much traction, both because of strategic risk on the side of the service provider and usability problems for individuals. Recently, however, Facebook, and to a lesser extent, Twitter and others, have gotten traction providing outsourced authentication. This is because, by itself, it's not worth the trouble to use third-party authentication, but when combined with other aspects of identity (plus distribution), it gets more interesting.

2) Representation

Question Answered: Who are you?
Offline equivalent: Business card. (Also: Clothes, bumper stickers, and everything else one chooses to show people who they are.)

Back in the day, us web geeks thought everyone needed (and would want) their own web site with a custom domain. Turns out, that's a pretty high bar, and not even that useful for a lot of people. But most people online have "profile pages" on one or more services. People also choose profile pics/avatars and usernames to represent themselves.

Obviously people care a lot about how they appear to others in the real world. Turns out, they do online, as well. They spend tons of time (and sometimes money) working on representing themselves. Representation is a large part of any social network, but some more than others. MySpace thrived in its day by enabling a mainstream user base to endlessly tweak and customize how their pages and, thus, how they appeared to others. Facebook is less centered around the page design aspect, but lots of other actions there and elsewhere online are about representation, at least in part, from joining groups, to uploading pictures, and selecting your friends.

For professional representation, LinkedIn is clearly the leading service. But the purest-play representation service is probably, which is pretty brilliant. It focuses on offering a simple, attractive page that gives people a much more "me-centered" representation than anywhere else (short of a custom web site) with minimal cruft or other obligations (such as friend requests, messages, or content creation).

(Google Profiles seems to also be pure representation, as well, even though Google offers communication and other identity features separately.)

3) Communication

Question Answered: How do I reach you?
Offline Equivalent: Phone number.

As the Internet has evolved, communication and representation (as well as the other aspects of identity) have become more integrated. A phone number gives communication without representation. That is, you don't know anything about someone based on their phone number (save for geography). You know a little bit more about someone from their email address, but not much. (Aside: Because there were fewer options for representation back in the day, it seems people used to think a lot more about what their email address should be.)

IM handles are another form of identity that is centered mostly about communication. AOL's AIM was very popular as a pure communications tool. Then ICQ came along and added (minimal) representation (profile pages and search) and became a popular place to meet people, rather than just talk with those you knew. (AIM later added profile pages, as well.)

Why has the same thing not happened with email? There are hundreds of millions of people on HotMail to communicate with but no way to find them—or to find more information about someone who's sent you a message. Tools like Rapportive are exploiting this by adding a representation layer to email communication.

4) Personalization

Question Answered: What do you prefer?
Offline Equivalent: Your coffee shop starting your drink when you walk in the door.

Identity on some services is all about making the service better for a user. For example, My.Yahoo! is the same as regular Yahoo!, except you can more easily get to the stuff you care about. There was a wave of personalization hype on the web a few years back when getting people to create accounts was the big challenge. Now, of course, it's de rigor for a service to be personalized based on who you know and what you like.

What's fairly new, however, is outsourcing personalization data. Personalization engines were outsourced a long time ago, just like authentication services. Facebook Connect's big play was combining authentication with personalization in a way that helps make a service someone may be using for the first time immediately more useful or interesting.

There are other unexploited opportunities to take this approach. After all, not all your preferences can be determined based on whom you know. Google and Yahoo! have offered authentication services to third-party sites for years. They don't seem to be widely used. However, to my knowledge, they've never offered the additional benefit of automatic personalization—despite having tons of data about most of their users. There are obvious privacy complications to doing that, but those would be possible to overcome.

It looks like Hunch is doing a pure-play personalization service. I don't know their plan, but if you could tell any site you logged into what your Hunch ID was and have it immediately customized to your preferences, you'd be motivated to tell Hunch more and more stuff. And it would be a big benefit to users and sites if you could keep a centralized repository of preferences and data about you that you're willing to share. This isn't how Hunch works at present, but you might be willing to share simple non-secret facts, like that you use an iPhone and drive a Prius and live in California, which could let services customize themselves to you (and, among other things, make ads more relevant).

5) Reputation

Question Answered: How do others regard you?
Offline Equivalent: Word of mouth/references, credit agencies.

Though talked about a lot, reputation is probably the least developed of these five pieces in the online world. In the offline world, though, it's built into all our interactions and choices. To me, this suggests it will get more important online when we figure out how to do it right. Ebay is the classic example of making reputation a large part of identity. Many other services have an internal reputation score of some sort, usually as a way of combating spam and other abuse.

For spam-combating purposes, there are back-end systems that major email services use to check reputation of servers and domains. To my knowledge, no one has successfully exported reputation in a way visible to users. Maybe that's part of the trick. One's reputation isn't really visible to them in the offline world, either.

What's Next?

Online identity is still a messy problem with lots of opportunities. I predict we'll continue to see further integration of the five pieces by all major players, as well as more attempts to outsource these services across the Internet.

Hopefully we'll also see more attempts at decentralized services that offer these features, as well.

Will there be a day when there's one true identity system? While the big guys will keep getting bigger, I don't think identity will be "owned," per se—at least not on the open Internet. As we transition to a mobile-dominated Internet (and a more closed one), things are going to play out much differently, however. (I have another post in mind about that.)


  • Though Greg and I conceived of the five pieces while thinking about Twitter's strategy, I wrote this document outside of Twitter and with an Internet-wide perspective. I.e., you can't surmise what Twitter is going to do from this post.

  • Though not presented in that order, a useful mnemonic for remembering the five pieces is the following acronum: CRAPR

    * From a technical perspective, authentication defines who someone is and authorization defines what they have permission to do. However, I didn't find that terminology useful for my purposes here.