[kory]

If anything, my bet is the future of identity is more centralized.

Decentralized solutions, as I've read about them in their current form, require a significant amount of technical knowledge to understand. That is, to understand both what they are and, more importantly, their benefits ("why does this specific solution matter to me?"). Past that, the user experience is extremely poor in comparison to clicking "log in with Google", and I'm not convinced it can ever fully get there.

It is for those reasons that I think centralized identity is here to stay long term. Most people aren't going to spend the time to learn about this because they just want the easiest solution and don't care about their data being sold. I know several people in tech that fully understand the extent of how their data is used by internet corps, and don't mind it because they prefer convenience for free. And I think that's OK--it's their informed choice.

Personally, I try to login with email most of the time, and that's the limit of my drive to care about the security of my personal data. But my email is gmail, so I doubt it really makes a difference from login with Google.

[djhaskin987]

In the US, everyone uses credit cards (centralized identity) to pay for stuff.

In Mexico, credit cards are stolen and reamed for all they're worth by criminals. As a result, everyone uses cash (decentralized, anonymous, difficult to use). Everyone could move to decentralized in the face of significant pressure, even if centralized identity is more convenient.

[kory]

All central authorities are built on trust, fear, or complacency. Americans are complacent with the credit card system and trust it for the most part. The Experian breach has shown that breaches of trust are easily overlooked in favor of complacency, at least to a point.

Considering how Americans view other Americans (I hear "stupid" thrown around a lot), I strongly doubt that a decentralized authority would ever gain enough trust in the US to take hold today without a strong historical precedent.

For what it's worth, cash is still centralized. It's made "legitimate" by the power of the central government, and is managed & controlled by that authority. Given, it is somewhat "decentralized" because the value of fiat money comes from the people's agreement that the currency has value. On the other hand, the US dollar's global hegemony exists in large part because of global US Military presence, which is absolutely a "central authority".

[maccard]

> The Experian breach has shown that breaches of trust are easily overlooked in favor of complacency, at least to a point.

I disagree that it matters for trust in CC's. It may have damaged experians reputation, but people still trust amex/MasterCard/visa and their banks, despite Experian being useless. The fact that Experian is required to access those systems is unfortunate, but most people don't deal with Experian directly.

I think people's day-to-day trust in banks is well placed, for what it's worth. I banked with a large bank that fell in 2008, and had less than 10,000 in my bank. My money wasn't affected, I just had to find a new provider.

I've had multiple incidents of fraudulent transactions on debit and credit cards over the last 15 years, and in _every_ instancr, my card provider has sided with me and refunded me the money immediately (even in the one case I was actually wrong and it was a billing mistake). Those amounts we're almost always in the few hundreds.

[asciident]

Considering that the data breach was actually at a completely different company than the one this thread named leads me to believe that the reputation damage is not as significant as you suggest.

[twitch-chat]

It's unfair to say we still use credit because we are complacent. If you stop caring about building a credit score, you will end up paying more money in things like mortgages or car loans. There is a financial incentive to use credit cards (if you don't miss payments) despite the breach of trust.

[kory]

I didn't say it's just complacency that keeps the credit system going. Low friction purchasing (complacency) absolutely plays a strong role. Trust is important, too (but is less strong than complacency) because the system wouldn't be used at all without it, and, to your point, fear absolutely plays a role as well.

[theamk]

Bad example. In Australia, everyone was using credit cards.. but they have PIN code + chip.

If a centralized system is not inept, it can do all the same things decentralized things do and better.

[djha-skin]

PIN codes and chips are used in the US as well, but I doubt a PIN and better encryption would help you[1].

1: https://xkcd.com/538/

[hyperman1]

As I used to work in a high-crime area, I placed fairly low daily and weekly limits on how much I can spend. I have to warn the bank at least 1 day before if I want to spend more. So chip+pin allows for mitigations where cash doesn't

[ohmaigad]

Then with cash it is even easier as it doesn't leave any digital trace.

[mirimir]

In the US, liability for fraudulent credit card use is limited to $50. No matter how much was charged.

[johnmarcus]

Yes, I suppose if we moved to becoming a lawless society fuelled by drug lords....then yes, I can see how the hoops could be worth it.

[hunter-gatherer]

As much as I'd like to see a decentralized solution, I agree with you. I just spent 30 minutes helping my mom (age 60) and brother (36) set up a microsoft family account so they can dictate and monitor my nephews computer usage because [nephews] are addicts.

I didn't even know Microsoft family was a thing, but setting it up and configuring it (from my perspective), was intuitive and simple. My mother and brother however struggled to follow along, an are stressed that they won't be able to manage it.

Most users (even my spouse who is in her late 20's) readily fall into this category. My point is that if configuration requires any troubleshooting it won't reach mass adoption unless it addresses a perceived necessity without an alternative approach.

[fwip]

Beaker Browser is getting close to solving it.

When you visit a website that works with it, to login, you just grant the webpage access to one of your profiles. (I just use one profile for everything, but you may wish to keep some things separate). Then any activity you do can be associated with that profile. No passwords or keys or even email addresses to remember.

[ryukafalz]

I dunno, I think the UX for decentralized identity could be made pretty good. The GNUnet project has one that runs locally but exposes itself with an OIDC interface: https://reclaim.gnunet.org/

It's still pretty early, but imagine a more polished version of that with a user-friendly installer. If you had the software installed and running, it'd behave pretty similarly to e.g. Google's OIDC provider. Linux distros could even preinstall it. (I have no hope that MS/Apple/Google would do the same since they all have their own centralized providers.)

[kory]

That's so so many steps and requires knowledge of so many things. It has the big two fundamental problems, and a major third one:

* Its value prop is poorly explained. As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.

* Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.

* (this is the big one) Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.

This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people. That's why centralized tech co's will probably always do this better than open source. They are customer focused just as much as technology focused.

Unmonetized open source projects tend to focus more on technology than user experience. That's why you see regular people using monetized software and developers using open source to build monetized software.

[ryukafalz]

>As an engineer with a CS degree, I still barely understand what it's talking about (what's an "identity attribute"??) without some digging.

It's not really ready to be used widely at this point. Given that, the fact that the documentation is currently more oriented towards developers working on identity software is fine, I think.

>Even if the value prop was well-explained, it's still very high friction compared to "Sign in with <Service I Already Use>". Why would a user download an installer and deal with managing all of their accounts? There's a secure, anonymous, easy, centralized option that does it all for you (Sign in with Apple). That service does it so well that you only have to click a button to log in or sign up. Nothing else required. That isn't achievable without a central authority managing everything for you.

Sure, installing software is higher-friction than using a centralized service, but it's not that much higher friction. It's not like people don't install software all the time. (And again, this is something that could easily be preinstalled by your OS vendor of choice, which would make the experience very similar to the centralized providers'.)

>Your local machine is a major point of failure. If you lose your local machine and haven't backed up your accounts, you just lose access, right? The only solution is either set up a server with periodic backup (too much friction for regular users) or a centralized authority that stores them for you, which defeats the purpose of all of this.

Yes, this is a big one. No, I don't think those are the only two options. You could sync them between devices if you have more than one (phone/laptop?), you could store them on a user-specified data storage location (think MIT's Solid), etc. I acknowledge that it's a problem, but I think it's a tractable one.

>This project, to me, falls into the "cool technical stuff category". It's obviously built for "geeks" (lack of a better term) and not for people.

I think you're looking at the project as it is, and not as it could be.

[sascha_sl]

All people still somewhat understand is federated identity, and that's becoming less prevalent.

Though a weird set of coincidences I often get support tickets about people using or enrolling in TOTP escalated to me. These people have never used an authenticator, except for the company-mandated Microsoft authenticator. Not only do they simplify the concept thinking there's just one code for everything (e.g. microsoft token are used for AWS, don't worry these people only have access to some S3 stuff) they also extrapolate that because Microsoft sends them a push notifications, AWS must too, and they didn't get one, so it's obviously broken.

Email is slowly losing this awareness too. The only remaining analogy that's probably not going away is getting your credit card from a bank while they still work on the same network.

[edoceo]

Couldn't the UX just be improved and deliver the benefit while hiding the complexity?

[summerlight]

It's more about a fundamental design trade-off rather than removing accidental complexity coming from UX. Currently, most of us delegate the responsibility of identity management (other than memorizing id and password) to one of big-techs, presumably much better at this area than 99% of us. In the fully decentralized world, the burden of proof is now up to users. And they usually don't really care about the best practice for security, privacy and reliability. Technology may improve over time so the equation will get better, but I don't expect this dynamic to change that much.

[christophclarke]

On the other hand, however, the outcomes of a breach are vastly different. An individual who fails to secure their information is liable for only their information. If a "big-tech" is compromised, they are liable for everyone's information.

If users are still unwilling to run their own infra, then that seems like a great opportunity for Identity as a Service. I'd feel much more comfortable handing identity to a firm whose entire business model revolves around securing my information and protecting my privacy rather than a big-tech.

[tudorconstantin]

"I'd feel much more comfortable handing identity to a firm whose entire business model revolves around securing my information and protecting my privacy rather than a big-tech." - in order for that company to be rock solid, trusted by most of the world and with a proven track record of top notch security, would mean that the said company is a big-tech.

I would call okta, auth0 and iWelcome big-tech already, even if they're not FAANG-level big tech yet.

[kory]

This is a great point that I hadn't thought of. Well said.

I'd rather, as a company, risk managing all of my users' identities (vulnerability to a data breach, mitigated by a well-trained security team) than trust my users to manage their own security well and inevitably deal with a mass amount of compromised accounts.

As a user, especially if I'm not technical, I'd have a strong bias towards handing my identity to a team that's spent years studying computer security. Managing my own identity would involve learning a lot about computer security. That would take a lot of time and I'd really have to care about it to do it "right". Regardless, I'd likely get a lot of things wrong, leading to my identity being more insecure than if I had just stored it with someone like Apple.

[kory]

The UX isn't the most looming problem, but it's one that needs to be solved. My question is: How in the world would you convince people to use keys to verify their accounts to one unique, anonymous, identity, as the OP suggests? I just don't see it being something people would spend the time to do. Not to mention, getting to a "Login with Google" level of UX, available as universally as "Login with Google", would be extremely hard without a centralized authority.

The bigger problem is convincing people that it's worth switching. Apple is the closest to doing this with "sign in with Apple". "Sign in with Apple" hides your identity from the client site, the value prop is clear for the user, and the process as close to frictionless as possible. But the solution is still "centralized". Apple stores all of the information to make the system as frictionless as it is.

[api]

Yes, but that requires an economic model. UX is often well over 90% of the work for a product and usually includes a ton of work that is not much fun and people have to be paid to do.

Centralized has subscriptions, advertising, and "surveillance capitalism." Decentralized has nothing. I had some hope that cryptocurrency would provide some kind of mechanism, but cryptocurrency was taken over and destroyed by scammers and bad money drives out good.

The lack of an economic model is IMHO why decentralized solutions have not succeeded, not technical challenges.

One possibility would be to abandon the free as in beer part of open source ideology and go back to just charging for software, but licensing and payment add friction and it's very hard to compete with "free" options funded surreptitiously via surveillance.

BTW the fact that cryptocurrency was destroyed by scammers and criminals highlights a second huge issue: it seems to take the efficiency, executive ability, coordination, and direct human guidance of a centralized system to resist bad actors. This is why even the most democratic countries have mechanisms to phase shift into dictatorships during emergency or war. I have yet to see a decentralized system that became popular and was not instantly destroyed by black hats.

[EGreg]

The lack of an economic model is IMHO why decentralized solutions have not succeeded, not technical challenges.

You’re right. This lack needs to be addressed for us to progress.

How about this model? Would like feedback: https://qbix.com/token

[zbyte64]

The model intentionally guards against data harvesting. I think that is great but unless users are willing to pay for that the existing "free but we collect data to manipulate you" will receive more capital.

[EGreg]

So since you have one identifier, companies can track you across all domains.

They can find out if you are a user of sex.com or dangerouspoliticalopinions.com

They can do this by trying to register an account with your email address, and being told it was already registered.

Here is a tool that allows anyone to do it:

https://www.quora.com/Is-there-a-way-to-know-which-all-sites...

https://brandyourself.com/blog/privacy/find-all-accounts-lin...

[mirimir]

Yes, exactly. Attempts to register with an email that's already used will fail, and so adversaries check whatever sites interest them.

However, I believe that would fail for those using Google or Facebook authentication. But I can't test that, given that I don't have an account with either.

[kortilla]

Everyone? Unless the sites publish a list of logins for everyone to read the only one with that knowledge would be the identity provider.

[EGreg]

Not at all. See above.