Yesterday I participated in the IdentityNext Unconference and made some notes I would like to share about the following topic:
The business case for Service Providers entering the Identity Provider Market…
The business case for companies outsourcing Identity Management to ‘The Cloud’.
It is often said that both business cases are two sides of the same coin and that a ‘Chicken and Egg’ problem compounds the issue with Service Providers (SP) not entering the market due to lack of a clear demand, while Relying Parties (RP) see the absence of mature service offerings as a sign that the time is probably not ripe for seriously contemplating outsourcing Identity and Access Management (IAM) to an Identity Provider (IDP).
The IdentityNext unconference provided a stimulating and creative environment for some of the best-known industry experts to shed some light on the issues standing in the way of consumer adoption and accelerated market growth.
We heard from representatives of the Nordic countries that in Scandinavia the banks have taken the plunge, creating a joint IdP proposition with transaction volumes approaching a million a day. The business case is based solely on reducing the risk that results from incorrect or fraudulent identity data. Uptake and re-use of the Bank Identities outside the financial industry, however, is disappointing.
We also heard from Belgium, where an eID card has been rolled out for several years to the entire population of 10 million. The Belgian eID card has been designed to be re-used for e-Commerce, and a web site exists listing eID-enabled applications accessible on the web by all. While at first sight the list looks impressive, the reality is that the user experience is often disappointing, and apart from signing on-line tax returns on the web, the Belgian internet public at large has not really taken this electronic credential to heart, and neither has Belgian commerce or industry. That is in spite of this being, in fact, a ‘free’ resource. People probably find it too clunky and can’t be bothered to pick up their free eID card readers.
So here we have it. Outside of a few Baltic countries and one or two homogeneous island states like Singapore, the re-use of centrally issued electronic credentials in everyday electronic transactions remains the exception rather than the rule.
While cost/risk reduction can, in some cases, justify the capital expenditure associated with building an IdP infrastructure and keep it ticking over nicely, this is not the kind of business case that will excite the Board of Directors of a large Bank or Telecom and convince them this will grow into the next Google or Facebook success story.
Saving risk-associated costs is all well and good, but by definition there is a limit to growth if you base your business case on opportunity costs alone.
The winning business case formula must produce a win-win-win scenario for Service Provider, Relying Party and the User Subject at the same time.
This means the IdP business case must have all of the following ingredients:
- Reduce the risks of dealing with unknown identities for RPs
- Cut costs out of business processes for RPs
- Cloud-based transactional model, scalable on demand with no up-front Capex
- An incentive for the user to partake in it by sharing rewards.
This means a transaction-based scenario where, as with some credit cards, there is a kick-back to the user as well, which can initially be as small as earning loyalty points or getting a discount on your next booking or purchase. This way we will get an ecosystem that has the potential to break the laws of gravity and allow us to proclaim we finally have ‘Lift off!’