idPlace, a provider of unique IDs using OAuth


I think the image best explains how other ID providers fail in one way or another.


Why is uniqueness (sometimes) necessary

Imagine a taxi app that lets people log in and appear as taxi drivers. If one doesn't make sure that the ID is unique, it will quite soon be the resourceful drivers who create hundreds of IDs and thereby get far too much market exposure relative to other drivers; the taxi app would effectively be sabotaged.

Why is it important not to bundle too much other data with the ID (like Facebook etc. do)...

...because people are reluctant to use these accounts, since so much other personal data is stored with them and they can't be certain of what data is being shared.

One day this might change, and people may become more confident using Facebook for logging in. But Facebook is still a commercial company, and it could be good to have something as central as an ID register not tied to commercial interests.

So the idea with ...

... is to have an ID service that takes some extra steps to ensure that the ID is unique. Of course it is not possible to be 100% certain that no fake accounts slip in (even Facebook says that a few percent of its accounts are fake).

I think that if you make it clear to the users why it is important to prevent fake accounts, then they will accept that you compare the data to external databases and that you ask for data such as a national identification number (social security number).

To respect the user's integrity, one should also make it very clear that the user can delete their own account at any time. And by using open-source / free code, users can verify how the software works.

How to maintain the register and find / prevent fake IDs

Idea 1:
Relay the problem to the relying-party site (the taxi site, in the taxi example), which in turn can relay the problem to the end relying party (the taxi customer).

I see two kinds of malicious use:

1) Users who create fake (multiple) accounts.
To deal with this problem one could ask for data like which schools you graduated from and which classes you were in. This is something that the public (other users) are likely to check, and they may also help to spot fake IDs.

2) Users who aren't consistent with the data they supply, ...
... for example pretending to be Swedish in a Swedish referendum and Norwegian in a Norwegian referendum.

To deal with this problem one can store the point in time when a piece of data was changed. This gives the age of each piece of supplied data, like email-age, name-age, mother-tongue-age etc., and also account-age for when the account was created.

Using the referendum example, the referendum app (the site that presents the result of the referendum) can simply summarize nationality and "nationality-age" in histograms and allow the end users (those who want to see the result of the referendum) to sort/filter on those data. If the histogram shows a very large stack of people with a very short "nationality-age", it will most likely be detected by alert visitors, who can easily disregard those votes.

Using the taxi-app example, the taxi customer could single out taxi drivers who have, for example, a long enough account-age. The account-age basically translates to reputation in the eyes of the end customers. E.g. an account-age of ten years gives much more confidence than an account-age of one week.
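As an added example of the "age of data" idea above (not code from idPlace): a constructed register with made-up account ids and timestamps, a "nationality-age" histogram as a referendum app could show it, and a filter that disregards votes whose nationality claim is younger than a threshold. The attribute layout, bucket edges and account names are assumptions made for this example.

```python
from datetime import datetime, timezone

def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample register (made-up ids and dates). Each account stores its
# creation time and, per attribute, the current value plus the time that value was
# last changed; these timestamps give "account-age" and "nationality-age".
# acct-3 is brand new, acct-4 switched nationality two days ago.
NOW = _ts(2024, 6, 1)
ACCOUNTS = {
    "acct-1": {"created": _ts(2014, 3, 2), "nationality": ("SE", _ts(2014, 3, 2))},
    "acct-2": {"created": _ts(2012, 1, 9), "nationality": ("NO", _ts(2012, 1, 9))},
    "acct-3": {"created": _ts(2024, 5, 28), "nationality": ("SE", _ts(2024, 5, 28))},
    "acct-4": {"created": _ts(2020, 7, 1), "nationality": ("NO", _ts(2024, 5, 30))},
    "acct-5": {"created": _ts(2019, 1, 1), "nationality": ("SE", _ts(2019, 1, 1))},
}
BUCKETS_DAYS = (7, 30, 365, 3650)  # histogram edges, chosen for this example

def account_age_days(account, now=NOW):
    return (now - account["created"]).days

def attribute_age_days(account, attr, now=NOW):
    """Days since the attribute's current value was set (e.g. nationality-age)."""
    _value, changed_at = account[attr]
    return (now - changed_at).days

def bucket_label(days):
    for edge in BUCKETS_DAYS:
        if days < edge:
            return f"<{edge}d"
    return f">={BUCKETS_DAYS[-1]}d"

def age_histogram(accounts, attr, value, now=NOW):
    """Count accounts currently claiming attr == value by how long they have
    claimed it. A large stack in the youngest buckets is the warning sign."""
    hist = {f"<{e}d": 0 for e in BUCKETS_DAYS}
    hist[f">={BUCKETS_DAYS[-1]}d"] = 0
    for acct in accounts.values():
        if acct[attr][0] == value:
            hist[bucket_label(attribute_age_days(acct, attr, now))] += 1
    return hist

def filter_votes(votes, accounts, attr, value, min_age_days, now=NOW):
    """Keep votes whose account has held attr == value for at least min_age_days;
    new accounts and recent switchers are dropped, the vote content is not read."""
    return [(acct_id, choice) for acct_id, choice in votes
            if accounts[acct_id][attr][0] == value
            and attribute_age_days(accounts[acct_id], attr, now) >= min_age_days]
```

The same helpers apply unchanged to the taxi case: replace the nationality attribute with account_age_days and let the customer pick the minimum age they trust.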

Idea 2:
A further way for the taxi driver to increase the taxi customer's confidence is to tie his account to other OAuth providers with unique IDs (like Facebook), either at the ID-provider level (at idPlace) or at the taxi-app level. The account then gets boFacebookVerified=true (in programming terms), something that the taxi app in turn can relay to the taxi customer. It would serve somewhat like a CE marking on goods you buy.

Idea 3:
Another, more direct way to get rid of fake accounts is to purchase other registers and compare against them.

Idea 2 (continued): An item you buy in a store may carry different "badges", which make it easier to hold manufacturers with brand names responsible for whether they actually do what they claim.
In the same way a taxi app could relay, with a badge, that an ID (a driver) is for example "Facebook-verified". (And this without revealing the identity of the driver.)

See also