Monday, November 15, 2010

Ubiquitous Identity

The idea of having one account/identity to rule them all isn't new. Folks have tried it in the past (Microsoft's Passport, now Live ID; OpenID; AOL; etc.) and it never really seemed to get traction: of all the sites a person would visit, the vast majority would still require you to create a *new* account and re-enter ALL of your details. Within the past year that seems to have started to change. Facebook, Twitter, Google, and others all provide authentication hooks (many using OAuth) so that you can log in to a different site using the same credentials you use for FB, etc.

This is interesting for a couple of reasons:

  1. It basically guarantees that you will ALWAYS be signed into FB, etc. If there are times when you're not regularly using Facebook and perhaps your session has even expired, Facebook Connect (used to link up your account and provide your Facebook identity to a different site) will refresh your Facebook session.
  2. It centralizes authentication for basically the entire Internet, which makes it a pretty big target... Break my Facebook account and you have access to lots of other accounts that I have. I suppose it's arguable whether a person's digital presence is more secure with distributed accounts, but at a minimum they make things a little harder for an attacker, and if the user uses multiple strong passwords it's a good deal harder.
  3. It creates a huge moat for Facebook and cedes them a lot of power. Don't like what they're doing with your account (or in general) and you're inclined to cancel it? Think again: it's going to be a pain to re-set up all of those other accounts, unless you plan on losing access to other things you care about.

Generally, I'm not a security- or privacy-conscious person, but the more I think about this the more it seems like there should be some central/regulated/neutral authority for identity and authentication.

Tuesday, November 2, 2010

Build Assuming a Paying Customer

I've been working on turning a site I built a while back into a site I could charge for. When I built it, I assumed that:
  1. I was building it only for myself.
  2. If I ever wanted to open it up to other folks I wouldn't want to charge for it because it'd obligate me to maintain it... So I'd monetize by advertising, associates programs, etc.
Realistically, you have little chance of building something that will generate enough traffic to make money off of advertising, so stop fooling yourself. On the other hand, if you build something useful (and if it's not useful, then why the heck are you building it?) you can probably charge for it... Maybe not a lot, but $5/mo or something, and 1000 people paying you $5/mo is nothing to quibble over.

So don't be dumb like me, because when you do turn it into a pay service you'll discover all sorts of work that you didn't do the first time. Such as:
  1. Documentation and help sections
  2. Authentication/security needs
  3. Permissioning and roles
  4. Missing editing functionality that you always figured you'd just do by hand
  5. Scaling problems that you were ignoring because it'd only ever be for a handful of users
  6. Ugly UI that you tolerated because no one really cared