Traditional web services that require at least the creation of a unique user identity and the establishment of a shared secret (e.g. a password) can be provided such that only those in possession of the shared secret are allowed to access the resources associated with that user identity. In this way, the user can place some degree of trust that the information left in the care of the web service, for example their name, address, etc., is only available to themselves and the operator of the web service. Conversely, the web service can build up a history of interactions with each user in order to offer a more personalized service. Also, web services can make different services available to each user, for example based upon the level of subscription paid, with a reasonable expectation that access to each user account is restricted to a single person.
Transactions between users and web services often require the web services to collect further information from the users, for example, credit card details, real name and address, insurance details, etc. Additionally, some web services may require access to the user's accounts on other web services; for example, LinkedIn may request access to a user's Gmail account in order to suggest additional contacts.
While the above activities may be needed to establish relationships and to deliver services via the web, they are repetitive, time-consuming and sometimes complicated for the user. Furthermore, the user may also end up with many copies of personal information, such as their address, being held by different web services, which presents a potential security vulnerability. In addition, many web service providers would rather not hold personal information. For example, if the web service provider is subject to a security attack and this information is inappropriately revealed, liability and reputational damage can be incurred. Many web services only hold information because it is necessary to give an acceptable user experience, e.g. avoiding a user having to re-enter payment or address details for each transaction. Many web services would prefer not to have to store this information, or even to handle passwords, preferring instead to outsource account creation and storage to other organisations, such as Google.