Network-based services are becoming increasingly pervasive. For example, electronic commerce services are widely available and appealing for both individual consumers and businesses. From a consumer perspective, an abundance of services offers flexibility and economic benefits. Internet-based businesses or service providers routinely maintain an account relationship with their customers. Customer databases that include identity information facilitate and increase the integrity of transactions. Identity information helps a service provider deliver value to its consumer. Further, customer directories and data are important business assets. From the service provider viewpoint, a well-developed customer database creates revenue. A customer database enables targeted marketing and extended functionality that increases customer loyalty and generates business goodwill.
In a typical service provider framework, each service provider maintains a distinct user account database. For a user or consumer, this often means that the user must create a unique account with the service provider to access the services. One difficulty with this conventional identity framework is that it hinders service provider usability. For example, the user is required to enter repetitively similar identity information for each service provider, such as name, mailing address, and telephone number. Because user accounts are distinct for each service provider, the user must be singularly authenticated (e.g., a password-based login) for each service provider. The user also must remember or securely store the account name and password used for each service provider, which further frustrates and inconveniences the user. Because each service provider requires a unique account name, a user may have many different account names and identity profiles for various service providers by necessity. Alternatively, in the conventional context, a user may desire many different account names to reduce the likelihood that service providers will be able to engage in the unauthorized sharing of a customer's personal information. Thus, because of these complications, users may be highly selective of service providers or prefer to restrict their usage of network-based service providers.
Centralized identity methods address some of the limitations of the conventional identity framework. Centralized technologies can reduce the amount of repetitive data entry required when users access various service providers. However, the privacy and security of centralized identity data are paramount user concerns. Centralized identity technologies typically create a global name that is used for multiple affiliated service providers. A central authority stores the identity data and disseminates it to the service providers. The central authority may permit some user control over the information that is available to the service providers. The service providers could, however, collude to violate the user's privacy preferences because of the common visibility of the global user name. Further, a physical or an electronic breach of security at the central authority could expose large amounts of identity data to theft or to tampering.
From a service provider perspective, an additional problem with typical centralized identity methods is the control or ownership of the customer database. The central authority could impose restrictions on the service provider's use of its customer directory. This could have the undesirable consequence of restricting the service provider's ability to generate revenue from a valuable business asset.
Additionally, other identity approaches have been network- or application-specific implementations. One disadvantage of these approaches is that they are often limited to homogeneous networks or operate only with specific computing devices. For example, a network- or application-specific single sign-on architecture may enable a user to access the resources of a local or a closely administered service provider, but not resources offered by other service providers. Therefore, network- or application-specific approaches are often limited in scope to local or closely administered environments and offer a user few convenience benefits outside of these environments.
What is therefore needed is an identity architecture that is decentralized or distributed for user authentication and storage of identity information, that provides single sign-on and single logout convenience for users, that permits users to link accounts and to set enforceable privacy controls, and that provides for delegation of services among service providers.