Identity is broken

A couple of days ago I was setting my mom up with a new Dropbox account. She is not great with technology so we were screen-sharing while my mom was going through the install process. All in all, the setup was straightforward. If you don't have Dropbox yet, go ahead and install it, you will see for yourself.

Once we got to the account registration page, it got interesting. Mom typed in her First and Last names and then asked me whether she should use her regular email and password, the same password that opens her email. Of course, I said no and explained that she should use an alternative password, but I bet you if given the choice, she would ask the same question again. After all, it's our fault.

My mom isn't the only person who has problems with the email+password combination in my family. My grandpa, who is almost 80 now, has had this problem for the last couple of years, since he started using a computer. Time and time again I've tried to explain, in person, over the phone, with diagrams, with examples ... Explaining web 2.0 to a guy who is used to an analog world just doesn't work. It doesn't work for him and I am certain it doesn't work for others. What we've designed doesn't fit an analog worldview, so it is not their fault. Logins and passwords are simply not that intuitive.

Think about it. In the real, analog world, we usually have a lock and a key. For the most part, one key only opens one lock and you know which key belongs to which lock. In the digital world, however, we are allowed to enter into many-to-many relationships. You may have multiple locks (websites) and multiple keys (passwords). Not only that, but all of a sudden whenever we approach any lock, we are now required to tell the lock who we are (to give our username). In the old world, the lock belonged to you and as long as you had a key, you could access it without a problem. In the new world, even if you know where to go and you have a key, the lock is oblivious to who you are and until you can prove your identity, you would not be granted access.

Now, isn't that silly! Tight security might make sense if you're trying to access the CIA, where aside from accessing your personal files you could also access billions of other files, but if all you want is to share some cat pictures, current security systems are too much.

You see, the obvious solution is to pick an easy to remember username, thus only asking you to remember the matching password. This is when most websites (including mine) resort to using emails as usernames. You still need a key (password), but your lock no longer interrogates you on the way in. Using email as a login is convenient, but it is a terribly broken system.

Email is where most people spend most of their online time and email has a one-to-one relationship with your identity. You have an email and you have a password for it. Your email will always respond to the said password and you never have to prove that you are, in fact, the owner of your email. But, for reasons of convenience (to developers), we break this relationship on every other website.

We broke the identity, but can we fix it? In my opinion, we can, but only if we enable the internet as a whole to accept a better standard. Facebook is trying this with the FB login. You no longer have to remember anything but your FB credentials. For everything else, just give a website permissions and voila! This is an incredibly powerful approach and I am surprised that Google, out of all companies, hasn't caught up yet.

Gmail-based authentication makes perfect sense. Most sites are already asking for email, which is probably Gmail for many users. Google has the money, technical chops and enough people to make this happen. Most importantly, with Google Plus being the ghost town that it is, we don't have to worry about our social information leaking across these websites.

Sure, some websites already offer Gmail authentication, but most that I use are still on Facebook and I am not a big fan. In fact, just the other day I wanted to try Airtime, but couldn't. For whatever reason, I am okay with Zuck having access to some of my data, but I really don't want Sean Parker anywhere near it. Don't ask me to share my friends with you, don't ask me to let you see my pictures, don't ask me to let you read my wall while I am asleep and I will be happy to let you authenticate me.

Identity is broken and it isn't clear how to fix it, but we really should. Still don't believe me? Listen to this TED talk, maybe David Birch could change your mind.