OpenMined / opus

Apache License 2.0

Identify SSO Providers that will bolster the strength of the identity of the user signing in #15

Open carrollgt91 opened 4 years ago

carrollgt91 commented 4 years ago

SSO Providers

I want to go ahead and start fleshing out my thoughts on which SSO providers we should look at, and examining the value they each bring for each of the primary goals of this project: a) Identity Verification - how much value will this service provide for the purpose of verifying the validity and uniqueness of the person in question? b) Data Verification - what data does the service provide access to, and have they taken any steps to verify this data?

As I’ve been digging into the various APIs, I’ve been realizing that there’s very little formal validation for many important attributes about a person. And even when a service does do more formal validation they don’t actually expose any of the corresponding data via their API, as it’s not terribly relevant for most of their use cases. See the Coinbase section for a great example of this. Even services that have a very robust identity verification component (i.e. √) do not allow you to access that information via their API, even when other quite sensitive information is exposed.

Given that’s the case, I believe that the most utility we can gain from the existing SSO providers will be for use-case a). If you have 10+ SSO accounts, including ones that verify your identity behind the scenes, such as banks/Coinbase, and ones that have fairly-sophisticated anti-botting mechanisms, such as Facebook, your proof of identity will be quite strong. In contrast, if you just sign up with Facebook and Twitter, you’ll not have a very strong identity. This is why making it very smooth integrating all of these SSO providers is so crucial.

So, in the interest of opening up the discussion, what SSO providers would accomplish this?

Here are some I've researched already:

Facebook

None of the fields we can get from Facebook are verified, and therefore the transmission of this information is not very useful. However, the fact that they have anti-botting measures in place means they are decently useful for verification of individuality, especially in contrast to a more botting-friendly platform, i.e. Twitter.

Twitter

At face value, and for unverified accounts, we can glean very little information from Twitter. However, accounts that are of public interest can be verified, which allows for verification that the individual in question has access to a verified account. This could be very useful as a proxy for showing that folks have some certain access levels for certain public institutions. Probably not strong for use case a), though, as typically more than one person has access to these verified accounts, and they're tied to organizational identity as opposed to individual identity.

Coinbase

Age verification for Coinbase accounts: see https://help.coinbase.com/en/coinbase/getting-started/authentication-and-verification/identity-verification.html. In fact, they only require a phone number until you invest over a certain amount or want certain other features (such as transferring currency to another Coinbase user).

Banks

This is about as good as it gets in the USA for b). Due to federal regulation, bank account holders are required to be above 18 and have a state ID. Therefore, if you SSO into your bank account, we can make a single call to verify you have an active account, and voila, we've got a pretty strong proof of identity here. As for a), while many individuals have bank accounts with more than one bank, this is still a strong proof of individual identity.

https://developer.bankofamerica.com/CPODevPortal/apidocs/public/#/get-started

There are plenty more to discuss.
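The reasoning in the comment above (a bank or Coinbase login that verified a government ID counts for a lot, an anti-bot social login counts for a little, an unverified or organizational account counts for nothing, and several linked accounts at one provider do not make a person more unique) can be made concrete as a small scoring function. The code below is an added example written for this page, not code from the OpenMined/opus project; the provider attributes, the weights, the `STRONG_THRESHOLD` and the sample accounts are constructed assumptions chosen to illustrate the argument, not published values.

```python
"""Combine several linked SSO identities into one assurance estimate.

Added example, not code from the OpenMined/opus project. The attributes
attached to each provider, the weights and the threshold are constructed
assumptions used to illustrate the reasoning in the issue.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LinkedAccount:
    provider: str            # e.g. "facebook", "coinbase", "example_bank"
    verified_identity: bool  # provider checked a government ID behind the scenes
    anti_bot: bool           # provider applies meaningful anti-automation controls
    organizational: bool     # account represents an institution, not a person
    claims: Dict[str, str] = field(default_factory=dict)  # attributes the API exposed


# Assumed weights for use case a) (identity / uniqueness).
WEIGHT_VERIFIED_ID = 3   # provider verified a government ID (bank, KYC'd exchange)
WEIGHT_ANTI_BOT = 1      # provider only makes bulk account creation expensive
WEIGHT_UNVERIFIED = 0    # neither: the login proves little about uniqueness
STRONG_THRESHOLD = 5     # assumed: e.g. one verified-ID provider plus two anti-bot ones


def account_weight(acct: LinkedAccount) -> int:
    """Weight of a single linked account toward individual identity."""
    if acct.organizational:
        # A verified Twitter account is shared and tied to an institution; it
        # says nothing about the uniqueness of the person, so it adds nothing.
        return 0
    if acct.verified_identity:
        return WEIGHT_VERIFIED_ID
    if acct.anti_bot:
        return WEIGHT_ANTI_BOT
    return WEIGHT_UNVERIFIED


def combined_assurance(accounts: List[LinkedAccount]) -> Tuple[int, str, List[str]]:
    """Return (score, level, warnings) for a set of linked SSO accounts.

    Each provider is counted once even if linked several times: two accounts
    at the same bank do not make the person more unique. Conflicting values
    for the same claim across providers are reported so a reviewer can look
    at them instead of the score being accepted automatically.
    """
    best_per_provider: Dict[str, int] = {}
    first_seen: Dict[str, Tuple[str, str]] = {}   # claim key -> (normalised value, provider)
    warnings: List[str] = []

    for acct in accounts:
        w = account_weight(acct)
        best_per_provider[acct.provider] = max(w, best_per_provider.get(acct.provider, 0))
        for key, value in acct.claims.items():
            norm = value.strip().casefold()
            if key not in first_seen:
                first_seen[key] = (norm, acct.provider)
            elif first_seen[key][0] != norm:
                warnings.append(
                    f"claim '{key}' differs between {first_seen[key][1]} and {acct.provider}"
                )

    score = sum(best_per_provider.values())
    if warnings:
        level = "review"   # inconsistent claims: do not auto-accept
    elif score >= STRONG_THRESHOLD:
        level = "strong"
    elif score > 0:
        level = "weak"
    else:
        level = "none"
    return score, level, warnings


if __name__ == "__main__":
    # Constructed sample: two social logins plus one bank login.
    sample = [
        LinkedAccount("facebook", False, True, False, {"name": "Ada Lovelace"}),
        LinkedAccount("twitter", False, False, False, {"name": "Ada Lovelace"}),
        LinkedAccount("example_bank", True, True, False, {"name": "Ada Lovelace"}),
    ]
    print(combined_assurance(sample))
```

With these assumed weights, Facebook plus Twitter alone scores 1 ("weak"), which matches the comment's point; adding a bank and Coinbase login pushes the total past the threshold. The warning list is the practitioner's caveat: a high score should not be trusted when the providers disagree about who the person is.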