PayPal Is an Identity Provider

It would seem that PayPal is now an identity provider. I’m not surprised, and in fact I think it’s a good move. I said as much in a post nine months ago.

Think of it: if you want a strong identity, you want one that is backed by financial information. That makes banks great natural identity providers. But financial institutions don’t seem to be interested in this space, and/or regulatory issues are in the way.

Enter PayPal. The strength of their identity is backed by financial accounts and the fact that they can abstract accounts at any financial institution. When they use bank accounts they are providing a very strong identity, because the identity had to have been verified by making a deposit to the bank account.

There are a couple of gotchas to PayPal entering this space. These relate to how PayPal does business. One issue is they are constantly trying to force you to use your bank account for payments rather than your credit card. That leads to customer distrust and customers playing games with PayPal. For instance, I use my wife’s account for a lot of payments because it’s configured to use our bank account. But then I use another account, my own, in different situations. Thus I am logging in as my wife in certain situations.

How this relates to identity is as follows. Today I registered for an event via EventBrite. I used my wife’s PayPal account to pay for it. I am now attending my next event as Nancy. The point is that a PayPal account does not necessarily have a 1:1 association with a person.

Another gotcha is that the PayPal login experience is painful. OpenID is a failure because it involves a redirect. Redirects are painful. PayPal uses a redirect. To make matters worse, PayPal likes to try to sell you things every time you log in. I avoid the PayPal button whenever I can because the payment process is not smooth. I’d rather just enter a credit card number. I find it less invasive and painful and, of course, credit cards have a more robust dispute process.

The last gotcha is trust. I trust banks. Well, I mostly trust banks and they seem to be well regulated with regard to consumer privacy. I certainly trust them to not move money between accounts without my initiating or approving the transaction. But I don’t really trust PayPal.

The gotchas above are a few of the reasons I trust PayPal less, but there are other reasons as well. They freeze accounts when they don’t like what you are doing (example here). They pull money out of your bank account to fix problems you might not agree with. Their dispute system sucks (first-hand experience on this one, or read this example). When there is a problem they are in denial and are virtually no help. Customer support is just not very good. Perhaps PayPal could take a refresher course on Branding 101!

Having an entity like PayPal act as an identity provider is a superb idea. They can abstract strong identity from virtually any financial institution. My recommendation to PayPal would be that they lift their game so that they can act the part. I am not confident they can because of conflicts of interest with their own monetization goals. In fact I suspect the opposite will happen and they will exploit their identity success to further their monetization goals.

Does this leave an opening for a competitor? Maybe, but probably not. PayPal is the big fish in town with the most strong identity accounts, so someone looking for a strong identity partner doesn’t really have anywhere else to look.

Where would you use a strong identity? Are there enough sites requiring this type of feature to make it worthwhile? Is this just for commerce, as Russ Jones at Glenbrook suggests? Or is there an application for strong identity in non-commerce situations?