In a number of recent blogs I have discussed the emergence of an online identity verification marketplace -- most recently in a blog about the just completed NSTIC launch. Of course the emergence of the marketplace depends on someone paying for the services received. No payment, no marketplace. So who should pay for identity services in this new marketplace? Today, at least online, organizations and individuals aren't used to paying for this type of service, so it is an area that all participants need to come to terms with for this marketplace really to take off.
Let's first review the parties that are involved in such a marketplace so that we can better consider the question of who should pay. First there is the user, for whom ultimately all these enabling security services are provided. Next there are the identity providers and attribute providers (may or may not be the same entity) who provide the identity verification services as well as verified attributes (age, address, citizenship, professional credentials etc.) about the user. And finally there is the relying party or service provider - the entity with the application(s) that the user would like to use.
So who should pay for these identity verification services, the user or the relying party? As an aside, I recognize that some identity providers are willing to provide their services without a direct cash payment, but in these cases I would argue that they must be receiving value in some indirect way from someone. However for a broad and deep market to occur actual cash payments will need to be part of the equation for most situations.
While there is logic which supports both the user and relying party paying, there are also some challenges for each actually doing so. While of course the identity verification service is being conducted ultimately to enable the user to get access to sensitive applications, the users often don't bear the direct cost of poor identity verification and thus may not feel compelled to pay for a better solution. While there is precedence in the offline world of users having to pay for their identity to be verified - national IDs, passports, and notary services - this hasn't yet translated into the online world. My view is that for very specialized services, such as for professional verification - a radiologist licensed to practice in Massachusetts - users might be willing to pay, but for general, mass-consumer uses, I think users will expect someone else to pay on their behalf.
This brings me to the relying parties. I believe they are the entity that is best positioned to pay for using an outsourced identity verification service. After all without such a service it is up to the relying parties to conduct identity verification on their own, thus any rational entity should be willing to pay a little bit to avoid a larger cost. This is even without considering the potential cost savings that result from reduced online fraud that comes with more rigorous verification that specialized providers could likely provide. So why aren't relying parties rushing forward to identity providers with cash in hand? I believe one factor is that many relying parties don't fully recognize the cost that they currently bear for the identity verification steps that they conduct today themselves. These costs are largely buried inside other process costs, such as account opening costs or the opportunity cost of not having an online relationship at all with a user.
For this marketplace to thrive it is important that all participants shine the light on the current costs of online identity management and how a marketplace for identity verification could help reduce them for everyone.