I’m Dick Hardt[1]. Over the last twenty years, I’ve led the design of identity standards (OAuth 2.0, JWT) and systems that you and billions of others use every day.[2]
You know that these systems don’t always work in your favor. Each is bespoke and most, if not all, of your identity is locked up in these silos. I called this out in my Identity 2.0 OSCON talk in 2005 where I popularized a user-centric identity vision.[3]
Unfortunately, we have failed to realize the vision of user-centric identity: of giving you control of your identity. We have far too many passwords. Identity theft is rampant. Online interactions are either tedious or risky. In short, internet identity is a disaster today.
Most proposals today to give you control of your identity require you, your applications, and the issuers of claims about you (such as your bank or government), to adopt a new technology - a three-sided cold start problem.
I founded Hellō to take a different approach -- an abstraction layer that lets you use the technology and identity you already have -- that’s operated by a not-for-profit co-operative.
The Hellō journey did not start with building a product -- it started with exploring how to resolve the risks of a central service, and finding organizations aligned on the vision. Once three industry-leading organizations joined as founding corporate members of the co-operative, we built and tested our PoC, our MVP, and then our developer console.
Hellō is available for you to use today. We have a demo at https://greenfielddemo.com. Several apps use Hellō today, and many are exploring adoption. If you are building a new app, you can tick off most of your identity tasks in a few hours if you use Hellō. Details at https://hello.dev
We’d love feedback on your experience.
In contrast to other identity service offerings, Hellō does not help the developer manage and store user data -- Hellō helps the user manage their data and share it with the developer. The Hellō business model is to charge (in the future) an interchange fee of a few pennies for each new verified claim the user releases to the application. There is no MAU fee. No fee for authentication. No fee for users. No fee for issuers.
We expect you have more questions.
https://www.hello.coop/pages/approach.html describes:
- Our approach
- How the cooperative works
- How we’ll fund Hellō with smart contracts
- Our guiding tenets
- How we protect people’s privacy
- Our architecture
Thanks for reading and trying! Please share your questions, impressions, criticisms, and requests!
Want a more personal interaction? I am hosting an AMA on Twitter Space later today (Wed Oct 12) from 4-5PM PT.
https://twitter.com/i/spaces/1LyxBqvnmAyJN
You can also email me dick.hardt@hello.coop
[1] https://www.linkedin.com/in/dickhardt/ https://en.wikipedia.org/wiki/Dick_Hardt https://twitter.com/DickHardt
[2] https://datatracker.ietf.org/doc/html/rfc6749, https://datatracker.ietf.org/doc/html/rfc6750, https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
We did not do GitHub and Discord at first as they are OAuth only -- no OpenID Connect support.
Thanks for letting us know what you would like!
extremely hard for me to get excited about something that has blockchain in it these days
As a co-operative we don't have equity to sell for financing. Tokens enable us to separate ROI from governance, and many investors are willing to invest in tokens.
As a developer or user, the blockchain aspect is hopefully irrelevant.
As a SaaS vendor, I likely already support several social logins and email verification. Why should I switch?
If I have not implemented the social logins, I can see the convenient factor. However, social login is not that hard to implement, and if you did for one vendor, it is just mechanic to do the same to other vendors. Users are your most valuable asset so I consider it time well spent.
Hellō is not decentralized -- apologies for any confusion -- did I mistakenly write that somewhere?
The governance is decentralized. Yes, it is another point of failure, as is any other service you build your app on. I have extensive experience with tier zero services such as AWS IAM and have applied those learnings to the Hellō deployment if that is any consolation.
The value proposition of Hellō is not as great for you as you have already made a substantial investment in your identity implementation. In the future when Hellō has a larger claims selection than verified email, phone and ethereum address -- you may find it valuable to use Hellō to request claims from your users. Additionally, depending on your application, you may want to make claims about your users that they can share with other sites. Empowering users to control their identity and share it is our mission. Claims can range from VIP cards to memberships to reputation scores.
Fully agree that social login is not hard to implement. (I'll take that as a compliment as one of the designers!) As you add additional providers so that you provider more choice to your users, the risk of a user fragmenting their identity by choosing a different provider when they return increases. Dealing with fragmented identities in your app is hard.
Additionally, registering and configuring your app at Apple / Facebook / Google etc. is non-trivial. I know what I am doing in theory, and I have already invested a week of time in configuration and approvals and updates.
I don't feel like it's worth giving up control over your user's authentication to an intermediary in return for saving a week of work. Maybe the case could be made for day-1 of a startup, but certainly not year-1, it's just too critical a component.
I'd also challenge this taking a week. Apple/FB/Google sign-on is pretty straightforward, and I've found the cost is mostly in setting up an open-source auth library in my webapps rather than enabling a given service provider.
Why not just use self-issued OpenID identities then?
Well, I guess the reason is that the standard[0] hasn't even been finalised yet, and there are no implementations (as far as I know), but it seems like some combination of that plus Verifiable Claims is the correct way to provide decentralised identities.
[0] https://openid.net/specs/openid-connect-self-issued-v2-1_0.h...
I gave a talk on the need to be pragmatic to get adoption:
https://www.kuppingercole.com/watch/eic2021-hardt-dogmatism-...
That's an interesting point about the 'openid:' scheme. Are you worried about someone having a use case where they want two separate wallet apps installed at the same time on their phone (rather than one app that can support multiple identities)?
Or is the concern more that someone might install a (seemingly unrelated) second app which surreptitiously hijacks the scheme and spoofs the interface of the existing app, to trick people into... revealing which sites they have accounts on? (The second app wouldn't be able to steal the keys from the first one, right?)
Anyway, it's good that multiple approaches are being attempted to solve the vital problem of decentralised identity, and I look forward to seeing how much adoption Hellō gets.
The only responsibility of a corporate member is to abide by the bylaws, and vote for the corporate board members.
We have been having regular corporate member meetings to review progress and discuss identity trends. I think the current members learn something from the other members at each meeting.
Losing access to your users is also a risk as a developer as the provider can take away your app access to their service. Our goal is to be neutral and not be able to take away either the user's account, or the developer's access.
Also, jrockway shared relevant Auth0 comments in this discussion at https://news.ycombinator.com/item?id=33180939.
Is your reluctance around smart contracts influenced at all by https://www.hello.coop/pages/financing.html?
There's well-documented failures of so-called "smart" contracts, and IMO building something like this on top of one is a recipe for disaster, just like the rest of the crypto-blockchain ecosystem.
As a developer/architect, I would have a user enrollment waiting room role in my application/service where certain features would be available to hello.coop asserted identities, and then more features would become available as I got the necessary identity assurance/KYC from them. It removes the need for me to do password management and account recovery, because that's on the user to manage via their social identities.
As a user, I presume if I want access to a service, I just pick the IDP of my choice to use for a given service. (imo, protonmail needs to provide an oauth2 identity service as well)
The resilliance of this could be provided by linking social identities on a blockchain, so if any one or two IDPs decide they're going to cut hello.coop off, the users can still use their hello.coop identity that was linked to their other social logins, and just not the IDP who defected.
Is this an accurate interpretation?
We not only support social login, but also crypto wallets that support browser extensions or Wallet Connect. The user can also just use email or phone. We will be adding support for Passkey once the implementations have sorted out some details.
Yes, you can bootstrap enrollment with Hellō and then prompt the user for additional profile / identity assurance. We are working on supporting KYC claims as well so that you could request them and then Hellō would interact with the user on how best to gather those from the user if we don't already have them. IE we would be an abstraction layer for KYC similar to being an abstraction for login and profile registration.
As a user, you pick your "IdP" for your Hellō wallet, and use that IdP for all apps that support Hellō until you want to change your preferred provider. In the future, the user does KYC once with us and then has a reusable identity.
wrt. resilience -- we encourage users to setup two or more backup providers so they can recover their Hellō Wallet if they lose access to their preferred provider. Recovery requires logging in with two backup providers, and then they can change their preferred provider.
I've implemented this for a bunch of clients lately and would probably have used something like this if it was available and mature.
One question, though: How do you say Hellō? [həˈləʊ] or [həˈlø] or [həˈlɔː]? :-)
