Online identity, in the form of accounts, is used these days for two main purposes. First, it allows websites to keep track of various pieces of information about you, such as your name, your date of birth, those embarrassing pictures from the party last weekend, and most importantly what you're allowed to do on the website. Second, these same systems are used to ensure that people don't create an arbitrarily large number of extra identities, since presumably this would be a bad thing for various reasons.
The first use is broken; not through any inherent fault, but because current authentication systems are so mind-bogglingly awful that phishing has compromised a sizable number of accounts on any given website. (In extreme cases, and usually due to a combination of SQL injection and an inexplicable failure to hash passwords, there have even been cases where every single account for a website is stolen.) Now, the million dollar question: how do you keep a website running smoothly when an arbitrary number of your users are actually acting maliciously, and you have no way to detect it?
The second use of identity on the web, though, is so completely broken that it's a wonder people even try anymore. Despite increasingly desperate measures by some site owners, it remains laughably trivial to create multiple accounts on any website that allows open registrations. Requiring a valid email address? There are temporary email sites that will let you generate a new email address in under a minute. Checking IPs? Not only is it dead wrong with the increasingly widespread use of NAT, it's also trivial to find an open proxy. CAPTCHA? Only prevents machine registrations; I can still sit down and keep making accounts by hand until I get bored. (OpenID only exacerbates this problem, incidentally: for the price of a domain name you can create an infinite (seriously!) number of OpenIDs.)
"But then," you may ask, "how do I prevent people from making a ton of accounts and spamming up my website?" Well, there's a simple solution, but you won't like it. Still want it? Here it is:
Build your website from the ground up with the assumption that every user has an infinite number of accounts.
See, I told you you wouldn't like it. If you were to design a website around this principle, there are two paths you can take.
- Design your site in such a way that it has no per-user quotas: Since everybody has infinite accounts, limits set on users are useless. This isn't perfect, since user moderation is still nigh-impossible, but it's an improvement over current practices.
- Require some kind of investment from your users before an account becomes useful: This can be a contribution of effort (as Stack Overflow does), some kind of monetary account fee, or something else entirely.
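
To make the difference concrete, here is a small simulation added as an illustration (it is not code from the original post). It compares a per-account quota with an investment gate when one person controls many throwaway accounts; the class names, thresholds and the review callback are all assumptions made up for this sketch.

```python
from dataclasses import dataclass
# All thresholds are constructed for this example, not any real site's values.
QUOTA_PER_ACCOUNT = 3   # posts per account per day (quota design)
TRUSTED_REP = 10        # reputation needed to publish without review
REP_PER_APPROVAL = 5    # reputation earned per approved contribution

@dataclass
class Account:
    reputation: int = 0
    posts_today: int = 0

class QuotaSite:
    """Per-account quota: the effective limit multiplies with the account count."""
    def __init__(self):
        self.published = []
    def submit(self, acct, text):
        if acct.posts_today < QUOTA_PER_ACCOUNT:
            acct.posts_today += 1
            self.published.append(text)

class InvestmentSite:
    """New accounts can only queue work; approved contributions earn reputation."""
    def __init__(self):
        self.published, self.queue = [], []
    def submit(self, acct, text):
        if acct.reputation >= TRUSTED_REP:
            self.published.append(text)
        else:
            self.queue.append((acct, text))
    def review(self, is_acceptable):
        for acct, text in self.queue:
            if is_acceptable(text):
                acct.reputation += REP_PER_APPROVAL
                self.published.append(text)
        self.queue.clear()

def simulate(n_accounts=1000, attempts=5):
    quota, invest = QuotaSite(), InvestmentSite()
    for _ in range(n_accounts):          # one person, many throwaway accounts
        acct = Account()
        for _attempt in range(attempts):
            quota.submit(acct, "spam")
            invest.submit(acct, "spam")
    honest = Account()
    for text in ("answer 1", "answer 2"):
        invest.submit(honest, text)
    invest.review(lambda t: t != "spam")  # stand-in for human/trusted review
    invest.submit(honest, "answer 3")     # trusted now, skips the queue
    return (len(quota.published), invest.published.count("spam"),
            honest.reputation, "answer 3" in invest.published)
```

In the investment model the review queue still receives every throwaway submission, so the review cost remains, but nothing is published from an account that has not earned it.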