Anil John
Making Digital Services Secure and Trustworthy


Does a Credential of Last Resort Need to be Offered by Public Sector Services?


If a public sector Relying Party (RP) has bought into the value proposition to use federated credentials, it behooves them to set up the user authentication flow to maximize the usage of these credentials.

In that case, does it make sense to offer a credential of last resort as an alternative to federated credentials?

Decision paralysis is a very real factor to consider in such a situation. More options, even if they are good ones, can freeze us and make us retreat to the default option, which in this case is to create a username and password. That runs counter to the goal of enabling federated credential access.

It is interesting to note that this particular user interface construct has been driven by commercial sector RPs, who are focused on customer acquisition and want to make the account sign-up path as frictionless as possible. That is, they are afraid that if they don't provide this option, the user will go to a competitor.

On the public sector RP side, that particular reason is not compelling for obvious reasons.

An alternative in this case may be to NOT offer a credential of last resort with the clear caveat that the service offered still needs to be accessible to the user by alternate means if they choose not to use a federated credential:

Has anyone done any A/B testing, have pointers to studies, or have concrete experience to share on this topic?


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
