Anil John
Making Digital Services Secure and Trustworthy

Balancing Identity Assurance and User Enrollment UX

Public sector services typically prioritize policy compliance (security, assurance, privacy, etc.) over user experience (UX) when it comes to service delivery. Contrast this with private sector services, where the desire to capture the consumer and not have them go to a competitor makes a friction-free UX a higher priority. Effective public sector service delivery requires a balance between these two extremes, but expertise and experience in this domain are either lacking or hard to come by.

If there is one lesson from the HealthCare.gov rollout that needs to be taken to heart by the public sector, it is to blow out of the water the notion that in a service with no competitors, users are a captive audience and as such UX is a low priority item.

The analysis done by the Nielsen Norman Group should be eye-opening, especially when it comes to account setup (user enrollment):

Account setup is users’ first taste of a service. A suboptimal account setup can spawn 3 problems:

  1. Increased service cost: When people can’t self-service online and you have no competitors, they call you. Call-center interaction is more expensive than web self-service. In 2008, Forrester estimated call-center calls to cost $5.50 per call versus 10 cents for a user who self-services online.
  2. Increased cognitive strain: The instructions for creating usernames and password in this flow [...] require a great deal of concentration, and if users don’t understand the instructions, they will need to keep creating usernames and passwords until they are accepted.
  3. Halo Effect: Account setup is the first in a series of web-based interactions that users will need to conduct [...]. A poor experience with this first step will impact how people feel not only about subsequent interactions with the site, but how they feel about the service in general [...]
HealthCare.gov’s Account Setup: 10 Broken Usability Guidelines

The challenge in this space is that very few organizations with high assurance needs are doing user experience and usability testing. One that does is the UK GDS Identity Assurance Program, which has published some of its research:

  • most people we encounter have no prior experience of using a third party company to identify them
  • if they have used a third party to sign in it’s most likely to be via a social media account, and most people we’ve met tend to avoid using their social media account to sign in to other services
  • [The UK Program to use commercial CSPs at Gov web sites] will often be the first time people use this model and they need to be assured that it is a legitimate process
  • [...]
UK GDS IDAP - User Research

But do the UK results apply across jurisdictional and cultural boundaries? I don't know, but believe that it is imperative that there be localized answers. My fear is that we are not investing enough in this area, and that lack of investment will come back to haunt us down the line.

As I've pointed out before, the user enrollment aspects of how high assurance credentials are currently envisaged to be provisioned to regular users (people not familiar with identity) fly in the face of the adoption mantra that "Disruptive innovation should be non-disruptive to adopt". That needs to change.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
