Anil John
Making Digital Services Secure and Trustworthy


Leveraging User Experience Expectations at the RP


There are two primary "identity proofing" user experience (UX) options when it comes to enrolling a person in a high-value application (relying party, or RP). The difference comes down to whether the RP or a credential service provider (CSP) collects the information needed for identity validation and verification. Should one or the other be the default UX for public sector services?

As I've pointed out before, disruptive innovation should be non-disruptive to adopt. A UX that is non-disruptive should therefore be consistent with the day-to-day online experiences of a person, i.e., what have a person's daily online user journeys trained them to expect?

I don’t think the general public really minds the enrollment process. First time at a site, I provide certain pieces of identity information that assists the site in disambiguating my identity or tying me to a specific record. It actually has several advantages: I am responsible for the information passed, I know what information pertaining to me is being relied upon. And it doesn’t preclude the site I am visiting from doing an out-of-band verification.

From a recent conversation with a Domain Expert

The typical online experience is for the RP to collect the needed information, and results in the following flow:

The alternate flow is the outsourcing of the information collection to a Credential Service Provider (CSP), which, research has shown, is not the normal expected experience for the majority of people. This results in the following flow:

BTW, it is important to note that this is about the UX and not about the division of responsibility, so from an implementation perspective both the TM and IM components could very well be provided by the same CSP. In addition, the first flow lends itself much more cleanly to a pull-based architecture, which is important for authorization.


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
