Leveraging User Experience Expectations at the RP
There are two primary “identity proofing” user experience (UX) options when it comes to enrolling a person in a high value application (RP). The difference comes down to whether an RP or a CSP collects the information needed for identity validation and verification. Should one or the other be the default UX for public sector services?
As I’ve pointed out before, disruptive innovation should be non-disruptive to adopt, so a non-disruptive UX should be consistent with a person’s day-to-day online experiences. In other words, what have a person’s daily online user journeys trained them to expect?
I don’t think the general public really minds the enrollment process. First time at a site, I provide certain pieces of identity information that assists the site in disambiguating my identity or tying me to a specific record. It actually has several advantages: I am responsible for the information passed, I know what information pertaining to me is being relied upon. And it doesn’t preclude the site I am visiting from doing an out-of-band verification.
From a recent conversation with a Domain Expert
The typical online experience is for the RP to collect the needed information, which results in the following flow:
The alternate flow is the outsourcing of the information collection to a Credential Service Provider (CSP), which, research has shown, is not the normal expected experience for the majority of people. This results in the following flow:
BTW, it is important to note that this is about the UX and not about division of responsibility, so from an implementation perspective both the TM and IM components could very well be provided by the same CSP. In addition, the first flow lends itself much more cleanly to a pull-based architecture, which is important for authorization.
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.