Digital identity is the core of the digital transformation. It underpins sales and distribution, enables outreach to customer communities, and helps build business value chains. But organizations must traverse a minefield of threats, operational challenges, and compliance issues. As we wrote in the Second Golden Age of Identity, sea changes in identity accompany progress or crisis in IT. 2017 is the final year before GDPR puts companies in the crucible between online competitiveness and fiscal survival. At RSA Conference last month, we gained new insights on customer-facing identity from Ian Glazer’s presentation. Let’s work on following through some of Glazer’s ideas…
Source: Adapted from Changing Face/Fate of Identity, by Ian Glazer
Optimize the Customer Journey
How can companies rapidly onboard customers, start interacting with them, and engage them throughout multiple lines of business and partner ecosystems? Using the latest identity standards – such as OAuth 2.0, Open ID Connect (OIDC), User-Managed Access (UMA), and System for Cross-domain Identity Management (SCIM) – is essential. These standards are still evolving. Yet they have the ability today to help provide a more user-friendly online experience. Along with other standards, they also enable improved back-end business process integration by using, publishing, and protecting APIs with fewer integration headaches.
Glazer describes 3 steps to the customer journey:
- Sign up: Onboard the customer with a minimum of friction, while silently integrating back end business processes.
- Sign in: Avoid the Yet Another User Password (YAUP), but try not to settle for “standards-like behavior” (e.g. Facebook login).
- Onward journey: This is why we “do” identity – to provide the context for each step in the customer’s digital engagement with the company and its value chain.
Our Analysis: Glazer’s prescription for “sign-in” in makes sense, but we caution that online businesses must accept tradeoffs. For all its privacy issues and standards nits, Facebook login may seem desirable as an identity provider (IDP) option at least for those customers that want to use it. So should other IDPs. The “perfect IDP” does not yet exist (far from) and even if it did not all customers would subscribe. Depending on their target audience, most organizations will have to work with multiple IDPs.
Identity Hubs
Some businesses may have enough of a draw to be their own IDP. Just one YAUP then – ok? Other businesses should consider using multiple online channels. Up goes the social media login icon gallery and/or a multi-protocol pairwise federation hub solution. Whether an online business site is the IDP for the customer journey, or just uses an IDP, it needs “logical IDP integration” (or hub) functionality. Identity hubs must be able to build up or obtain whatever customer profile information is required to understand customer preferences, manage relationships, and provide evidence of consent (in some jurisdictions).
Whatever it is, the IDP hub is critical to the brand consistency. In the age of phishing, brand consistency fosters trust, but many online businesses aggregate or syndicate services in complex value chains, creating multiple-brand issues and an inconvenient, disconnected user experience.
The customer and partner-facing IAM (CIAM) architecture is all about specifying requirements for the organization’s own IDPs, federated identity integration patterns with external IDPs, identity and privacy life cycle management (ILM), runtime authorization, related business processes, etc.
Soon, part 2 of this post will drill down into Glazer’s take on identity standards and the Internet of (mobile) Things.
The post The Changing Face of Identity in 2017 (Part 1) appeared first on Security Architects Partners.