What impression do your staff, business partners and consumers develop from the moment they first interact with your online services?
How do you best manage the function, the feel and the security of your Identity and Access Management (IAM) processes for your online services?
First impressions matter. They matter when people meet for the first time through appearance, smile, handshake, eye contact and many other signals. First impressions also matter in technology and with business applications from the first interactions users have with online services. First user interactions typically include the functions of registration and access. They can influence the quality of user experience, the level of user satisfaction and eventually how well online services may succeed.
The registration function usually is a one-off operation. It captures and processes information about the intended service users’ identities as a dependency to accessing the service. The function typically results in creating a service account, which is often identified by a unique username (email address or other identifier) associated with some form of security credentials such as a password.
Registration functions, or workflows, are implemented in many different ways for different types of users and services. They generate different types of first impressions, from good to bad.
For example, the registration function can:
- be fully automated, semi-automated or manual with self-service or user administrative functions,
- let users select their desired username (unique) or impose it,
- offer users the choice of security credentials (e.g. password, external identity provider such as Facebook, fingerprint, etc.) or impose them,
- offer users the option to set password reset challenge questions and answers so users can reset their passwords themselves at a later stage if required,
- offer users the option for multi-factor authentication for increased security, or impose a standard to it,
- require many or few identity attributes as an input,
- store the identity data collected or use it only transiently,
- offer the option to import, or link with, identity attributes from third-party services (e.g. Facebook) as authorised by the user,
- include an online identify verification process, which asserts the validity of the identity information provided online against external trusted authoritative sources of identity (e.g. passport, driving license) to provide a level of assurance that the registering users are indeed who they claim to be,
- require a proof the user is human, and not a “robot” (e.g. CAPTCHA),
- require an email or a SMS verification step to complete the registration process,
- require a manual approval by an authorised delegate (e.g. a manager or a service owner),
- be done on one page or require multiple pages to go through, etc.
I experience a better registration function when:
- it is as short and as simple as possible,
- the required identity data is kept to a strict minimum and the collected data is only retained as eventually necessary (if you read my blog, you can get that I am quite keen on the subject of privacy),
- I can choose my own username,
- Password policies are not limiting to strength (e.g. some services still don’t allow special characters),
- I have an option to configure multi-factor authentication,
- CAPTCHA, when used with blurred images, are actually readable.
The access function is used every time an application is opened. The function can be renewed during long usage and it can also apply within application use to authorise specific types of transactions. The function typically includes the following workflows:
- Identification. Knock knock, it’s me (username).
- Authentication. Here is my password and/or other form of security credentials.
- Authorisation. An example with web-banking: I’m authorised to pay a bill to an already registered account, but I may receive a One Time Passcode (OTP) over SMS to authorise a transaction with a new account.
- Audit. Log who has accessed what, when and from where.
Access functions, or workflows, are also implemented in many different ways for different types of users and services. They also generate different types of first impressions, from good to bad.
The access function typically inherits the configuration from the registration process (e.g. the password) and it can also:
- request security credentials (e.g. password) every time, or let users go through automatically and transparently through Single-Sign-On (SSO),
- vary in process depending on what business application and business data is accessed and how they are accessed (location, device, time, etc.),
- force a step-up authentication for transaction authorisation purposes (e.g. SMS passcode to transact with a new account),
- time out within a period of time and require a new authentication process,
- leverage extra, contextual or behavioural information (a.k.a. adaptive authentication) about the user and the devices they use to increase security. Such information may include geolocation, devices fingerprint, further device configuration data or more refined user behavioural data (see my blog on context-aware security, user behaviour analytics and awareness APIs),
- audit and store varying level of data about who was accessing what from where and when,
- require users to change their passwords from time to time,
- offer an option to reset a password when forgotten (challenge questions or reset link sent by email), etc.
I experience a better access function when:
- there is an alternative option to using passwords (e.g. biometrics). I really like using fingerprint based authentication (e.g. TouchID),
- Single-Sign-On is supported, especially for business applications,
- I have a clear understanding of what is audited (e.g. tracking my location?)
The Function, The Feel and The Security
When designing Identity and Access Management (IAM) functions and solutions for online services, best managing the following elements may have a significant importance to the service uptake and its success:
- The Function: what the IAM controls do and how they do it.
- The Feel: what experience, impression, and very importantly the first impression, users develop through the IAM controls they are subject to.
- The Security: what levels of assurance for identity and access do the IAM controls provide.
It is my experience that many organisations, and IAM service providers, have not yet prioritised User Experience (UX) or specialised User Interface (UI) capabilities with their IAM programs and solutions. This is in my opinion an opportunity for improvement. A better IAM UX, and a better first impression, can contribute to better online business development.
What do you think about it? I’d love to get some comments on the subject.