Verified Identity Claims - UX

From IIW

Issue/Topic: VERIFIED IDENTITY CLAIMS – User Experience Challenges

Session: Wednesday 4H

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Ariel Gordon (Microsoft)

Notes-taker(s): Ariel Gordon (Microsoft)

Tags: Identity Selectors; Verified Claims; Identity Attributes; Privacy; Privacy Enhancing Technology; User-control.

Participants:

  • Craig Wittenberg Microsoft
  • Ariel Gordon Microsoft
  • Mary Ruddy Meristic
  • Henrik Biering Peer Craft
  • Greg Turner Sierra Systems
  • John Engler Webroot
  • James Reffell Webroot
  • Mike Min Booz
  • Adam Dawes Google
  • Charles Andacs PBB
  • Phil Hunt Oracle
  • Nishant Kaushik Oracle
  • Mike Ozburn Booz Allen
  • Tom Leon AOL


Discussion notes:

Verified Identity Claims – UX (User Experience) challenges

Policy could be driven by the RP, the user/user's agent, or the Claims provider UX gets even more complicated when we add N claim sources (orchestration scenarios)

How to mitigate UX complexity: add a "always consent" option on the agent Friction when things went well: the user has to take many actions (and stop reading) Friction when something goes wrong (error handling)

James Reffell (Webroot):

I have to go get data from 3 different, independent sources: present the UX as a ToDo list while keeping the RP's context in the background. The UX could look like a ToDo list, showing the steps that the user has to complete before continuing:

  • Go get Claim 1 [go]
  • Go get Claim 2 [go]
  • Go get Claim 3 [go]

The user can do them in different order. Say he goes to do #1. Now the UX refreshes to:

  • Claim 1 R
  • Go get Claim 2 [go]
  • Go get Claim 3 [go]

-Or-

  • Claim 1 [!]did work/here's why... Go again
  • Go get Claim 2 [go]
  • Go get Claim 3 [go]


The RP will offer a list of potential claim providers

We'll need some sort of an auditable standard so that the RP can say "I'll accept claims from any source that's auditable at level X".

Authenticate to the Claim Provider:

  • U/P
  • KBA
  • Using the phone as a second factor -- see Google's Strong Auth initiative with iPhones
  • Anakam (recently purchased by Equifax)--phone approach rather than Equifax's traditional KBA
  • Using a device-based Agent to participate in the authentication ceremony to the Claims provider, and simplify this for future use.

Installing an App on all of my device : painful. What about users without a smartphone?