cis13: providing high value consumer services as a relying party - idaas: what works and what...
Post on 26-Jun-2015
High Value Consumer Transactions
A Relying Party's Perspective
Image by Andrew Horne
Image by TheeErin
So… what's the context?
• Consumer to business
• Relying Party supporting Identity Federation
• User in control
• High value transactions
  o Specifically micro-payments
Games Platform
Purchase Flow
What we learned
Complicated
• Customer Service
  o finding the user's account
• Access problems due to issues with the IdP
• Account recovery
Works
• Identity Federation for Authentication
• Challenge before purchase
Relying Party trends
• Moving away from identity federation for authentication
• Using social login for attribute collection
  o RPs really like this
• Desire to control the entire user experience
What is driving these trends?
• User Experience Concerns
  o Account recovery
  o Forgot IdP / Login confusion
  o Merging duplicate accounts
  o Linking multiple federated identities together
  o Authentication from Mobile apps
  o Delegation
  o User's account "blocked" at the IdP
  o Customer Service Support
What is driving these trends?
• Business Concerns
  o Liability and dependence on external party (no contracts)
  o IdP policy mismatch with RP policies (e.g. data use policy)
  o ROI for identity federation (or lack thereof)
  o Lack of knowledge/understanding of the value of identity federation
• Technical Concerns
  o Legacy system already dependent on username/password
  o Lack of a successful identity standard (or maybe too many viable ones)
  o Recycled identifiers
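Two of the concerns above, linking several federated identities to one RP account and recycled identifiers (an IdP handing an e-mail address to a new person), come down to what the RP keys its account on. The following is an added illustration, not code from the talk: a hypothetical account store that links identities only by the IdP's (issuer, subject) pair and treats an e-mail match with an unknown subject as a signal for an explicit link step, never as a login. The class and claim names are assumptions chosen for the example.

```python
"""Relying-party account linking keyed on (issuer, subject), not e-mail.

Added example (hypothetical store, not the presenter's code). Demonstrates:
  * one RP account linked to identities from several IdPs
  * a recycled e-mail address (same address, new IdP subject) NOT resolving
    to the previous owner's account
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IdentityKey = Tuple[str, str]  # (issuer, subject)


@dataclass(frozen=True)
class FederatedIdentity:
    """Claims an RP keeps from an IdP assertion (simplified, assumed names)."""
    issuer: str            # who asserted it, e.g. "https://idp-a.example"
    subject: str           # IdP's stable per-user identifier (OIDC 'sub')
    email: str             # human-facing address; may be reassigned later
    email_verified: bool = False

    @property
    def key(self) -> IdentityKey:
        return (self.issuer, self.subject)


@dataclass
class Account:
    account_id: str
    identities: Dict[IdentityKey, FederatedIdentity] = field(default_factory=dict)
    contact_email: Optional[str] = None


class AccountStore:
    """In-memory RP account store; a real one would persist these tables."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._by_identity: Dict[IdentityKey, str] = {}

    def create(self, account_id: str, identity: FederatedIdentity) -> Account:
        if account_id in self._accounts:
            raise ValueError(f"account {account_id} already exists")
        acct = Account(account_id, contact_email=identity.email)
        self._accounts[account_id] = acct
        self.link(account_id, identity)
        return acct

    def link(self, account_id: str, identity: FederatedIdentity) -> None:
        """Attach a federated identity; one (iss, sub) maps to one account only."""
        owner = self._by_identity.get(identity.key)
        if owner is not None and owner != account_id:
            raise ValueError(f"{identity.key} is already linked to {owner}")
        self._accounts[account_id].identities[identity.key] = identity
        self._by_identity[identity.key] = account_id

    def resolve(self, identity: FederatedIdentity) -> Optional[str]:
        """Look up by (issuer, subject) only. E-mail is deliberately ignored:
        a recycled address must not sign in as the previous owner."""
        return self._by_identity.get(identity.key)

    def email_collision(self, identity: FederatedIdentity) -> Optional[str]:
        """Account whose contact e-mail matches but whose identities do not.
        Used as a prompt for an explicit, authenticated link flow."""
        for acct in self._accounts.values():
            if acct.contact_email == identity.email and identity.key not in acct.identities:
                return acct.account_id
        return None


def login_decision(store: AccountStore, identity: FederatedIdentity) -> str:
    """What the RP login flow does with a fresh assertion."""
    if store.resolve(identity) is not None:
        return "signed_in"
    if store.email_collision(identity) is not None:
        # Same address, unknown subject: maybe the same person at a new IdP,
        # maybe a recycled address. Require the existing account's own
        # credential or second factor before linking; never auto-merge.
        return "needs_explicit_link"
    return "new_account"


if __name__ == "__main__":
    store = AccountStore()
    alice_a = FederatedIdentity("https://idp-a.example", "111", "alice@example.com", True)
    store.create("acct-1", alice_a)
    alice_b = FederatedIdentity("https://idp-b.example", "b-9", "alice@example.com", True)
    store.link("acct-1", alice_b)                       # second IdP, same account
    recycled = FederatedIdentity("https://idp-a.example", "222", "alice@example.com", True)
    print(login_decision(store, alice_b))               # signed_in
    print(login_decision(store, recycled))              # needs_explicit_link
```

The point of `resolve` ignoring `email` is the recycled-identifier case: when IdP A later issues subject `222` for the same address, the store returns no account, and `login_decision` routes the user to a link flow that first proves control of `acct-1` through that account's own credential.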
Critical for the RP
What is my risk in supporting Identity Federation?
• How many customers will I gain?
  o lower barrier to entry
• How many customers will I lose if something goes wrong?
• What use cases do I need to handle now that I'm relying on another entity?
• How much does it cost to implement the mitigation flows for these new use cases?
Easy solution
• Make it easy for every RP to be their own IdP
• RP controls all the flows
• No new flows to deal with
• Well understood user experience patterns
Problem: Ignores the User
• Yet another site asking for a password
• Identifier/Password management nightmare
• Consumer almost guaranteed to be compromised
Real solution
• Trust frameworks to provide some assurances between RPs and IdPs
• Industry best practices for the new flows
• IDaaS provider targeted at consumer services
  o Easy for startups to leverage
  o Mitigations for unexpected outages
  o Support for Federated Identity Providers
Questions & Maybe Answers
Contact Information
george.fletcher@teamaol.com
http://twitter.com/gffletch
http://about.me/georgefletcher