Transcript
Page 1: CIS13: Providing High Value Consumer Services as a Relying Party - IDaaS: What Works and What Doesn't

High Value Consumer Transactions

A Relying Party's Perspective

Page 2

Image by Andrew Horne

Page 3

Image by TheeErin

Page 4

So… what's the context?

• Consumer to business

• Relying Party supporting Identity Federation

• User in control

• High value transactions

• Specifically micro-payments

Page 5

Page 6

Games Platform

Page 7

Purchase Flow

Pages 8-17

Page 18

What we learned

Complicated

• Customer Service
  o finding the user's account

• Access problems due to issues with the IdP

• Account recovery

Works

• Identity Federation for Authentication

• Challenge before purchase

Page 19

Relying Party trends

• Moving away from identity federation for authentication

• Using social login for attribute collection
  o RPs really like this

• Desire to control the entire user experience

Page 20

What is driving these trends?

• User Experience Concerns
  o Account recovery
  o Forgot IdP / Login confusion
  o Merging duplicate accounts
  o Linking multiple federated identities together
  o Authentication from Mobile apps
  o Delegation
  o User's account "blocked" at the IdP
  o Customer Service Support

Page 21

What is driving these trends?

• Business Concerns
  o Liability and dependence on an external party (no contracts)
  o IdP policy mismatch with RP policies (e.g. data use policy)
  o ROI for identity federation (or lack thereof)
  o Lack of knowledge/understanding of the value of identity federation

• Technical Concerns
  o Legacy system already dependent on username/password
  o Lack of a successful identity standard (or maybe too many viable ones)
  o Recycled identifiers

Page 22

Critical for the RP

What is my risk in supporting Identity Federation?

• How many customers will I gain?
  o lower barrier to entry

• How many customers will I lose if something goes wrong?

• What use cases do I need to handle now that I'm relying on another entity?

• How much does it cost to implement the mitigation flows for these new use cases?

Page 23

Easy solution

• Make it easy for every RP to be their own IdP

• RP controls all the flows

• No new flows to deal with

• Well understood user experience patterns

Page 24

Problem

Ignores the User

• Yet another site asking for a password

• Identifier/Password management nightmare

• Consumer almost guaranteed to be compromised

Page 25

Real solution

• Trust frameworks to provide some assurances between RPs and IdPs

• Industry best practices for the new flows

• IDaaS provider targeted at consumer services
  o Easy for startups to leverage
  o Mitigations for unexpected outages
  o Support for Federated Identity Providers

Page 26

Questions & Maybe Answers

Contact Information

[email protected]
http://twitter.com/gffletch
http://about.me/georgefletcher