cloudidsummit
George Fletcher, Chief Architect for Consumer Identity Services, AOL, Inc. This year AOL rolled out a games development platform that supports "micro" payment transactions. While the platform supports multiple identity providers and functions as a relying party, unfortunately, the outsourcing of identity is not as simple as it should be. This talk will cover the identity aspects of the system and the challenges both past and present.
High Value Consumer Transactions
A Relying Party's Perspective
Image by Andrew Horne
Image by TheeErin
So… what's the context?
• Consumer to business
• Relying Party supporting Identity Federation
• User in control
• High value transactions
o Specifically micro-payments
Games Platform
Purchase Flow
What we learned
Complicated
• Customer Service
o Finding the user's account
• Access problems due to issues with the IdP
• Account recovery
Works
• Identity Federation for Authentication
• Challenge before purchase
Relying Party trends
• Moving away from identity federation for authentication
• Using social login for attribute collection
o RPs really like this
• Desire to control the entire user experience
What is driving these trends?
• User Experience Concerns
o Account recovery
o Forgot IdP / login confusion
o Merging duplicate accounts
o Linking multiple federated identities together
o Authentication from mobile apps
o Delegation
o User's account "blocked" at the IdP
o Customer Service support
What is driving these trends?
• Business Concerns
o Liability and dependence on an external party (no contracts)
o IdP policy mismatch with RP policies (e.g. data use policy)
o ROI for identity federation (or lack thereof)
o Lack of knowledge/understanding of the value of identity federation
• Technical Concerns
o Legacy system already dependent on username/password
o Lack of a successful identity standard (or maybe too many viable ones)
o Recycled identifiers
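The recycled-identifier and identity-linking concerns above, as an added example (not code from the talk) of how an RP can key local accounts on the IdP's (issuer, subject) pair instead of the e-mail claim; the IdP URLs, subjects and accounts are constructed:

```python
"""Relying-party account store keyed on (issuer, subject) rather than
e-mail. Illustrates the 'recycled identifiers' and 'linking multiple
federated identities' concerns from the slides. Added example: the IdP
URLs, subjects and accounts below are constructed."""
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    email: str
    # Every linked federated identity is the pair (issuer, subject).
    identities: set = field(default_factory=set)

class RelyingPartyStore:
    def __init__(self):
        self._accounts = {}      # account_id -> Account
        self._by_identity = {}   # (iss, sub) -> account_id
        self._next_id = 1

    def resolve(self, iss, sub):
        """Return the local account for a federated login, or None.
        E-mail is never used as the key: an address the IdP recycles
        to a new person arrives with a new 'sub' and will not match."""
        account_id = self._by_identity.get((iss, sub))
        return self._accounts.get(account_id)

    def create(self, iss, sub, email):
        """Create a local account on first federated login."""
        acct = Account(self._next_id, email, {(iss, sub)})
        self._accounts[acct.account_id] = acct
        self._by_identity[(iss, sub)] = acct.account_id
        self._next_id += 1
        return acct

    def link(self, account_id, iss, sub):
        """Link a further IdP identity to an already authenticated
        local account; refuse if that identity is bound elsewhere."""
        if (iss, sub) in self._by_identity:
            raise ValueError("identity already linked to an account")
        self._accounts[account_id].identities.add((iss, sub))
        self._by_identity[(iss, sub)] = account_id

def recycled_identifier_demo():
    """Alice signed up via the IdP with sub-1001; the IdP later reassigns
    her e-mail to a new user, who arrives with sub-2002."""
    store = RelyingPartyStore()
    alice = store.create("https://idp.example", "sub-1001", "alice@example.com")
    newcomer = store.resolve("https://idp.example", "sub-2002")
    return alice.account_id, newcomer   # (1, None): no account takeover
```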
Critical for the RP
What is my risk in supporting Identity Federation?
• How many customers will I gain?
o Lower barrier to entry
• How many customers will I lose if something goes wrong?
• What use cases do I need to handle now that I'm relying on another entity?
• How much does it cost to implement the mitigation flows for these new use cases?
Easy solution
• Make it easy for every RP to be their own IdP
• RP controls all the flows
• No new flows to deal with
• Well understood user experience patterns
Problem
Ignores the user
• Yet another site asking for a password
• Identifier/Password management nightmare
• Consumer almost guaranteed to be compromised
Real solution
• Trust frameworks to provide some assurances between RPs and IdPs
• Industry best practices for the new flows
• IDaaS provider targeted at consumer services
o Easy for startups to leverage
o Mitigations for unexpected outages
o Support for Federated Identity Providers
Questions & Maybe Answers
Contact Information
[email protected]
http://twitter.com/gffletch
http://about.me/georgefletcher