Now that developments of User Centric Authentication (UCA) are taking off quickly, I think the Identity Community needs to convince their “customers” to start implementing. The “customers” of UCA are organizations that offer Internet applications, like Google, MySpace, banks, accountants and many others. Within the identity community these organizations are defined as relying parties (RPs).
Although I like tools like http://demand.openid.net to put on a little pressure, I think we should help the RPs with a fact sheet to show the pros of UCA. The sheet should also help ambassadors of UCA to convince their general management to prioritize User Centric Authentication.
I couldn’t find any fact sheet, so I started to collect the facts myself. Please help to make this list complete so in the end the relying parties will see the benefits themselves.
Why relying parties should implement User Centric Authentication
- Outsourcing authentication saves costs. As a relying party you don’t have to worry about lost user names, passwords, a costly infrastructure, or upgrading to new standards and devices. You can just focus on your core. According to research, the average cost per user for professional authentication is approximately 34 euro a year. In the future you will pay a few cents per authentication request (transaction based). (Report from Gartner. Any other calculation reports available on this?)
- Your customers are demanding user centric authentication. User centric authentication gives your customers comfort. No registration hassle and low barriers of entry to your service. Offering UCA to your customers can be a unique selling point and stimulate user participation.
- Open up your service to a large group of potential customers. You are probably more interested in the potential customers you don’t know, versus the customers you already service. UCA makes this possible. If you can trust the identity of new customers you can start offering services in a minute.
- The identity provider follows new developments. When a new authentication token or protocol is introduced you don’t have to replace your whole infrastructure.
- Time to market. Due to legislation you are suddenly confronted with an obligation to offer two-factor authentication. UCA is very easy to integrate and you are up and running a lot quicker.
- Data sharing. If the identity provider also offers the option to provide additional (allowed) attributes of the end-user, you don’t have to store all this data yourself. If, for example, I go on holidays for a few weeks, I just update my temporary address instead of calling the customer service of my local newspaper!
- Quickly offer new services under your brand. If you take over a company or want to offer a third-party service under your brand/infrastructure, UCA makes it much easier to manage shared users. How much time does this take at the moment…
- Corporate image. As SourceForge states, they also offer OpenID support to join the Web 2.0 space and benefit from the first-mover buzz. Besides, adding a good authentication mechanism provided by a trusted identity provider could add value to your own service, like adding a trust seal from your SSL certificate provider.
Potential Con arguments
- I still have to manage the authorization. Although the authentication is outsourced, I still have to bind the identity to my internal authorization rules/roles/structure. So the registration process is still time consuming. (At least it is less time consuming if you outsource the identification process.)
- Bulk introduction. If I introduce a new service where authentication is required, I just do a mass introduction, sending all my customers new authentication credentials and preregistering them within my authorization DB. With UCA I have to be sure everybody is able to authenticate and I can’t preregister. (It’s just a matter of time before all of your users are familiar with UCA. What about the costs of rolling out yourself…)
- Support stays. I still get support calls because my customers need to follow a procedure to register and bind their identity to my authorization roles. If my customers can’t log in, it is unclear to them that I can’t solve this and that they should call their identity provider. (UCA will be as common as the availability of water, electricity or Internet. Everybody knows they need to call their Internet provider if they don’t have Internet access.)
- A Christmas tree of login frames. How many login frames do I have to display? Please log in to my site: if you have an infocard click here, if you have an OpenID click here, if you use Higgins click here, if you still use our account click here. (UCA standards will merge. Besides, you will probably only select a few identity providers you trust. What about just asking for the username first… this makes it possible to have only one login frame.)
- My authentication is my identity. Providing your customers a smartcard, OTP token or password makes it possible to promote your brand. With a user centric token I don’t have any marketing visibility anymore. (New authentication tokens make it possible to show your brand during the user centric authentication process)
- What if the identity provider is not available? My service is offline if my customers can’t authenticate. (Do you implement your own water system, electricity generator, Internet backbone? User centric authentication is the core competence of the identity provider; they will do it better than you would by offering your own.)