Identity Federation: Failed Consumer Experiences and What We Can Do About It

From IIW

Session Topic: Identity Federation: Failed Consumer Experiences and What We Can Do About It

Tuesday 4G

Convener: George Fletcher

Notes-taker(s): George Fletcher

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

More and more sites require additional forms of authentication beyond a federated assertion. For example, a site will use Facebook Connect and then, in addition, ask the user for an email address and password. This creates a security vulnerability for the user (another password to manage and potentially reuse) and is a broken experience. Relying parties do this because there are a number of issues not currently solved by the existing identity federation flows.

RP Concerns

  * Federated IdP auth is not strong enough
  * Account recovery flows
  * Merging duplicate accounts
  * Forgot IdP problem
  * Support delegation (password is a broken form)
  * Authentication to mobile apps
  * Liability and dependence on external party (no contracts)
  * Legacy system already takes username and password (maybe requires it)
  * Misunderstanding of the value of federation
  * Lack of knowledge or understanding
  * Return on investment of depending on federation (or lack thereof)
  * Lack of a successful identity standard (or maybe too many viable standards)
  * IdP policy mismatch with RP policies
  * IdP data use policies

Consumer issues

  * Lack of consumer demand (they are happy with passwords)
  * Don't want to share data in addition to identity
  * Don't understand the risk of reusing passwords