I’ve been working on an Identity Management (IdM) strategy for a client over the past few months. They have been investing in IdM solutions to meet their needs for several years, so it was becoming important for them to look at the bigger, long-term picture.
A key recommendation in the strategy is to establish user-centric IdM in this organization. This is based on emerging research that shows users desire more control over identity information, even if that control amounts to simply viewing the information the IdM system possesses.
As I’ve commented on this blog a few times, this emerging user trend is being talked about regularly in industry circles, by select academics and by identity management ‘thought leaders’. User-centred, or user-centric, IdM can provide practical approaches to meet the increased needs of individuals who wish to better manage their own identity information.
What is less reported and commented on is that user-centric IdM is not a technology, but rather a model or philosophy that is primairly concerned with putting user needs first in IdM solution design. To be successful, designers of user-centric solutions have to consider the user identity’s full life-cycle and be ‘in tune’ with their needs for privacy and control. Two noted examples illustrate this point.
Three years ago Kim Cameron came to my city to talk about information cards. This was a completely new paradigm for those of us that had been designing and building centralized IdM systems. Mr. Cameron’s use case that day was the payment of an online purchase. He showed how a user with a Visa account could use an information card to present a cliam to an e-commerce site. The claim didn’t have to provide any details about the user — simply that the user had been authenticated and that they, Visa, would honour the payment. All the e-commerce site had to do was present this claim to Visa in order to receive payment. The user in this scenario did not have to supply personal information to the web site in order for the payment to be processed (of course, a name and address would need to be provided to the shipping department, but that was outside the actual financial transaction).
Around the same time, Dick Hardt was wowing them at the O’Reilly OSCON conference with his Identity 2.0 presentation. His use case was that of how he, a responsible adult, might purchase a quality vodka product from the local liquor outlet. The main point was this: in real life we present credentials of our choosing to clerks in order to prove an aspect of our identity, such as our current age. Liquor store clerks don’t need to record our name and address in order to conduct the transaction — they simply need to verify that the birthdate works out to the correct minimum age for the purchase and, in effect, discard the information after the transaction is completed. Mr. Hardt goes on to say that there are technology solutons that can virtualize this approach, hence user-centric and privacy-smart identity solutions can emerge.
In both these cases, the needs of the individuals are considered first. Mr. Cameron could easily have stuffed the vitual credit card with user information, and made the case that the e-commerce site would highly value that information (think Facebook). Similarly, Mr. Hardt’s example focused on the only reason the individual would want to present identity information: to confirm one aspect of their, that being their age. Both of these are in tune with the demands of privacy-aware citizen and are excellent examples of user-centric philosophy.
Centralized systems, like the Canadian government’s ePass, scale to millions of users and are well understood by users and designers alike. But these legacy systems are fraught with challenges related to security, lack of privacy controls and, potentially, accusations of ‘big brother’. In no way are these system user-centric — they simply were built in a time when user ‘control over identity’ needs were not a priority.
For organizations like large companies and governments, these systems do a disservice because they ultimately will discourage privacy-aware individuals from using the very online services the IdM system is intending to enable. Only by adopting user-centric philosophies in solution design can IdM systems meet the changing needs of individuals in an increasingly privacy-aware world.