George Fletcher, Chief Architect for Consumer Identity Services, AOL, Inc.
This year AOL rolled out a games development platform that supports "micro" payment transactions. While the platform supports multiple identity providers and functions as a relying party, unfortunately, the outsourcing of identity is not as simple as it should be. This talk will cover the identity aspects of the system and the challenges both past and present.
4. So… what's the context?
— Consumer to business
— Relying Party supporting Identity Federation
— User in control
— High value transactions
— Specifically micro-payments
18. What we learned
Complicated
• Customer Service
  o finding the user's account
• Access problems due to issues with the IdP
• Account recovery
Works
• Identity Federation for Authentication
• Challenge before purchase
19. Relying Party trends
• Moving away from identity federation for authentication
• Using social login for attribute collection
  o RPs really like this
• Desire to control the entire user experience
20. What is driving these trends?
• User Experience Concerns
  o Account recovery
  o Forgot IdP / Login confusion
  o Merging duplicate accounts
  o Linking multiple federated identities together
  o Authentication from Mobile apps
  o Delegation
  o User's account "blocked" at the IdP
  o Customer Service Support
21. What is driving these trends?
• Business Concerns
  o Liability and dependence on an external party (no contracts)
  o IdP policy mismatch with RP policies (e.g. data use policy)
  o ROI for identity federation (or lack thereof)
  o Lack of knowledge/understanding of the value of identity federation
• Technical Concerns
  o Legacy system already dependent on username/password
  o Lack of a successful identity standard (or maybe too many viable ones)
  o Recycled identifiers
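Three of the points above (challenge before purchase from slide 18, linking multiple federated identities from slide 20, recycled identifiers from slide 21) come together in the RP's account model. The following is an added Python illustration, not AOL's code; the (issuer, subject) account key and the 300-second challenge window are assumptions.

```python
# Added illustration, not AOL's code: an RP that outsources authentication,
# keys accounts on (issuer, subject) not email, and re-challenges before payment.
from dataclasses import dataclass, field

CHALLENGE_MAX_AGE = 300  # seconds a challenge stays fresh (assumed RP policy)


@dataclass
class Account:
    account_id: str
    display_email: str                                # hint for UI only
    federated_ids: set = field(default_factory=set)   # {(issuer, subject)}
    last_challenge_at: float = float("-inf")          # never challenged


class RelyingParty:
    def __init__(self):
        self.accounts = []
        self.by_federated_id = {}  # (issuer, subject) -> Account

    def login(self, issuer, subject, email):
        # An unseen subject is a NEW account even when the email matches an
        # old one: IdPs recycle identifiers, so email must never be the key.
        key = (issuer, subject)
        acct = self.by_federated_id.get(key)
        if acct is None:
            acct = Account(f"acct-{len(self.accounts) + 1}", email, {key})
            self.accounts.append(acct)
            self.by_federated_id[key] = acct
        return acct

    def link(self, acct, issuer, subject):
        # Attach a second IdP identity to an account the user already holds;
        # refuse if it is bound elsewhere (merging is a separate manual flow).
        key = (issuer, subject)
        owner = self.by_federated_id.get(key)
        if owner is not None and owner is not acct:
            return False
        acct.federated_ids.add(key)
        self.by_federated_id[key] = acct
        return True

    def challenge(self, acct, now):
        # User re-proved control at the RP (password, OTP, ...).
        acct.last_challenge_at = now

    def purchase(self, acct, amount_cents, now):
        # Federated login alone never authorizes a payment.
        if now - acct.last_challenge_at > CHALLENGE_MAX_AGE:
            return "challenge_required"
        return f"charged {amount_cents}"
```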
22. Critical for the RP
What is my risk in supporting Identity Federation?
• How many customers will I gain?
  o lower barrier to entry
• How many customers will I lose if something goes wrong?
• What use cases do I need to handle now that I'm relying on another entity?
• How much does it cost to implement the mitigation flows for these new use cases?
23. Easy solution
• Make it easy for every RP to be their own IdP
• RP controls all the flows
• No new flows to deal with
• Well understood user experience patterns
24. Problem
Ignores the User
• Yet another site asking for a password
• Identifier/Password management nightmare
• Consumer almost guaranteed to be compromised
25. Real solution
• Trust frameworks to provide some assurances between RPs and IdPs
• Industry best practices for the new flows
• IDaaS provider targeted at consumer services
  o Easy for startups to leverage
  o Mitigations for unexpected outages
  o Support for Federated Identity Providers