Verified Identity Claims - UX

Issue/Topic: VERIFIED IDENTITY CLAIMS – User Experience Challenges

Session: Wednesday 4H

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Ariel Gordon (Microsoft)

Notes-taker(s): Ariel Gordon (Microsoft)

Tags: Identity Selectors; Verified Claims; Identity Attributes; Privacy; Privacy Enhancing Technology; User-control.

Participants:
 * Craig Wittenberg	Microsoft
 * Ariel Gordon	Microsoft
 * Mary Ruddy	Meristic
 * Henrik Biering	Peer Craft
 * Greg Turner	Sierra Systems
 * John Engler	Webroot
 * James Reffell	Webroot
 * Mike Min	Booz
 * Adam Dawes	Google
 * Charles Andacs	PBB
 * Phil Hunt	Oracle
 * Nishant Kaushik	Oracle
 * Mike Ozburn	Booz Allen
 * Tom Leon	AOL

Discussion notes:

Verified Identity Claims – UX (User Experience) challenges

 * Policy could be driven by the RP, the user/user's agent, or the Claims provider.
 * UX gets even more complicated when we add N claim sources (orchestration scenarios).
 * How to mitigate UX complexity: add an "always consent" option on the agent.
 * Friction when things went well: the user has to take many actions (and stop reading).
 * Friction when something goes wrong (error handling).

James Reffell (Webroot):

I have to go get data from 3 different, independent sources: present the UX as a ToDo list while keeping the RP's context in the background. The UX could look like a ToDo list, showing the steps that the user has to complete before continuing:
 * Go get Claim 1 [go]
 * Go get Claim 2 [go]
 * Go get Claim 3 [go]

The user can do them in a different order. Say he goes to do #1. Now the UX refreshes to:
 * Claim 1 [✓]
 * Go get Claim 2 [go]
 * Go get Claim 3 [go]

-Or-

The RP will offer a list of potential claim providers:
 * Claim 1 [!] didn't work / here's why... Go again
 * Go get Claim 2 [go]
 * Go get Claim 3 [go]

We'll need some sort of an auditable standard so that the RP can say "I'll accept claims from any source that's auditable at level X".

Authenticate to the Claim Provider:

Installing an App on all of my devices: painful. What about users without a smartphone?
 * U/P
 * KBA
 * Using the phone as a second factor -- see Google's Strong Auth initiative with iPhones
 * Anakam (recently purchased by Equifax) -- phone approach rather than Equifax's traditional KBA
 * Using a device-based Agent to participate in the authentication ceremony to the Claims provider, and simplify this for future use.
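The two ideas above (the ToDo-list orchestration across N claim sources, with a per-claim success/failure state, and an RP policy that only accepts claims from providers auditable at level X) can be sketched as a small state model. The following is an added illustration written for these notes, not code from any participant or product; the claim names, provider names and audit levels are constructed, and the "always consent" switch is modelled as a simple agent preference.

```python
"""Toy model of a claims-orchestration agent: N required claims, an RP audit-level
policy, an agent-side "always consent" preference, and a ToDo-list rendering with
done / pending / failed-with-reason states. Constructed example, not a real product."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Status(Enum):
    PENDING = "pending"
    VERIFIED = "verified"
    FAILED = "failed"


@dataclass
class ClaimProvider:
    name: str
    audit_level: int  # assumed: higher means more rigorously audited


@dataclass
class RelyingPartyPolicy:
    required_claims: List[str]
    min_audit_level: int  # "accept claims from any source auditable at level X"


@dataclass
class AgentPreferences:
    always_consent: bool = False  # the "always consent" option on the agent
    consented: Set[str] = field(default_factory=set)  # per-claim consents already given


@dataclass
class ClaimItem:
    name: str
    status: Status = Status.PENDING
    provider: Optional[str] = None
    error: Optional[str] = None


class Orchestration:
    """Tracks the user's progress through the RP's claim requirements."""

    def __init__(self, policy: RelyingPartyPolicy, prefs: AgentPreferences):
        self.policy = policy
        self.prefs = prefs
        self.items = [ClaimItem(c) for c in policy.required_claims]

    def _item(self, claim_name: str) -> ClaimItem:
        return next(i for i in self.items if i.name == claim_name)

    def provider_acceptable(self, provider: ClaimProvider) -> bool:
        # The RP policy check: only sources audited at least at the required level.
        return provider.audit_level >= self.policy.min_audit_level

    def submit(self, claim_name: str, provider: ClaimProvider, verified: bool,
               reason: Optional[str] = None) -> ClaimItem:
        """Record the outcome of fetching one claim; any order of claims is allowed."""
        item = self._item(claim_name)
        if not self.provider_acceptable(provider):
            item.status, item.error = Status.FAILED, (
                f"{provider.name} is audited at level {provider.audit_level}, "
                f"RP requires level {self.policy.min_audit_level}")
        elif not (self.prefs.always_consent or claim_name in self.prefs.consented):
            item.status, item.error = Status.FAILED, "user has not consented to release this claim"
        elif verified:
            item.status, item.provider, item.error = Status.VERIFIED, provider.name, None
        else:
            item.status, item.error = Status.FAILED, reason or "provider could not verify the claim"
        return item

    def render(self) -> List[str]:
        """The ToDo list the user sees, with the RP's context kept in the background."""
        lines = []
        for n, item in enumerate(self.items, start=1):
            if item.status is Status.PENDING:
                lines.append(f"Go get Claim {n} ({item.name}) [go]")
            elif item.status is Status.VERIFIED:
                lines.append(f"Claim {n} ({item.name}) [done] via {item.provider}")
            else:
                lines.append(f"Claim {n} ({item.name}) [!] {item.error} -- Go again")
        return lines

    def complete(self) -> bool:
        return all(i.status is Status.VERIFIED for i in self.items)


if __name__ == "__main__":
    policy = RelyingPartyPolicy(["age-over-18", "postal-address", "email"], min_audit_level=2)
    o = Orchestration(policy, AgentPreferences(always_consent=True))
    o.submit("age-over-18", ClaimProvider("dmv", audit_level=3), verified=True)
    o.submit("postal-address", ClaimProvider("forum-profile", audit_level=1), verified=True)
    print("\n".join(o.render()))
```

The failure branch carries the reason text the user is shown ("here's why... Go again"), and the audit-level check runs before any claim is accepted, so a weakly audited source is rejected regardless of what it asserts.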