To Switch or Not Switch… Enabling Smoother Transitions Between Work and Personal

Session Topic: To Switch Or Not To Switch

Tuesday 1A

Convener: Vicki Milton

Notes-taker(s): Ariel Gordon

Tags for the session - technology discussed/ideas considered: Switching context

Organizational identity vs. personal identity

BYOD

IT compliance

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Today’s world: rich diversity of devices and ownership models. Information Workers use a mix of organizationally-owned or a personally-owned device to perform their work duties.

Two primary jobs for IT: control access (compliance), and make users more productive.

Progressive organizations: users can use their personally owned device, with a personally-owned identity that IT doesn’t control. Still IT needs to allow these users access to organizational resources. This makes enforcing compliance harder. There are solutions to enforce policies on consumer-owned devices via EAS or MDM.

What’s the correct user experience? Should users be switching back and forth between personal and organizational context on the device, or is there a way for these identities to coexist in a way that doesn’t push the complexity to end users? Different companies take different approaches. Richard O’Brian: Biometric capture has come of age. Biometrics, such as voice control is a method by which we can achieve seamless authentication. Can it be used to switch context? E.g. user tells the device that it’s going to be doing personal stuff. Vicki: many IT are taking a conservative approach to biometrics, for example don’t want to store user’s bio template.

Vicki: interestingly, investments in strong authentication are starting to outpace the strong auth that exists in the enterprise. Personal identities like Google and Microsoft are using 2MF, while the huge majority of organizations are still using passwords.

Michael Gile: let’s not forget that it’s one individual with multiple profiles, represented by different identities associated to their own credentials.

Kirk Brown: in some cases it doesn’t matter whihch ID you use. Example: if you’re about to pay your bill at Verizon, it may not matter to them who you are when you make the payment (?).

Vicki: issue of Privacy exists independently of work context, especially in Europe. Very strong cultural influx (Privacy requirements/expectations are different in Europe vs. US). Additional challenge: explaining to users that they need to agree (opt-in) to corp rules to access org resources from a personal device (waiver).

Michael Gile: Samsung has an interesting approach with Knox: virtually two separate devices; complete isolation of apps/files. On traditional iOS or Android devices, remote wipe erases the whole device; not sure if the same applies to a Samsung Knox device.

Peter Cattaneo, Kirk Brown: happy to use separate applications for different personas (e.g. use Lync and IE with work identity, Skype and Chrome for personal stuff). The selection of an app makes a contextual statement about the identity I’m using. In summary: separate cluster of applications with well-known accounts (strong IdPs). Drive contextual cues as to who you are at that time.

Woman from Amazon: this doesn’t scale. Also, may want to use apps with multiple personas (dual-headed apps). Coupling is a challenge for Relying Parties too. RPs have different trust relationship with IdPs in response to legal imperatives.

Peter: social issue + technical issue: Are protocols smart enough to help with identity disambiguation?