Identity Federation: Failed Consumer Experiences and What We Can Do About It

Session Topic: Identity Federation: Failed Consumer Experiences and What We Can Do About It

Tuesday 4G

Convener: George Fletcher

Notes-taker(s): George Fletcher

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

More and more sites are requiring additional forms of authentication in addition to a federated assertion. For example, a site will use Facebook Connect and then in addition ask the user for an email address and password. This creates a security vulnerability for the user and is a broken experience. Relying parties do this because there are a number of issues not currently solved by the existing identity federation flows.

RP Concerns

* Federated IdP auth is not strong enough
* Account recovery flows
* Merging duplicate accounts
* Forgot IdP problem
* Support delegation (password is a broken form)
* Authentication to mobile apps
* Liability and dependence on external party (no contracts)
* Legacy system already takes username and password (maybe requires it)
* Misunderstanding of the value of federation
* Lack of knowledge or understanding
* Return on investment of depending on federation (or lack thereof)
* Lack of a successful identity standard (or maybe too many viable standards)
* IdP policy mismatch with RP policies
* IdP data use policies

Consumer issues

* Lack of consumer demand (they are happy with passwords)
* Don't want to share data in addition to identity
* Don't understand the risk of reusing passwords