Digital Identity: User Experience — Where The Rubber Meets The Road
I just completed the best year of my career at Trusted Key. When I took on the role of CEO back in 2018, I was no stranger to the identity management space. But what has become very clear is that Digital Identity is a brave new frontier. It holds a lot of promise for both enterprises and consumers. It can simplify online registration, empower consumers with control over their personal information and ease their privacy concerns, as well as eliminate the use of passwords altogether. For enterprises, digital identity can unlock new business opportunities, increase digital adoption, reduce fraud and more. And as we’ve seen, there are numerous challenges — such as security, new trust models, standards, even new business models — that must be solved before we can see success.
However, equally critical to the success of Digital Identity with consumers is user adoption. And this depends on usability. Sometimes this gets less attention than it deserves. Just because the “identity mavericks” (as I lovingly refer to all of us pioneering this effort) think this is the right way, does not mean that consumers will find this change easy. When designing solutions for enterprise users, such as employees or partners, we may be able to get away with some degree of complexity in the overall experience. But this is not going to be the case when the target audience is the mainstream public — or consumers — who expect a clean and simple digital experience in everything in their daily lives.
Here are the questions we need to answer as we design and build digital identity solutions:
- Is the model simple for consumers to understand and does it surface the important concepts in a way that is intuitive?
- Does the solution inspire trust amongst consumers and enterprises alike so they know they can use this as the keys to their kingdom without fear?
- Are consumers confident that they do in fact have control of their personal information?
- Does it make things easier for consumers and allow them to focus on their digital life — instead of the security tools?
Over the last year, our team has engaged almost 100 organizations — including very large ones in financial services and healthcare — and has learned that we need to look at a wide variety of aspects to really address these questions.
Consumers have relied on wallets to store their physical forms of identity information such as their driver’s license or health insurance ID cards, so the idea of a mobile “digital wallet” seems straightforward. However, they will not put their trust in a no-name, self-sovereign mobile digital identity app — no matter how cool the name is. If we expect this digital wallet to replace passwords and be essential to their digital life, it also needs to inspire confidence. Consumers already trust their healthcare company and their bank with their personal and financial information. They are much more likely to trust such a brand they already have a relationship with to also be their digital wallet provider.
Once consumers have a “digital wallet”, the next question is how to refer to this wallet in online or mobile interactions. While notions like DID make sense to technologists, most users are looking for something intuitive and easy to remember, like an email address or mobile number. When they go to a website to log in, or are on a call with customer service, they need something that they are already familiar with and that is quick to share or type — not a long hex string or a QR-code. This is not to say that DIDs and QR-codes don’t have a place. The point is that we need to think about the context and provide flexibility in the user experience.
If a user has multiple forms of identity information in their physical wallet, these identity documents are easy to distinguish. They know when to grab the driver’s license, or the student ID card, or the medical insurance card. Each card has the user’s name and may even have their birthdate, but the user knows which card to use for which situation. A student ID is good for a meal at a dining hall, but a driver’s license is required when buying alcohol at a bar because the driver’s license has a higher level of assurance or trust — and the user understands this. In the digital equivalent, we need the model for assurance to be equally simple and intuitive. The user should be able to associate the level of assurance or trust with a “star” — so a 4-star identity is more trusted than a 3-star identity. Any request for digital identity should clearly specify what is needed, and the wallet should automatically pick the right identity document which meets the need, with the user’s consent.
As identity experts, we think about man-in-the-middle and phishing attacks, as well as protecting the consumer from unintentionally sharing their information with the wrong company. But for the consumer, all this protection needs to run seamlessly in the background. For example, when a consumer is making a purchase online, they look for the green “padlock” icon on the browser to give them the confidence that they are connected to a verified and secure website. That’s all they need to proceed — that icon has their trust. Similarly, users of digital identities need some way to easily see that their information is being shared with a reputable site so they can feel comfortable completing the transaction. When they get a notification on their device to share their identity information or to log in, they need to see the same type of simple symbols — like a website logo that has been verified and a 6-digit code that represents a transaction that they just initiated — to inspire confidence and trust.
Finally, while we know people are increasingly comfortable using Authenticator apps, I find the mobile device experience cumbersome. For example, to use my mobile brokerage app I have to context switch twice, meaning I have to toggle between the brokerage app and the authenticator and back again while trying to remember and type in the 6-digit code in the allotted 30 seconds. Simply put, this doesn’t work. Trusted Key has made the authentication notification for the wallet app “actionable” — so the user can get all the information right from the notification and confirm with a single click and their biometrics such as Face ID. We eliminate the need for the user to type any codes by using a strong cryptographic challenge-response mechanism in the background — more secure AND more convenient. And we enable the wallet app to be as unobtrusive as possible by automatically returning the user to the original brokerage app once the authentication is complete.
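To make the background mechanism concrete, here is an added Node.js example (not Trusted Key's code or protocol) of a challenge-response login in which the user only compares a 6-digit code instead of typing one. The Ed25519 key pair, the origin names, the 30-second window and the way the display code is derived from the challenge are all assumptions made for illustration.

```javascript
// Added example with constructed names and values; not Trusted Key's protocol.
const crypto = require('crypto');

// Enrollment (assumed): the wallet keeps the private key, the site stores the public key.
const wallet = crypto.generateKeyPairSync('ed25519');

// Site side: a fresh random nonce per login attempt, bound to the site's own origin.
function newChallenge(origin) {
  return { origin, nonce: crypto.randomBytes(16).toString('hex'), issuedAt: Date.now() };
}

// Canonical bytes that are signed, verified and hashed into the display code.
function encode(ch) {
  return Buffer.from(JSON.stringify([ch.origin, ch.nonce, ch.issuedAt]));
}

// Six digits shown both on the site and in the wallet notification.
// The user compares them; nothing is typed.
function displayCode(ch) {
  const digest = crypto.createHash('sha256').update(encode(ch)).digest();
  return String(digest.readUInt32BE(0) % 1000000).padStart(6, '0');
}

// Wallet side: sign only for origins the wallet has verified (the "verified logo"),
// and only after the user has confirmed with a tap and a biometric (not modelled here).
function walletRespond(ch, verifiedOrigins, privateKey) {
  if (!verifiedOrigins.has(ch.origin)) return null;
  return crypto.sign(null, encode(ch), privateKey);
}

// Site side: accept a response once, for its own origin, inside the validity window.
function siteVerify(ch, sig, publicKey, expectedOrigin, usedNonces, maxAgeMs = 30000) {
  if (!sig || ch.origin !== expectedOrigin) return false;
  if (Date.now() - ch.issuedAt > maxAgeMs) return false; // stale challenge
  if (usedNonces.has(ch.nonce)) return false;            // replayed response
  if (!crypto.verify(null, encode(ch), publicKey, sig)) return false;
  usedNonces.add(ch.nonce);
  return true;
}
```

Because the signature covers the origin, nonce and timestamp together, a captured response cannot be reused for a later login or presented to a different site.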
We all want to see the death of passwords and the move to strong digital identity, but we need to recognize that security will only succeed by staying in the background. Simplifying the customer experience needs to come first. And then we will have something that is more secure and easier to use.