Identity & Access Management

The Rhythms of Recognition

A Journey from Ambiguity to Clarity

Vivekvinushanth Christopher
Authenticate


Image.1. A Journey from Ambiguity to Clarity (Generated by DALLE)

There’s something magical about train travel — the rhythmic sound of the train tracks, the gentle “tut tut tut tut….. tut tut tut tut….” that sings a song for you, allowing your mind to drift. The landscape transitions seamlessly from cityscapes to coastal views, to farmlands and pedestrians waiting at crossings. It’s a privilege to witness this, feeling guarded and special, if only for a moment.

Being enveloped in this serenity is a rare privilege. I was basking in this silence until a stranger, with a familiar smile, approached me. Despite my reasonably good memory for faces, I couldn’t place him. It was perplexing. I desperately wanted to recognize him before he said anything.

“Hi.”

“Hi! How are you doing?”

“The hell! You’re more formal now. Haha. How are you, buddy? It’s been a while.”

I smiled at his comment about formality. If I had recognized him, my excitement would have been genuine. But alas, my mind was racing, trying to place him. A name vaguely flitted through my mind, but I couldn’t be sure. I decided to let him reveal more about himself.

“Are you okay? You seem quite silent. Quite strange, buddy. What do you do now? Married? How many children? Where do you work? Or do you work at all?” His questions seemed endless, louder and longer than the train’s honk.

Gathering my courage, I decided to address the ambiguity.

“I should know you, buddy, but I’m drawing a blank. Can you help me out?”

“Really, buddy? You don’t remember me? That’s sad; we were so close. But yeah, it’s been a while. I’m Benjo.”

“Good to know your name, Benjo.” The reality was that I knew four people named Benjo. This was an ambiguous situation. I needed more information to correctly identify him.

“Since I know a couple of people with the same name, can you tell me more about yourself?”

“The hell, bro. It’s frustrating, but I’ll help. I’m from Colombo.”

That narrowed it down to three Benjos.

“I still need more details. Maybe your area?”

“From Mount Lavinia in Colombo. Does that help?”

Still ambiguous — two Benjos left.

“Maybe your university? That might help.”

“Ah, that could work. I’m from the University of Moratuwa. Figured me out yet?”

Finally, the pieces clicked. The Benjo without the belly and beard, always surrounded by friends, a superstar in sports. He had changed a bit, but it was him.

“Ah, Benjo! It’s you, the sports star. Good to see you!”

The train experience grew richer now that Benjo was uniquely identified, and our conversation flowed easily from there.

User account disambiguation

Much like the train encounter above, our digital experiences often involve accessing a service with any of several identifiers, such as a username, an email address, or a mobile number. When more than one account can answer to the identifier presented, the Identity Provider cannot tell which user it is dealing with.

Digital identity refers to the persona adopted or claimed in digital spaces by an individual, organization, or electronic device. This identity can range from a simple email address or username to a comprehensive profile that includes personal information (such as name, date of birth, gender, location), contact details (like email addresses, usernames, social media handles), preferences, and interactions across various platforms.

Say, for example, that two users registered in our Identity Provider share the same email address. The accounts are separate, and if at login time each user provides their username as the login identifier, the Identity Provider can uniquely identify the user and proceed to authenticate.

A login identifier is a piece of information a user provides to claim an account on a secure system; it only does its job if it maps to exactly one account.

Fig.1. Unambiguous user login

But what if the login identifier is customer@business.com, an email address both accounts share? Will the IDP be able to decide whether it is Ben or Sam who is trying to log in?

Fig.2. Ambiguity in user login

The root cause is that during user profile creation and updates the IDP has not preserved uniqueness within and across the attributes that are treated as login identifiers. Once two accounts can answer to the same value, every flow that starts from that value (login, recovery, OTP) inherits the ambiguity.

User creation:
Consider three users, Sam, Mike and Ben, who self-sign up to the Identity Provider. The admin has not enforced uniqueness for the email address (one of the login identifiers), so Sam and Mike both register with the same email (bizdev@eg.com) but with unique, email-formatted usernames (sam@eg.com and mike@eg.com).

Login:
The admin configures the IDP to accept the username (email formatted), the email address and the mobile number as login identifiers. When Sam or Mike logs in with their unique username, there is no problem. If either logs in with the shared email (bizdev@eg.com), the IDP finds two matching accounts. Authenticating against whichever record matches first is poor user experience and a security concern: which account answers depends on storage order, the other user is silently locked out of that identifier, and an IDP that instead tries the supplied password against every matching record turns the password into the identifier and gives a guessing attacker two targets per attempt. A well-behaved IDP refuses to log anyone in while the match is ambiguous.

Password recovery:
Sam initiates a password reset with his email (bizdev@eg.com). The IDP finds multiple users with that email, returns a 202 (Accepted) response, and cannot proceed because of the ambiguity; the reset never reaches Sam.

Profile update:
Sam updates his email to ben@eg.com, which is Ben's username. Because the IDP does not check uniqueness across attributes, the change is accepted and creates a further ambiguity between Sam and Ben whenever ben@eg.com is used to log in.

OTP flows:
Email and SMS OTP flows inherit the same problem: if a unique user cannot be found for the address or number entered, the IDP does not know whom to send the code to, or whose account the code should unlock.

It is crucial not to let any user proceed with login or recovery until they have been uniquely identified. Letting only one of several ambiguous users log in and consume services would be unfair to the others. For instance, if Benjo had only mentioned his name, it would not have been appropriate to assume he was one particular Benjo from one particular place and start discussing that person's life with him.

From a business perspective, blocking authentication for all ambiguous users is also counterproductive. We need a method to uniquely identify each user so that they can log in and use the product.

The IDP should be intelligent enough to step up in ambiguous situations, resolve the unique user, and let that user proceed to log in. This approach promotes fairness and a seamless user experience, and ultimately enhances customer satisfaction and loyalty.

1. Prevention of ambiguity:
User creation and profile modification:
- Ensure attribute uniqueness across all login identifiers (username, email, mobile number) during user creation and profile updates: a value may not be reused as the same attribute on another account, nor as a different login-identifier attribute on another account (Sam's email may not equal Ben's username).
- Implement validations that enforce this uniqueness, rejecting the creation or modification of any user profile that would lead to ambiguity.

2. Mitigation

Login:
Implement a step-up process for ambiguity. If the initial login identifier (email or username) matches more than one account, prompt the user for an additional attribute that is kept unique: the next configured login identifier, or another unique attribute such as the mobile number or national ID. If ambiguity still remains, break the login flow, tell the user that the account could not be uniquely identified, and notify the admin so that the duplicate records can be resolved.

Password recovery:
- Enhance password recovery to handle multi-attribute scenarios in the same way: when the identifier supplied for recovery is ambiguous, prompt for additional attributes that are preserved with uniqueness (e.g., mobile number or national ID) to identify the account accurately before any reset link or code is sent.
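The following Python is an added example, not code from the post or from any identity product; it models a small IDP user store that applies both halves of the advice above, and reproduces the Sam, Mike and Ben scenario from the earlier sections. Uniqueness is validated at create and update time within and across the login-identifier attributes, and an ambiguous identifier at login or recovery is resolved by a step-up attribute rather than by taking the first match. Sam, Mike, Ben and bizdev@eg.com follow the post; the class and function names, the mobile numbers, national IDs and passwords are constructed for this example.

```python
"""Toy IDP user store, added as an example (not code from the post or any product):
login identifiers are validated for uniqueness at create/update time, and an
ambiguous identifier at login or recovery triggers a step-up instead of a
first-match guess. Sam, Mike, Ben and bizdev@eg.com follow the post; the mobile
numbers, national IDs and passwords are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LOGIN_IDENTIFIERS = ("username", "email", "mobile")  # accepted at the login prompt
UNIQUE_ATTRIBUTES = LOGIN_IDENTIFIERS + ("national_id",)  # kept unique, usable for step-up


@dataclass
class User:
    username: str
    email: str
    mobile: str
    national_id: str
    password: str  # plaintext only for illustration; a real IDP stores a salted hash

    def identifier_values(self) -> set[str]:
        return {getattr(self, attr) for attr in LOGIN_IDENTIFIERS}


class AmbiguousUser(Exception):
    """The supplied identifier still maps to more than one account."""


class IdentityStore:
    def __init__(self, enforce_uniqueness: bool = True) -> None:
        self.enforce_uniqueness = enforce_uniqueness  # False reproduces the post's lax admin
        self.users: dict[str, User] = {}  # keyed by username
        self.admin_alerts: list[str] = []  # duplicate records an admin must resolve

    # --- prevention: validate at create and update time -------------------------
    def _check_unique(self, attr: str, value: str, exclude: Optional[str] = None) -> None:
        if not self.enforce_uniqueness or attr not in UNIQUE_ATTRIBUTES:
            return
        # A login identifier clashes with ANY login identifier of another account
        # (Sam's email may not equal Ben's username); national_id only with national_id.
        owners = [u.username for u in self.users.values() if u.username != exclude and
                  value in (u.identifier_values() if attr in LOGIN_IDENTIFIERS else {u.national_id})]
        if owners:
            raise ValueError(f"{attr}={value!r} already identifies {owners}")

    def create(self, user: User) -> None:
        for attr in UNIQUE_ATTRIBUTES:
            self._check_unique(attr, getattr(user, attr))
        self.users[user.username] = user

    def update(self, username: str, **changes: str) -> None:
        # Only non-key attributes are changed here; the username stays the record key.
        for attr, value in changes.items():
            self._check_unique(attr, value, exclude=username)
        for attr, value in changes.items():
            setattr(self.users[username], attr, value)

    # --- mitigation: one resolver shared by login and recovery ------------------
    def resolve(self, identifier: str, step_up: Optional[dict[str, str]] = None) -> User:
        """Return exactly one account or raise; never fall back to the first match."""
        matches = [u for u in self.users.values() if identifier in u.identifier_values()]
        for attr, value in (step_up or {}).items():  # narrow with the step-up answers
            if attr in UNIQUE_ATTRIBUTES:
                matches = [u for u in matches if getattr(u, attr) == value]
        if len(matches) == 1:
            return matches[0]
        if not matches:
            raise KeyError(identifier)
        names = sorted(u.username for u in matches)
        self.admin_alerts.append(f"{identifier!r} resolves to {names}")
        raise AmbiguousUser(names)

    def login(self, identifier: str, password: str,
              step_up: Optional[dict[str, str]] = None) -> str:
        user = self.resolve(identifier, step_up)  # AmbiguousUser -> prompt for step-up, retry
        if user.password != password:
            raise PermissionError("bad credentials")
        return user.username

    def start_recovery(self, identifier: str,
                       step_up: Optional[dict[str, str]] = None) -> tuple[int, Optional[str]]:
        """Always 202, so the status reveals nothing about how many accounts matched;
        the second element is the account a reset link would go to, or None."""
        try:
            return 202, self.resolve(identifier, step_up).username
        except (KeyError, AmbiguousUser):
            return 202, None


def build_post_scenario() -> IdentityStore:
    """The post's store: uniqueness not enforced, so Sam and Mike share bizdev@eg.com."""
    store = IdentityStore(enforce_uniqueness=False)
    store.create(User("ben@eg.com", "ben@eg.com", "+94770000003", "NID-3", "pw-ben"))
    store.create(User("sam@eg.com", "bizdev@eg.com", "+94770000001", "NID-1", "pw-sam"))
    store.create(User("mike@eg.com", "bizdev@eg.com", "+94770000002", "NID-2", "pw-mike"))
    return store
```

With `store = build_post_scenario()`, `store.login("sam@eg.com", "pw-sam")` succeeds, `store.login("bizdev@eg.com", "pw-sam")` raises `AmbiguousUser(["mike@eg.com", "sam@eg.com"])` and records an admin alert, and the same call with `step_up={"mobile": "+94770000001"}` resolves to Sam; `store.start_recovery("bizdev@eg.com")` answers `(202, None)` and sends nothing, matching the 202 the post reports. A store built with `IdentityStore()` (uniqueness on) refuses `update("sam@eg.com", email="ben@eg.com")` because ben@eg.com is already Ben's username. One caveat for a production flow: a step-up prompt that appears only when an identifier is ambiguous tells the caller that the identifier maps to more than one account, which is one more reason to prevent duplicates at write time rather than rely on step-up alone.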

Addressing account ambiguity in multi-attribute login systems is crucial for both user experience and security. By enforcing attribute uniqueness at creation and update time, and by stepping up to a unique attribute whenever a login or recovery identifier is ambiguous, an IDP can avoid the problems of ambiguous user identities while still letting every legitimate user in.
