I had a really interesting conversation with a client last Friday. I’ve helped them to build a public-facing identity management system for access to a range of web applications. It has been running for over two years and has (literally) hundreds of thousands of users.
The chat went something like this…
CIO: As you know, our users are a bit of a younger demographic, and we’ve been noticing lately that they are having trouble remembering their usernames and passwords.
Me: Well, we’d expect them to use the “forgot user ID” or “forgot password” links on our login page…
CIO: But they don’t. Or if they do use those links it is confusing to them. We are seeing a spike in help desk calls.
Me (mystified a bit): Ummm… why is that? We use a pretty standard web page with links for these functions.
CIO: Yes we do. However, an increasingly large segment of our user base has grown up with smartphones, not browsers. They are used to apps and auto-remembered credentials.
Me (feeling elderly): Oh.
CIO: So what we need is a way to log in to both web apps and device apps using just the mobile phone.
Okay, so it took a few minutes for this to sink in, but I get this. Younger users use mobile phones and apps predominantly, and the web browser experience is not the same for them as it is for us oldsters.
My own teenage kids are proof of this — texting is definitely preferred over email, and I think I saw my 15-year-old daughter tear up last year when I upgraded her iPhone to a full data plan…
Teens, it seems, are most comfortable with a device. And that device presents information and services differently than a web page does. So differently in fact that it poses problems for authentication. This is really interesting…
There are two use cases to explore here.
- The first is the identity-aware app. The app needs to authenticate the user in a way that is consistent with best practices for protecting sensitive information. It can’t just provide access without authentication, because that would be against policy and create an unacceptable risk of breach. But it does need to be seamless and easy — because that is the way of the app, right?
- The second case is web login without a username and password… Interestingly, a user ID / password combination is only a single factor (something you know). Replacing this standard approach with something you have, i.e. a mobile device, shouldn’t be that hard. For example, a user who has pre-registered their phone with us could get a one-time code sent via SMS to the phone. They could then enter the code in order to authenticate. No more forgotten passwords, no need to remember what username I picked.
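The second use case, as an added example that is not part of the original post or the client’s system: the registered phone number identifies the user, a one-time code is sent to it, and the server only accepts that code once, within its lifetime, and for a capped number of guesses. The SMS gateway (`send_sms`) and the injectable clock are assumptions so the flow can run offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3         # wrong guesses before the challenge is discarded


@dataclass
class Challenge:
    code_hash: bytes     # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0


class PhoneLogin:
    """Phone-number login: the number identifies the user, the code proves possession."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical gateway: callable(phone, message)
        self._now = now             # injectable clock so expiry can be tested
        self._users = {}            # registered phone number -> user id
        self._challenges = {}       # phone number -> outstanding Challenge

    def register_phone(self, user_id, phone):
        self._users[phone] = user_id

    def start_login(self, phone):
        """Send a fresh code to a registered phone; False if the number is unknown."""
        if phone not in self._users:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six random digits, CSPRNG
        self._challenges[phone] = Challenge(
            hashlib.sha256(code.encode()).digest(), self._now() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your login code is {code}")
        return True

    def verify(self, phone, submitted):
        """Return the user id on success, None otherwise; each code is single-use."""
        ch = self._challenges.get(phone)
        if ch is None:
            return None
        if self._now() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[phone]     # expired or too many guesses: start over
            return None
        ch.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), ch.code_hash)
        if ok:
            del self._challenges[phone]     # consumed, cannot be replayed
        return self._users[phone] if ok else None
```

The code is still a single factor (possession of the phone), so this replaces the password rather than adding a second factor; the expiry, attempt cap and single-use rule are what keep a six-digit code from being guessable.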
Can these use cases be met within the policies and best practices established by enterprises? Or do we need to reconsider our approaches in light of a changing demographic?