Why do system designers insist on bugging us to logon every time we want to do anything?
In this blog, I’d like to pivot on the IDAM/ICAM industry’s core premise that establishing the identity of the person or non-person entity, and authenticating it, are the objectives of most online systems. This is, perhaps, a technology- and product-centric way of thinking.
I propose to you that we reset our perceptions of that ‘who are you’ event: it’s all about Identification; authentication is one means to that outcome.
Identification: determination that the User or Subject of the online interaction is the singular entity within the in-scope population. Call it needle and haystack if you like.
Most of us experience authentication events in the form of logons. They are disruptive, and probably unnecessary in most cases. Take a look at the work of AccountChooser.com for more background on this and, if you can, attend Pam Dingle’s presentations about it.
Wouldn’t it be great if architects and designers attempted to identify the user without the traditional logon flows? Given that device possession these days gets us pretty close to individual identification, and given the opportunity to step up with authentication for transactions with higher impact, do you, the reader, have reasons to insist on user action on return visits?
When I get the expected incredulous looks, I simply ask people the last time they actually had to ‘logon’ to a Google account. Usually, the answer is ‘when I replaced my phone/iPad/computer’.
So what does Google know about you and your devices that is apparently enough to pass the first gate?
Please note that this blog is not about authentication federation vs ‘in-house’ authentication. It’s about stating the true requirement for the user interaction: the requirement to Identify in order to act on policies for entitlement, authorization and access controls.
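To make the design shift above concrete, here is an added example (not code from the original post): a small device registry that identifies a returning user by possession of a previously enrolled device and falls back to a logon only when that binding is missing, wrong or expired, while a higher-impact transaction triggers a step-up that must be freshly verified. The class and method names, the 90-day device lifetime and the 5-minute step-up window are assumptions chosen for illustration; the step-up challenge itself (an OTP, a passkey, whatever the deployment uses) is checked elsewhere and only its result is recorded here.

```python
"""Device-bound identification with risk-based step-up (added example; the
DeviceRegistry API and the policy values below are illustrative assumptions)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    user_id: str
    secret_hash: str        # only a hash of the device secret is kept server-side
    issued_at: float
    last_seen: float
    step_up_at: float = 0.0  # time of the last successful step-up on this device


class DeviceRegistry:
    """Identify returning users by device possession; step up for high impact."""

    LOW, HIGH = "low", "high"  # transaction impact levels used by the policy

    def __init__(self, device_lifetime=90 * 86400, step_up_window=300, clock=time.time):
        self.device_lifetime = device_lifetime  # seconds a device binding stays valid
        self.step_up_window = step_up_window    # seconds a step-up remains fresh
        self.clock = clock                      # injectable for deterministic tests
        self._devices = {}                      # device_id -> DeviceRecord

    @staticmethod
    def _hash(secret: str) -> str:
        # The secret is a 256-bit random token, not a user-chosen password,
        # so an unsalted SHA-256 of it is adequate for at-rest storage.
        return hashlib.sha256(secret.encode()).hexdigest()

    def enroll(self, user_id: str):
        """Run once after a full logon; returns (device_id, secret) for the client to keep."""
        device_id = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)
        now = self.clock()
        self._devices[device_id] = DeviceRecord(user_id, self._hash(secret), now, now)
        return device_id, secret

    def revoke(self, device_id: str) -> None:
        """Lost or replaced device: possession no longer identifies the user."""
        self._devices.pop(device_id, None)

    def identify(self, device_id: str, secret: str):
        """Return the user bound to this device, or None if it cannot identify anyone."""
        rec = self._devices.get(device_id)
        if rec is None:
            return None
        if not hmac.compare_digest(rec.secret_hash, self._hash(secret)):
            return None  # wrong secret; the caller learns only that identification failed
        now = self.clock()
        if now - rec.issued_at > self.device_lifetime:
            self._devices.pop(device_id)  # expired enrolment: force a fresh logon
            return None
        rec.last_seen = now
        return rec.user_id

    def decide(self, device_id: str, secret: str, impact: str) -> str:
        """Policy outcome for one request: 'allow', 'step_up' or 'logon'."""
        if self.identify(device_id, secret) is None:
            return "logon"  # no usable device binding: traditional logon flow
        if impact == self.HIGH:
            rec = self._devices[device_id]
            if self.clock() - rec.step_up_at > self.step_up_window:
                return "step_up"  # identified, but the impact warrants fresh authentication
        return "allow"

    def record_step_up(self, device_id: str, verified: bool) -> bool:
        """Record the result of a step-up challenge that was checked elsewhere."""
        rec = self._devices.get(device_id)
        if rec is None or not verified:
            return False
        rec.step_up_at = self.clock()
        return True


def demo(clock=time.time):
    """Return visit, high-impact transaction, bad secret, then device replacement."""
    reg = DeviceRegistry(clock=clock)
    dev, secret = reg.enroll("alice")               # constructed sample user
    out = [reg.decide(dev, secret, reg.LOW)]        # return visit, low impact
    out.append(reg.decide(dev, secret, reg.HIGH))   # high impact -> step_up
    reg.record_step_up(dev, verified=True)
    out.append(reg.decide(dev, secret, reg.HIGH))   # step-up still fresh -> allow
    out.append(reg.decide(dev, "wrong", reg.LOW))   # bad secret -> logon
    reg.revoke(dev)
    out.append(reg.decide(dev, secret, reg.LOW))    # replaced device -> logon
    return out


if __name__ == "__main__":
    print(demo())  # ['allow', 'step_up', 'allow', 'logon', 'logon']
```

The point the code makes is the one the post argues: identification happens silently on every return visit, and the user is interrupted only when a high-impact action is attempted or when the device binding no longer holds (wrong secret, expiry, or revocation after a device is replaced, which is exactly the case where people report having to log on again).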
Maybe if design thinking could be shifted, we’d see some cool innovations that don’t involve yet another credential issuance.
What do you think?
P.S. Please don’t use the ‘finding the browser cookie is an authentication activity’ argument; I choose to split the discussion based on user interaction, for better or worse.