DENVER — Identity is only useful when users buy-in.
As Nishant Kaushik, chief technology officer of Uniken, noted in his keynote at the Identiverse Conference Thursday, countless website registrations have been abandoned when they ask for needlessly personal information, like Social Security numbers. On a more macro-scale, Facebook and Twitter suffered massive backlash for using phone numbers given as multi-factor identification to serve ads and the IRS ditched a facial recognition requirement for online tax filing amid consumer outrage.
The quality of identity-based security currently depends on how much users trust enterprises with their data.
That trust, he said, can boil down to several design choices, many not being made by security teams themselves. Everything from user experience to back-end use of private data affects what security elements users will be willing to submit to.
Kaushik spoke to an audience of identity pros at the conference, currently ongoing in Denver. Identiverse is owned by the Cyber Risk Alliance, the parent company of SC Media.
Shoring-up user interactions is often framed in terms of "delighting" the customer, corporate-speak used across many industries. Kaushik said that the identity industry's focus on delighting customers might be misguided, despite several other speakers — including some of the preceding keynote addresses — using that verbiage.
"We hear about this a lot. I personally talked about it and have been guilty of promoting this idea that we need to delight the user. But this can actually backfire on us in the area of trust. Because what we should be focusing on is usability, and using recognized design patterns," he said.
Users, he said, want a seamless experience in providing identity. That can be more dependent on a system being intuitive than being innovative. Intuitive systems recognize people expect things to be in a certain place and get confused when it is not there.
"You make them feel wary of what is going on. They no longer feel safe and confident and in control of their own experience. And this is a very real problem that we've seen in logins," he said.
That does not mean that sticking to the most barebones of patterns is a perfect solution. Demonstrating deliberate design choices aesthetically conveys that you are putting in the effort elsewhere, he said.
Designing for trust is not just what users experience, it is when they experience it, he said. It can be better to wait until users have attatchments to accounts before requiring additional account recovery information, for example. Users want an identity experience proportional to their personal value of what they use.
On the backend, he said, creating trust entails a no-suprises approach to user data. In a world where Facebook and Twitter denigrated trust by abusing MFA information for advertisements, that can mean finding ways to assure users that your enterprise takes privacy seriously. Perhaps, Kaushik suggested, it is time to offer consumers legally binding contracts that limit misuse of data.
Inclusive design is similarly important. A coalition of companies recently announced their intent to bring passwordless access to mainstream users. That was great news for users who could meet the requirements for the new world. Kaushik noted that librarians were not as thrilled. The people who used public computers for internet access, they reasoned, did not have the mobile phones they would need to use their systems. Conversations among librarians skewed into distrust of the new system.
The solution would have been to include more stakeholders in design discussions, he said.
All the design solutions would ultimately create more trust.
"And trust is a fundamental human need. Like coffee," he said.