George Fletcher has questions about online customer service, and he wants industry best practices as answers.
Fletcher, chief architect for consumer identity services at AOL, wants to know how to convince web site owners, the so-called relying parties, that identity federation won’t do more harm than good to customers paying for valued services.
He wants to dispel the myth that site owners need to create and maintain a user’s password in order to provide good customer service.
Fletcher will serve his food for thought at the Cloud Identity Summit during his presentation, Transition From 'Owning' to 'Knowing' the Customer.
“It is easy to show the value of a customer is not in their password,” says Fletcher. “The value is in transactions, interactions with the Web site, and in the data customers provide. That’s how you build a relationship.”
But Fletcher believes that beyond the simplest log-ins, beyond level of assurance 1, there are federation use cases that cause customer-service problems for online retailers, especially those with premium accounts.
What if the user’s identity provider is offline, or the user canceled the service that was providing their identity, or the identity service was hacked and passwords were locked?
“So how do those users get access to their services,” asks Fletcher. In a federated world, “if they call customer care how does a representative let them in? As an industry, we do not yet have best practices in these areas.”
There are other issues: some sites, such as banks, want users to re-authenticate before a transaction, and what does that mean in a federated identity model?
“There is some success in the enterprise and in academic environments, but what are the challenges before you can move federation into a more ‘retail-ish’ online environment?”
Fletcher says there are few sites that do pure identity federation, “and I don’t know any that do it in context of a full paid service.”
Some solutions can be derived from approaches using OAuth 2.0, such as providing temporary sessions, user-interaction profiling, or a mobile phone number/SMS code combination, says Fletcher. “But I don’t know if any of those rise to the level of industry best practices.”
He says one temporary solution may be to use a verifiable email address the service provider has on file to send a link that can be converted into an OAuth token with limited privileges.
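The fallback Fletcher describes, sketched as an added example that is not AOL's or Fletcher's code: the relying party emails a single-use, expiring link to the verified address it already holds for a federated user, and redeeming the link mints a short-lived token whose scopes are deliberately limited so the user can reach their paid content but cannot change the account. The key, user record, scope names, URL and lifetimes are all assumptions chosen for illustration.

```python
"""Break-glass login for a federated user whose identity provider is unavailable.

Added example, not code from AOL or George Fletcher. The RP's signing key,
the user record, the scope names, the URL and the lifetimes are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)      # assumed: RP's server-side HMAC key
LINK_TTL = 15 * 60                        # magic link lives 15 minutes (assumption)
TOKEN_TTL = 60 * 60                       # recovery token lives one hour (assumption)
RECOVERY_SCOPES = ("account:read", "subscription:read")   # no write/email-change scope

# Constructed sample of what the RP keeps on file for a federated user.
USERS = {
    "u-1001": {"email": "alice@example.com",
               "idp": "https://idp.example.net", "email_verified": True},
}

_issued_links = {}    # nonce -> user id; a link is removed when redeemed (single use)


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_recovery_link(user_id, now=None):
    """Return (link, email) for the RP to send, or None if no verified address exists."""
    now = now or int(time.time())
    user = USERS.get(user_id)
    if not user or not user["email_verified"]:
        return None
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"uid": user_id, "exp": now + LINK_TTL, "n": nonce}).encode()
    _issued_links[nonce] = user_id
    link = f"https://rp.example.com/recover?t={_b64(payload)}.{_sign(payload)}"
    return link, user["email"]


def mint_limited_token(user_id, now):
    """Mint a bearer token restricted to RECOVERY_SCOPES and marked as email-link auth."""
    body = json.dumps({"sub": user_id, "scope": " ".join(RECOVERY_SCOPES),
                       "exp": now + TOKEN_TTL, "amr": "email-link"}).encode()
    return f"{_b64(body)}.{_sign(body)}"


def redeem_recovery_link(link, now=None):
    """Check signature, expiry and single use, then mint the limited token; raise ValueError otherwise."""
    now = now or int(time.time())
    enc, sig = link.split("?t=", 1)[1].rsplit(".", 1)
    payload = _unb64(enc)
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if now > claims["exp"]:
        raise ValueError("link expired")
    if _issued_links.pop(claims["n"], None) != claims["uid"]:
        raise ValueError("link already used or unknown")
    return mint_limited_token(claims["uid"], now)


def authorize(token, scope, now=None):
    """Resource-server check: valid signature, unexpired, and the requested scope was granted."""
    now = now or int(time.time())
    try:
        enc, sig = token.rsplit(".", 1)
    except ValueError:
        return False
    body = _unb64(enc)
    if not hmac.compare_digest(sig, _sign(body)):
        return False
    claims = json.loads(body)
    return now <= claims["exp"] and scope in claims["scope"].split()


if __name__ == "__main__":
    link, email = issue_recovery_link("u-1001")
    print("mail to", email, ":", link)
    tok = redeem_recovery_link(link)
    print("account:read allowed:", authorize(tok, "account:read"))
    print("account:write allowed:", authorize(tok, "account:write"))
```

The point of the scope restriction is that the emailed link is only as strong as the mailbox it lands in, so the token it yields must not be able to change the e-mail address, password or federation binding; it lets the customer-care case ("let them in") be answered without turning the recovery path into a full account takeover route. The `amr` claim records how the session was obtained so the site can demand a stronger re-authentication before any transaction, the bank case raised above.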
“We need to provide best practices so that the relying parties in the federation can feel secure that their customer relations are not going to be negatively affected by identity federation,” says Fletcher.
He thinks things like trust frameworks will come into play. And certainly, there are liability and responsibility issues to work out.
“There are benefits relying parties can get in not maintaining passwords, but what are the things we need to finish that ecosystem?”
For now, the relying party is the one that has the most to lose.