Access Control, UMA, and Everyday Experiences
In the first blog of this series, “Create Better User Experiences by Applying Confirmation and Authentication in the Right Places,” I talked about how organizations are de-emphasizing authentication in favor of confirmation to create a better, more natural user experience.
This time around, I’m turning my attention to access control and why it’s important for transactional applications to streamline this process in order to create the best possible user experience. Access control boils down to this: Is a particular individual authorized to access a resource, and can they delegate a proxy to access that resource?
Why users need and want to delegate access
Here’s a personal example where not providing a user with the ability to delegate a proxy can get things into an unpleasant tangle. Several years back, when my job required a lot of overseas travel, I hired a bookkeeping service to attend to my personal accounting and pay all my bills. Every month, my bookkeeper would log onto the website of a particular credit card I had and pay my bill. And, without fail, the credit card company would lock the credit card because it observed what looked like suspicious activity. My bookkeeper was logging into their site from her location in the U.S., and I happened to be using the credit card to pay for things in Germany. The credit company logically concluded the card had been stolen, so they blocked the account. Was it a sensible and secure measure? Yes. Did it interfere with the user experience and cause a lot of frustration? A resounding yes! And the result? I cancelled the credit card.
You can see why the concept of allowing users to assign one or more secondary authorized users makes a great deal of sense. When we consider financial services or healthcare, for example, it’s perfectly reasonable for an elderly parent to delegate their adult child to go to the pharmacy to pick up their prescriptions for them or manage their bank accounts.
In fact, the idea of giving access to people designated by the primary user is being used in many scenarios we’re already familiar with, such as family plans for mobile phones and bank accounts. These are all valid situations where we want delegation. And most of us are accustomed to sharing or delegating access to a group of people in Google Docs, for example.
Beyond delegating to people, we’re also increasingly delegating authority to things, like Amazon Echo and Google Home.
Let’s push that envelope even more by imagining a scenario where I own a self-driving car that becomes an Uber vehicle that picks up and drops off passengers while I’m at work. A number of interesting questions arise. When the automobile starts running low on gas, who will validate the credit card when the car needs a fill-up? Will the credit card company end up sending me a text message with an alert while I’m busy at the office? And what happens to the poor passenger, who is at the mercy of the credit card company approving the transaction for the driverless vehicle?
So we can see that today, and even more so in the future, multiple identities may need to be involved in a transaction.
Move over, MFA. Enter UMA.
As more organizations start to embrace the notion of delegation, there are some things they need to keep in mind. More often than not, the authorized users are geographically separated, they are likely to be using different types of devices, and one or more may or may not even be connected at any given time.
Many applications currently rely on traditional means of verifying identity, like multi-factor authentication (MFA). But if MFA is their answer to security, they are making the delegation process much harder.
This is where advanced technologies like user-managed access (UMA) can help customers and employees determine and control who can have access to their resources, for how long, and under what circumstances. And, of course, UMA can help optimize the user experience. It doesn’t have to be complicated. There are solutions available today that provide a convenient central console for organizing digital resources that reside in many locations (for example, where we save our credit card information on various sites), delegating access to others, and monitoring and revoking access.
UMA is a great way for organizations to give users what they want and need, hassle-free, while providing privacy controls that meet compliance requirements and build trust with customers.
Curious about UMA? Find out how ForgeRock does it.
*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Allan Foster. Read the original post at: https://www.forgerock.com/blog/access-control-uma-and-everyday-experiences
