I have a “smart” TV which apparently can act like a hub for other “smart” appliances (made by the same vendor). This is a feature I had no reason to use, until…
I got a washer and dryer from the same vendor which are also “smart.” And thus an opportunity to break stuff appeared. So, I downloaded the vendor’s mobile app and signed up with Sign In With Apple (SIWA) which creates an account without a password.
SIWA makes it easy for users to sign-in to your apps and websites using their Apple ID. It uses a WebAuthn-like process to create an unphishable credential – which is pretty darn nice and handy, BUT…
This kind of credential requires that I am on an Apple device to use it… and that brings me back to the “smart” TV. After having set up the washer and dryer in the mobile app I wanted to see them on the TV cuz why wouldn’t I?
The TV isn’t an Apple device and only offers a few social sign-on options along with a username/password option, none of which I have thanks to SIWA. So much for using the TV as a hub for devices that I associated with the mobile app account. And if someone else in the household wanted to use the “smart” features they would have to log into my account, which can only be accessed by my Face ID/Touch ID.
I kinda guessed this was going to happen and I chose this path to see if, in fact, things were going to break as expected…and they did. To be clear, this post isn’t to shame the vendor. In the olden days, I would have created a username/password credential, stored it in a password manager, and then used it on the TV… and even shared it within the household.
Whilst I strongly believe that customer identity and access management (CIAM) is about experience and bottom-line growth, it also has security implications. You can have a great experience and great security, but you have to plan carefully… and even if you do, the future is unknown. New popular authentication ceremonies will arise that your now legacy products should accommodate but will struggle to do so. This is all to say that B2C companies need identity professionals sitting shoulder to shoulder with user experience, product management, marketing, and security.
Lastly, if anyone has a good use case for password-less credentials used to get an alert that the dryer has finished, please let me know! 😉
Thanks to @samuelgoto for jogging the hazy memory loose that IF the TV implemented Sign in with Apple, then it would prompt me for my email address to sign in with but if I used the “Hide my email address” feature SIWA provides, then I am certainly out of luck.
Senior Vice President, Identity Product Management, Salesforce.com
Board Member Emeritus, IDPro.org
Ian Glazer is the Senior Vice President for Identity Product Management, at Salesforce. His responsibilities include leading the product management team, product strategy and identity standards work. Prior to that, he was a research vice president and agenda manager on the Identity and Privacy Strategies team at Gartner, where he oversaw the entire team’s research. He is the co-founder IDPro, the professional organization for digital identity management, and works to deliver more services and value to the IDPro membership, raise funds for the organization, and help identity management professionals learn from one another. During his career in the identity industry, he has co-authored a patent on federated user provisioning, co-authored and contributed to user provisioning specifications, is a noted blogger, speaker, and photographer of his socks.