It’s a well-established fact that experiences color our reactions. A good experience can turn a chore into something delightful. A bad experience can make even a favorite activity downright unpleasant. Good experiences tend to make us want to come back for more – you can thank dopamine for that! – so given that the identity experience is often the first thing that we encounter when we try and interact with an online service, it behooves any business, whether consumer or business facing, to make this experience as good, as unobtrusive and as delightful as it can be.
All too often, that isn’t the case.
I suspect that, as digital identity professionals, we tend to notice failures more readily that others, but take a moment and consider how frequently in the last month you have registered for a new online service, or needed to confirm your identity for a high-assurance use-case, or – my personal favorite – changed your password. I wonder how many of those interactions were at the very least ‘not too bad’? How many were ‘pretty good, considering’? How many were ‘surprisingly good’?
I’m prepared to bet that the majority were ‘not too bad’, with maybe one ‘Wow! I wish everyone did it like this’, seasoned with a reasonable scattering of ‘!@*$#(@ that was dreadful!’ (after an hour of back and forth trying to get the thing to work).
Businesses can and should do better.
We have the standards, processes, procedures and products to make these interactions both secure and convenient. By secure, I don’t mean: hey, we made it really hard for you to generate a new password that conforms to our arbitrary ‘rules for good passwords’. And by convenient I don’t mean ‘forgot your password? No problem, we’ll send an email (to your address, which is your username) with your new password in the clear.’ The first of those is so depressingly frequent that I can guarantee everyone reading this will have had that experience in the last 30 days. The second is sadly still more common that you might imagine.
No: by secure and convenient, I mean identity processes that are designed to help us, as human beings, get on and do the things we need to do, in the certain knowledge that our information and our privacy is being protected.
So, if we have all we need at our disposal to make this happen, why then are there still so many poor experiences? As ever, it’s a combination of things. Business owners don’t realise that this is a problem. We don’t instrument it (and in some cases it’s truly very hard to instrument), nor we do focus groups, so we can’t demonstrate the effect on the business. Security teams don’t know any better. We’ve trained consumers to understand the wrong things as ‘secure’. And users don’t complain, either because they don’t think they can or because they can’t imagine a better alternative.
Identity pros know better. We know how to build these systems better. We know we can make a positive difference to the businesses we work for and keep those businesses and our customers safe. We know that these are not competing requirements; they are complementary.
I’ll end, then, with two requests. First: if you recognise that these are problems in your own organisation, start the conversations to help make a change – and remember that those conversations likely need to start as business rather than technical discussions. Second: share with your fellow professionals what works and what doesn’t; and ask for help where you need it.
In identity, as in everything else, the experience matters. It’s time to make it better.
Andrew Hindle
Independent Consultant
Board MemberIDPro
