Customer Experience Considerations

This section is informative.

To align with the standard terminology of user-centered design, customer experience, and usability, the term “user” is used throughout this section to refer to the human party. In most cases, the user in question will be the subject in the role of applicant, claimant, or subscriber, as described elsewhere in these guidelines. Customer experience sits at the nexus of usability, accessibility, and optionality. Considering user needs allows organizations to provide responsive and secure identity solutions while minimizing unnecessary friction and frustration.

This section is intended to raise implementers’ awareness of customer experience considerations associated with identity proofing and enrollment.

Usability

[ISO/IEC9241-11] focuses on the users, goals, and context of use as the necessary elements for achieving effectiveness, efficiency, and satisfaction. A holistic approach that considers these key elements is necessary to achieve usability.

The overarching goal of usability for identity proofing and enrollment is to promote a smooth, positive enrollment process for users by minimizing user burden (e.g., time, frustration) and enrollment friction (e.g., the number of steps to complete, the amount of information to track). To achieve this goal, organizations must first familiarize themselves with their users.

The identity proofing and enrollment process establishes a user’s interactions with a given CSP and the online services that the user will access. As negative first impressions can influence user perception of subsequent interactions, organizations need to promote a positive user experience throughout the process.

An effective usability evaluation on the identity proofing and enrollment process involves representative users, realistic goals and tasks, and appropriate contexts of use. The identity proofing and enrollment process should be designed and implemented so that it is easy for users to do the right thing, hard for them to do the wrong thing, and easy for them to recover if the wrong thing happens. [ISO/IEC9241-11], [ISO16982], and [ISO25060] provide guidance on how to evaluate the overall usability of an identity service and additional considerations for improving usability.

From the user’s perspective, the three main steps of identity proofing and enrollment are 1) preparation, 2) identity proofing and enrollment, and 3) post-enrollment actions. These steps may occur in a single session, or there could be a significant amount of time between each one (e.g., days, weeks).

General and step-specific usability considerations are described from the users’ perspective in the subsections below.

Section 508 of the Rehabilitation Act of 1973 [Section508] was enacted to eliminate barriers in information technology and require federal agencies to make electronic and information technology accessible to people with disabilities. While these guidelines do not directly assert requirements from Section 508, identity service providers are expected to comply with Section 508 provisions. Beyond compliance with Section 508, federal agencies and their service providers are generally expected to design services and systems with the experiences of people with disabilities in mind to ensure that accessibility is prioritized throughout identity system life cycles.

General User Considerations During Identity Proofing and Enrollment

The following usability considerations are applicable across all steps of the enrollment process. Additional information about these principles can be found in Sec. 8.1.2, Sec. 8.1.3, and Sec. 8.1.4.

Preparation

Ensuring that users are as prepared as possible for the identity proofing and enrollment process is critical to the overall success and usability of identity proofing and enrollment.

Such preparation is only possible if users receive the necessary information (e.g., the required documentation) in a usable format and in a timely manner. This includes making users aware of exactly what identity evidence will be required. Users do not need to know anything about IALs or whether the identity evidence required is considered FAIR, STRONG, or SUPERIOR.

To ensure that users are equipped to make informed decisions about whether to proceed with the identity proofing and enrollment process and what will be needed for their session, provide users with:

Identity Proofing and Enrollment

The following usability considerations are specific to identity proofing and enrollment:

Post-Enrollment

Post-enrollment refers to the step immediately following enrollment but prior to the first use of an authenticator. As previously described, users will have already been informed at the end of their enrollment session regarding the expected delivery, pick-up, or registration mechanism by which they will receive or add their authenticator.

Usability considerations for post-enrollment include the following:

Customer Success Considerations

A primary aspect of customer experience is anticipating the needs of the user population and offering solutions that are suitable for that population. This becomes considerably more difficult within the context of identity proofing as the processes of identity resolution, validation, and verification each introduce their own user challenges. By analyzing the entire proofing process and assessing for common challenges, CSPs can deploy solutions that “meet the user where they are” and provide a more accessible and responsive set of solutions for their users. Consistent with the normative recommendations within this document, the following subsections discuss the value of deploying optionality and choice for users throughout the identity proofing process and the risks they can mitigate.

Support Multiple Types of Identity Proofing

Whether deployed by a single CSP, multiple CSPs, or through an arrangement with RP customer service representatives, the use of multiple identity proofing types as defined in Sec. 2.1.3 provides more opportunities for users to achieve positive proofing outcomes without sacrificing security or resorting to exception handling. When deployed with effective continuous improvement mechanisms, the use of multiple proofing types can support mitigation of the following common issues:

Sections 4.1, 4.2, and 4.3 describe the acceptable types of identity proofing available for each IAL.

Partner With Multiple Credible and Authoritative Sources

Credible and authoritative sources provide a means to confirm the accuracy of identity data that an applicant claims during the proofing process. This confirmation is an essential step in preventing synthetic identity attacks and in giving RPs accurate information on which to grant access and connect users to existing data and accounts. However, sources can also introduce inaccuracies, issues, and challenges, particularly when a single source is relied upon for a large volume of users. In such cases, issues with specific types of data can proliferate and persist across a larger user population. For example, the inability of a credible source to validate data from a single mobile network operator can impact entire regions or economic groups, even if data from other network operators is available and accurate.

Therefore, to support users more effectively, it is important for CSPs to integrate multiple data sources. Such integrations need to be based on the core attributes that the CSPs and RPs require, the types of evidence available to users, and information about the effectiveness and population coverage of specific vendors based on testing and continuous evaluation processes. Additionally, the use of multiple vendors can create failover or waterfall processes that increase the likelihood of successfully completing identity proofing and limit the need to expose users to exception handling processes. Leveraging multiple credible and authoritative sources minimizes risks to users who do not have a robust set of records or who have incomplete records with individual sources.

Section 2.4.2.3 and Sec. 2.4.2.4 address the requirements for data validation and credible and authoritative sources.

Offer Robust and Responsive Exception Handling Processes

Errors in the identity proofing process happen routinely and for a variety of reasons. Exception handling processes enable users to address issues associated with their identity proofing experience while still successfully establishing a subscriber account and accessing services. When deployed with effective continuous improvement mechanisms, exception handling processes can help mitigate the following common issues:

Section 3.14 provides specific requirements for exception handling processes. Since exception handling processes result in the acceptance of some risk, they can often be combined with other controls to limit RP exposure. These can include limiting authorizations, entitlements, and access or applying additional monitoring for subscriber accounts that are established under exception handling processes. For RPs to implement these controls, CSPs must provide RPs with an indicator that exception handling processes were used, either in the assertion, via an API, or using another real-time mechanism.
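The two mechanisms described above, a failover (waterfall) validation across several credible and authoritative sources and an RP control keyed on the CSP's exception-handling indicator, as one added illustration that is not part of these guidelines and not any CSP's code. The source records, the outcome labels, the claim name "exception_handling_used" and the entitlement names are constructed for the example.

```python
"""Added illustration (not NIST's own code): a CSP-side waterfall over several
credible/authoritative sources, and an RP-side policy that limits entitlements
and adds monitoring when the assertion says exception handling was used."""

# Constructed outcome labels a source can return for a set of claimed attributes.
MATCH, NO_RECORD, MISMATCH, UNAVAILABLE = "match", "no_record", "mismatch", "unavailable"


def waterfall_validate(sources, claimed):
    """Query sources in order and stop at the first definitive MATCH.
    NO_RECORD and UNAVAILABLE are coverage gaps at that source, so the next one
    is tried; a MISMATCH is recorded but not treated as final on its own, since
    a single source may hold inaccurate data. The per-source trail is what the
    continuous evaluation of each vendor's effectiveness and coverage needs."""
    trail = []
    for name, lookup in sources:
        outcome = lookup(claimed)
        trail.append((name, outcome))
        if outcome == MATCH:
            return {"validated": True, "source": name, "trail": trail}
    # No source confirmed the data: route the applicant to exception handling.
    return {"validated": False, "source": None, "trail": trail}


def build_assertion(subject, validation, exception_handling_used):
    """Claims the CSP sends the RP (constructed claim names). The indicator is
    always present, True or False, so a missing claim is never ambiguous."""
    return {"sub": subject,
            "validated_by": validation["source"],
            "exception_handling_used": exception_handling_used}


# Controls the RP applies to accounts established under exception handling.
FULL_ENTITLEMENTS = {"read", "update_profile", "submit_claim", "change_payment"}
LIMITED_ENTITLEMENTS = {"read", "update_profile"}


def rp_policy(assertion):
    """Return (entitlements, monitor) for an incoming assertion. A missing
    indicator falls to the safe case, limited entitlements plus monitoring."""
    if assertion.get("exception_handling_used", True):
        return LIMITED_ENTITLEMENTS, True
    return FULL_ENTITLEMENTS, False


def make_source(records, available=True):
    """Constructed stand-in for a credible source: records maps a name to the
    address that source holds for the person; available=False simulates an outage."""
    def lookup(claimed):
        if not available:
            return UNAVAILABLE
        held = records.get(claimed["name"])
        if held is None:
            return NO_RECORD
        return MATCH if held == claimed["address"] else MISMATCH
    return lookup
```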