Customer Experience Considerations

This section is informative.

To align with the standard terminology of user-centered design, customer experience, and usability, the term “user” is used throughout this section to refer to the human party. In most cases, the user in question will be the subject in the role of applicant, claimant, or subscriber, as described elsewhere in these guidelines. Customer experience sits at the nexus of usability, accessibility, and optionality. Considering user needs allows organizations to provide responsive and secure identity solutions while minimizing unnecessary friction and frustration.

This section is intended to raise implementers’ awareness of customer experience considerations associated with identity proofing and enrollment.

Usability

[ISO/IEC9241-11] focuses on the users, goals, and context of use as the necessary elements for achieving effectiveness, efficiency, and satisfaction. A holistic approach that considers these key elements is necessary to achieve usability.

The overarching goal of usability for identity proofing and enrollment is to promote a smooth, positive enrollment process for users by minimizing user burden (e.g., time, frustration) and enrollment friction (e.g., the number of steps to complete, the amount of information to track). To achieve this goal, organizations must first familiarize themselves with their users.

The identity proofing and enrollment process establishes a user’s interactions with a given CSP and the online services that the user will access. As negative first impressions can influence user perception of subsequent interactions, organizations need to promote a positive user experience throughout the process.

An effective usability evaluation on the identity proofing and enrollment process involves representative users, realistic goals and tasks, and appropriate contexts of use. The identity proofing and enrollment process should be designed and implemented so that it is easy for users to do the right thing, hard for them to do the wrong thing, and easy for them to recover if the wrong thing happens. [ISO/IEC9241-11], [ISO16982], and [ISO25060] provide guidance on how to evaluate the overall usability of an identity service and additional considerations for improving usability.

From the user’s perspective, the three main steps of identity proofing and enrollment are 1) preparation, 2) identity proofing and enrollment, and 3) post-enrollment actions. These steps may occur in a single session, or there could be a significant amount of time between each one (e.g., days, weeks).

General and step-specific usability considerations are described in the subsections below and are described from the users’ perspective.

Section 508 of the Rehabilitation Act of 1973 [Section508] was enacted to eliminate barriers in information technology and require federal agencies to make electronic and information technology accessible to people with disabilities. While these guidelines do not directly assert requirements from Section 508, identity service providers are expected to comply with Section 508 provisions. Beyond compliance with Section 508, federal agencies and their service providers are generally expected to design services and systems with the experiences of people with disabilities in mind to ensure that accessibility is prioritized throughout identity system life cycles.

General User Considerations During Identity Proofing and Enrollment

The following usability considerations are applicable across all steps of the enrollment process. Additional information about these principles can be found in Sec. 8.1.2, Sec. 8.1.3, and Sec. 8.1.4.

• To avoid user frustration, streamline the identity proofing and enrollment process and make each step as clear and easy as possible.

• Clearly communicate how and where to acquire technical assistance. For example, provide helpful information, such as links to an online self-service portal, chat sessions, and a phone number for help desk support. Ideally, sufficient information should be provided to enable users to answer their own enrollment preparation questions without outside intervention.

• Clearly explain what personal data is being collected and whether collecting the data is optional or not. Additionally, provide information indicating with whom the data will be shared, where it will be stored, and how it will be protected.

• Ensure that all information presented is usable.
  • Follow good information design practices for all user-facing materials (e.g., data collection notices, fillable forms).
  • Write materials in plain language, and avoid technical jargon. If appropriate, tailor the language to the literacy level of the intended population. Use an active voice and a conversational style; logically sequence main points; use the same word consistently rather than synonyms to avoid confusion; and use bullets, numbers, and formatting where appropriate to aid readability.
  • Consider text legibility, such as font style, size, color, and contrast with the surrounding background. The highest contrast is black on white. Text legibility is important because users have different levels of visual acuity. Illegible text will contribute to user comprehension errors or user entry errors (e.g., when completing fillable forms). Use sans serif font styles for electronic materials and serif fonts for paper materials. When possible, avoid fonts that do not clearly distinguish between easily confusable characters (e.g., the letter “O” and the number “0”). This is especially important for confirmation codes. Use a minimum font size of 12 points, as long as the text fits the display.
• Perform a usability evaluation for each step with representative users. Establish realistic goals and tasks and appropriate contexts of use for the usability evaluation.

Preparation

Ensuring that users are as prepared as possible for the identity proofing and enrollment process is critical to the overall success and usability of identity proofing and enrollment.

Such preparation is only possible if users receive the necessary information (e.g., the required documentation) in a usable format and in a timely manner. This includes making users aware of exactly what identity evidence will be required. Users do not need to know anything about IALs or whether the identity evidence required is considered FAIR, STRONG, or SUPERIOR.

To ensure that users are equipped to make informed decisions about whether to proceed with the identity proofing and enrollment process and what will be needed for their session, provide users with:

• Information about the entire process, such as what to expect at each step
  • Clear explanations of the expected time frames to allow users to plan accordingly

• An explanation of the need for and benefits of identity proofing to enable users to understand the value proposition

• Identity evidence requirements for the intended IAL and a list of acceptable evidence documents with information about how they will be validated

• Information about whether there is a fee and, if so, the amount and variety of acceptable forms of payment

• Relevant information on whether the identity proofing and enrollment process will be conducted on-site, over remote channels, or a combination of the two and whether the user has the option to choose
  • Information on the location, whether a user can choose their preferred location, and necessary logistical information for on-site attended or unattended sessions. Users may be reluctant to bring identity evidence to certain public places (e.g., a supermarket versus a bank), as it increases exposure to loss or theft.
  • Information on the technical requirements (e.g., requirements for internet access) for remote sessions
  • An option to set an appointment for remote attended or on-site attended identity proofing sessions in order to minimize wait times. If walk-ins are allowed, make it clear to users that their wait times may be greater without an appointment.
    • Provide clear instructions for how to schedule an identity proofing appointment, obtain reminders, and reschedule existing appointments, if necessary.
    • Offer appointment reminders, and allow users to specify their preferred appointment reminder method (e.g., postal mail, voicemail, email, text message). Users need information such as the date, time, location, and a description of the required identity evidence.
• Information on the allowed and required identity evidence and attributes, whether each piece is voluntary or mandatory, and the consequences for not providing the complete set of identity evidence. Users need to know the specific combinations of identity evidence, including requirements that are specific to a piece of identity evidence (e.g., a raised seal on a birth certificate). This is especially important due to potential difficulties procuring the necessary identity evidence.
  • Where possible, implement tools to make it easier to obtain the necessary identity evidence.
  • Inform users of any special requirements for minors or people with unique needs. For example, provide users with information on whether applicant reference and/or trusted referee processes are available and the information necessary to use those processes (see Sec. 3.14).
  • If forms are required:
    • Make fillable forms available before and during the identity proofing process.
    • Do not require users to have access to a printer.
    • Minimize the amount of information that users must enter on a form, as users are easily frustrated and more error-prone with longer forms. The CSP may auto-fill form fields when such data entry does not disclose personal information to unauthenticated users, such as data from scanned documents or data provided during the identity proofing process.

\clearpage

Identity Proofing and Enrollment

The following usability considerations are specific to identity proofing and enrollment:

• At the start of an identity proofing session, remind users of the procedure. Do not expect them to remember the process that was described during the preparation step. If the identity proofing session does not immediately follow the preparation step, it is especially important to clearly remind users of the typical time frame for completing the identity proofing and enrollment process.
• Depending on the identity proofing method (e.g., remote or on-site unattended), provide a separate video window with a step-by-step tutorial of the identity proofing process. When these types of tutorials or examples are offered, service providers should have a range of support options to cover a broad set of users. Alternatives to a video window include verbal or written instructions.
• Provide options for the user to reschedule the time or type of their identity proofing appointment, if needed.
• Provide a checklist with the allowed and required identity evidence to ensure that users have the requisite identity evidence to proceed with the identity proofing and enrollment process. If users do not have the complete set of identity evidence, they must be informed regarding whether they can complete a partial identity proofing session or use exception processing through a trusted referee or, as appropriate, applicant references for identity proofing exception processing. This would also apply to international users if the types of identity evidence and access to data, services, and validation sources may not be easily or readily available to achieve IAL identity proofing requirements. Trusted referees and applicant references are intended to provide capabilities for alternative identity proofing workflows and risk-based decisions for users who need exception processing.
• Notify users regarding what information will be destroyed or retained for future follow-up sessions and what identity evidence they will need to bring to complete a future session. Ideally, users can choose whether they would like to complete a partial identity proofing session.
• Set user expectations regarding the outcome of the identity proofing and enrollment process, including time frames for any subsequent activities (e.g., delivery of a notification of proofing).
• Clearly indicate whether users will 1) receive an authenticator immediately at the end of a successful identity proofing and enrollment process, 2) have to schedule a follow-up appointment to pick up an authenticator in person, or 3) receive the authenticator in the mail and, if so, when they can expect to receive it.

• If subscriber-provided authenticators are permitted, provide information to users about how to register them to their subscriber accounts.

• During the identity proofing and enrollment process, there are several requirements to provide users with explicit notice, such as what data will be collected and processed by the CSP. See Sec. 3 and Sec. 7 for detailed requirements on notices. CSPs should be aware that seeking consent from users for the use of their attributes for purposes other than identity proofing, authentication, authorization, or attribute assertions may make them uncomfortable. If users do not understand how they will benefit from the additional collection or uses, they may be unwilling or hesitant to provide consent or continue the process. Therefore, it is recommended that CSPs provide users with a thorough explanation of how they may benefit from the additional processing of their personal information and the steps that the CSP takes to mitigate the risks associated with such processing. Additionally, CSPs should provide users with the opportunity to opt out of the additional processing.

• Confirmation codes are used to confirm that an applicant has access to a postal address, email address, or phone number for the purposes of future communications. If confirmation codes are used:
  • Notify users in advance that they will receive a confirmation code, when to expect it, the length of time for which the code is valid, and how it will arrive (e.g., physical mail, SMS, landline telephone).
  • When a confirmation code is delivered to a user, remind the users which service they are enrolling in and include instructions on how to use the code and the length of time for which the code is valid. This is especially important given the short validity time frames specified in Sec. 3.8.
  • If issuing a machine-readable optical label, such as a QR Code (see Sec. 3.8), provide users with information on how to obtain QR code scanning capabilities (e.g., acceptable QR code applications). Additionally, provide a human-readable code as an alternative to QR codes.
  • Inform users what will happen if the confirmation code expires or is lost before use.
• If an applicant is unable to complete identity proofing and enrollment in a single session, or if they will have to complete identity proofing via a different identity proofing type (e.g., remote attended, on-site attended), they may be issued a continuation code. Continuation codes are used to reestablish an applicant’s linkage to an incomplete identity proofing or enrollment process. If a continuation code is issued:
  • Provide users with information about continuation codes, why they are used, how they will be delivered, and how they will be used to complete their identity proofing process.
  • When a continuation code is delivered to a user, remind them which service they are enrolling in and include instructions on what they need to do or where to go to complete the identity proofing or enrollment process.
  • If issuing a machine-readable optical label, such as a QR Code (see Sec. 3.9), provide users with information on how to obtain QR code scanning capabilities (e.g., acceptable QR code applications). Additionally, provide a human-readable code as an alternative to QR codes.
  • Provide users with alternative options for reestablishing their linkage to an incomplete identity proofing or enrollment process, as not all users may have access to the necessary technologies.
• At the end of the identity proofing and enrollment process:
  • If enrollment is successful, send subscribers a notification of proofing that confirms successful identity proofing and enrollment (see Sec. 3.10) as well as directions on the next steps they need to take (e.g., when and where to pick up their authenticator, when it will arrive in the mail).
  • If enrollment is partially complete (e.g., due to users not having the complete set of identity evidence, users choosing to stop the process, or session timeouts), communicate to users:
    • What information will be destroyed;
    • What information will be retained for future follow-up sessions;
    • How long the information will be retained; and
    • What identity evidence they will need to bring to a future session.
  • If enrollment is not successful, provide users with clear instructions for alternative identity proofing and enrollment options (e.g., on-site attended, use of trusted referee).

• If users receive an authenticator during the enrollment session, provide instructions on its use and maintenance. For example, information could include instructions for use (especially if there are different requirements for first-time use or initialization), information on authenticator expiration, how to protect the authenticator, and what to do if the authenticator is lost or stolen.

• For both in-person and remote identity proofing, additional usability considerations apply:
  • At the start of the enrollment session, operators or attendants need to explain their role to users (e.g., whether operators or attendants will walk users through the enrollment session or observe silently and only interact as needed).
  • At the start of the enrollment session, inform users that they must not depart during the session and that their actions must be visible throughout the session.
  • When biometric samples are collected during the enrollment session, provide users with clear instructions on how to complete the capture process. The instructions are best given just prior to the process. Verbal instructions with guidance from a live operator are the most effective (e.g., instructing users where the biometric capture device is and how to interact with it, when to begin the capture process, how to know when the biometric capture is completed).
• Since remote identity proofing is conducted online, follow general web usability principles, such as:
  • Design the user interface to walk users through the enrollment process.
  • Reduce users’ memory load through techniques such as simplifying the interface or using visual aids.
  • Make the interface consistent.
  • Clearly label sequential steps.
  • Make the starting point clear.
  • Support multiple platforms and device sizes.
  • Make the navigation consistent, easy to find, and easy to follow.

Post-Enrollment

Post-enrollment refers to the step immediately following enrollment but prior to the first use of an authenticator. As previously described, users will have already been informed at the end of their enrollment session regarding the expected delivery, pick-up, or registration mechanism by which they will receive or add their authenticator.

Usability considerations for post-enrollment include the following:

• Minimize the amount of time that users wait for their authenticator to arrive. Shorter wait times will allow users to access information systems and services more quickly.

• Inform users whether they need to go to a physical location to pick up their authenticators. The previously identified usability considerations for appointments and reminders still apply.

• Along with the authenticator, give users information that is relevant to the use and maintenance of the authenticator, such as instructions for use, especially if there are different requirements for first-time use or initialization; information on authenticator expiration; and what to do if the authenticator is lost or stolen.

• Provide information to users about how to protect themselves from common threats to their identity accounts and associated authenticators, such as social engineering and phishing attacks.

Customer Success Considerations

A primary aspect of customer experience is anticipating the needs of the user population and offering solutions that are suitable for that population. This becomes considerably more difficult within the context of identity proofing as the processes of identity resolution, validation, and verification each introduce their own user challenges. By analyzing the entire proofing process and assessing for common challenges, CSPs can deploy solutions that “meet the user where they are” and provide a more accessible and responsive set of solutions for their users. Consistent with the normative recommendations within this document, the following subsections discuss the value of deploying optionality and choice for users throughout the identity proofing process and the risks they can mitigate.

Support Multiple Types of Identity Proofing

Whether deployed by a single CSP, multiple CSPs, or through an arrangement with RP customer service representatives, the use of multiple identity proofing types as defined in Sec. 2.1.3 provides more opportunities for users to achieve positive proofing outcomes without sacrificing security or resorting to exception handling. When deployed with effective continuous improvement mechanisms, the use of multiple proofing types can support mitigation of the following common issues:

• Users who are unable to complete automated or technology-heavy processes (e.g., due to limited technology fluency, physical or cognitive disabilities) or users for whom certain processes (e.g., automated biometric recognition) may be less effective
• Users who may rely on shared computing resources that may be prone to observation or other security risks
• Users who do not have reliable access to high-speed internet or computing devices that are capable of completing remote identity proofing processes
• Users who prefer human interactions to remote or automated processes
• Users who may have failed remote or automated approaches through no fault of their own (e.g., false rejections, failure to capture)

Sections 4.1, 4.2, and 4.3 describe the acceptable types of identity proofing available for each IAL.

Partner With Multiple Credible and Authoritative Sources

Credible and authoritative sources provide a means to confirm the accuracy of identity data that an applicant claims during the proofing process. It is an essential step in preventing synthetic identity attacks and enabling accurate information for RPs to grant access and connect users to existing data and accounts. However, sources can also introduce inaccuracies, issues, and challenges, particularly when a single source is relied upon for a large volume of users. In such cases, issues with specific types of data can proliferate and persist across a larger user population. For example, the inability of a credible source to validate data from a single mobile network operator can impact entire regions or economic groups, even if data from other network operators is available and accurate.

Therefore, to support users more effectively, the integration of multiple data sources is important for CSPs. Such integrations need to be based on the core attributes that the CSPs and RPs require, the types of evidence available to users, and information about the effectiveness and population coverage of specific vendors based on testing and continuous evaluation processes. Additionally, the use of multiple vendors can create failover or waterfall processes that increase the likelihood of successfully completing identity proofing and limiting the need to expose users to exception handling processes. Leveraging multiple credible and authoritative sources minimizes risks to users who do not have a robust set of records or have incomplete records with individual sources.

Section 2.4.2.3 and Sec. 2.4.2.4 address the requirements for data validation and credible and authoritative sources.

Offer Robust and Responsive Exception Handling Processes.

Errors in the identity proofing process happen routinely and for a variety of reasons. Exception handling processes enable users to address issues associated with their identity proofing experience while still successfully establishing a subscriber account and accessing services. When deployed with effective continuous improvement mechanisms, exception handling processes can help mitigate the following common issues:

• Users with limited history at credible or authoritative sources
• Users whose records with credible or authoritative sources may be incomplete, inaccurate, or impacted by errors resulting from past identity theft
• Users without common forms of identity evidence or whose evidence has been lost, destroyed, stolen, or otherwise compromised
• Users who are unable to complete automated or technology-heavy processes due to internet bandwidth limitations, limited access to devices capable of completing remote identity proofing processes, limited technological fluency, physical or cognitive disabilities, or for whom certain processes (e.g., automated biometric recognition) may be less effective
• Users whose attributes have changed and whose records do not reflect those changes
• Users whose records may be difficult to match as a result of name formatting and data entry design with the identity system

Section 3.14 provides specific requirements for exception handling processes. Since exception handling processes result in the acceptance of some risk, they can often be combined with other controls to limit RP exposure. These can include limiting authorizations, entitlements, and access or applying additional monitoring for subscriber accounts that are established under exception handling processes. For RPs to implement these controls, CSPs must provide RPs with an indicator that exception handling processes were used, either in the assertion, via an API, or using another real-time mechanism.