This section is informative.
To align with the standard terminology of user-centered design, customer experience, and usability, the term “user” is used throughout this section to refer to the human party. In most cases, the user in question will be the subject in the role of applicant, claimant, or subscriber, as described elsewhere in these guidelines. Customer experience sits at the nexus of usability, accessibility, and optionality. Considering user needs allows organizations to provide responsive and secure identity solutions while minimizing unnecessary friction and frustration.
Ergonomics of Human-System Interaction — Part 11: Usability: Definitions and Concepts [ISO/IEC9241-11] defines usability as the “extent to which a system, product or service can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.” This definition focuses on users, goals, and the context of use as the key elements necessary for achieving effectiveness, efficiency, and satisfaction. A holistic approach that considers these key elements is necessary to achieve usability.
From a usability perspective, one of the major potential benefits of federated identity systems is to address the problem of user fatigue that is associated with managing multiple authenticators. While this has historically been a problem with usernames and passwords, the increasing need for users to manage many authenticators — whether physical or digital — presents a usability challenge.
As stated in Sec. 8.1 of [SP800-63A] and Sec. 8.1 of [SP800-63B], overall user experience is critical to the success of digital identity systems. This is especially true for federated identity systems, as federation is a less familiar user interaction paradigm for many users. Users’ prior authentication experiences may influence their expectations.
The overall user experience with federated identity systems should be as smooth and easy as possible for legitimate users. This can be accomplished by following usability standards (e.g., the ISO 25060 series of standards) and established best practices for user interaction design.
Guidelines and considerations are described from the users’ perspective.
Section 508 of the Rehabilitation Act of 1973 [Section508] was enacted to eliminate barriers in information technology and require federal agencies to make electronic and information technology accessible to people with disabilities. While these guidelines do not directly assert requirements from Section 508, identity service providers are expected to comply with Section 508 provisions. Beyond compliance with Section 508, federal agencies and their service providers are generally expected to design services and systems with the experiences of people with disabilities in mind to ensure that accessibility is prioritized throughout identity system life cycles.
Federated identity systems should:
Minimize the use of unfamiliar technical jargon and details (e.g., users do not need to know the terms IdP and RP if the basic concepts are clearly explained, and users do not need to know the specific FAL value if its effects are clearly communicated).
Strive for a consistent and integrated user experience across the IdP and RP, particularly when in a single security domain.
Help users understand identity by providing resources, such as graphics, illustrations, frequently asked questions (FAQs), tutorials and examples. Resources should explain how users’ information is treated and how transacting parties (e.g., RPs, IdPs, proxies) relate to each other.
Provide clear, honest, and meaningful communications to users (i.e., communications should be explicit and easy to understand).
Provide users with online services that are independent of location and device.
Make trust relationships explicit to users to facilitate informed trust decisions. Trust relationships are often dynamic and context-dependent. Users may be more likely to trust some IdPs and RPs with certain attributes or transactions more than others. For example, users may be more hesitant to use federated identity systems on websites that contain valuable personal information (e.g., financial or health). Depending on the perceived sensitivity of users’ personal information, some users may be less comfortable with commercial IdPs since people often have concerns about advertising and the data usage of such companies. Conversely, some may have more confidence in commercial IdPs than in government IdPs based on a general mistrust of government services or because they are more familiar with commercial offerings. Either way, it is critical to be clear to end users about the entities involved in a federation transaction and, ideally, provide options that support the broadest set of stakeholder perceptions possible.
Follow the usability considerations specified in [SP800-63A] Sec. 8 for any user-facing information.
Clearly communicate how and where to acquire technical assistance. For example, provide users with a link to an online self-service feature, chat sessions, or a phone number for help desk support. Avoid redirecting users back and forth between transacting parties (e.g., RPs, IdPs, and proxies) to receive technical assistance.
This section addresses the specific usability considerations that have been identified with federated identity systems. This section does not attempt to present exhaustive coverage of all usability factors related to federated identity systems. Rather, it is focused on the larger, more pervasive themes in the usability literature, primarily users’ perspectives on identity, user adoption, trust, and perceptions of federated identity space. In some cases, implementation examples are provided. However, specific solutions are not prescribed. The implementations mentioned are examples to encourage innovative technological approaches addressing specific usability needs. See standards for system design and coding, specifications, APIs, and current best practices for additional examples. Implementations are sensitive to many factors that prevent a one-size-fits-all solution.
Even when users are familiar with federated identity systems, there are different approaches to federated identity that make it necessary to establish reliable expectations for how user data is treated, especially in terms of privacy and the sharing of information. Users and implementers have different concepts of identity. Users think of identity as logging in and gaining access to their own private space. Implementers think of identity in terms of authenticators, assertions, assurance levels, and the necessary set of identity attributes to provide a service. Given this disconnect, it is essential to help users form an accurate concept of identity as it applies to federated identity systems. A good model of identity gives users a foundation for understanding the benefits and risks of federated systems and encourages user adoption and trust of these systems.
To minimize the personal information collected and protect privacy, IdPs and RPs ought to inform users of the benefits and drawbacks of pseudonymous identification, what information is transmitted, and for what purpose.
Many properties of identity have implications for how users manage identities, both within and among federations. Just as users manage multiple identities based on context outside of cyberspace, users must learn to manage their identity in a federated environment. Therefore, it must be clear to users how identity and context are used. The following factors should be considered:
Provide users with the requisite context and scope in order to distinguish among different user roles. For example, differentiate whether the user is acting on their own behalf or on behalf of another, such as their employer.
Provide users with unique, meaningful, and descriptive identifiers to distinguish among entities, such as IdPs, RPs, and accounts. Any such user-facing identifiers are likely to be in addition to identifiers used by the underlying protocols, which are not normally exposed to the user.
Provide users with information on data ownership and those authorized to make changes. Identities and the data associated with them can sometimes be updated and changed by multiple actors. For example, some healthcare data is updated and owned by the patient, while some data is only updated by a hospital or doctor’s practice.
Provide users with the ability to easily verify, view, and update attributes. Identities and user roles change over time (e.g., address, health, and financial data). The ability to update attributes or make attribute release decisions may not be offered at the same time. Ensure that the process for users to change attributes is well-known, documented, and easy to perform. See Sec. 5.3 of [SP800-63A] for more information about allowing users to update core attributes.
Provide users with a means to update data, even if the associated subscriber account or RP subscriber account is disabled or terminated. Consider applicable audit, legal, or policy constraints when tracking updated data.
Provide users with a means to completely delete their identities completely and remove all information about themselves, including their transaction history. In certain cases, deactivating the RP subscriber account is more appropriate than deleting it, as the RP may be required to retain portions of the data in the RP subscriber account. Consider applicable audit, legal, or policy constraints that may preclude such actions.
Provide users with clear, easy-to-find information on the site or application data retention policy.
Provide users with appropriate anonymity and pseudonymity options and the ability to switch among such identity options as desired, in accordance with the organization’s data access policies.
Provide a means for users to manage each IdP to RP connection, including complete separation and the removal of RP access to one or more attributes.
Many factors can influence user adoption of federated identity systems. As with any technology, users may value some factors more than others. Users often weigh perceived benefits versus risks before making technology adoption decisions. It is critical that IdPs and RPs provide users with sufficient information to enable them to make informed decisions. The concepts of trust and tiers of trust are fundamental principles in federated identity systems that can drive user adoption. Finally, a positive user experience may also result in increased user demand for federation, triggering the increased adoption by RPs.
To encourage user adoption, IdPs and RPs need to establish and build trust with users and help them understand the benefits and risks of adoption. The following factors should be considered:
Allow users to control their information disclosure and provide explicit consent through the appropriate use of interactive user interfaces and notifications (see Sec. 7.2). Considerations such as balancing the content, size, and frequency of notifications and tailoring notifications to specific communities are necessary to avoid users clicking through without fully understanding the implications of their consent.
Collect information for constrained usage only, and minimize information disclosure (see Sec. 7.3). User trust is eroded by unnecessary and superfluous information collection and disclosure or tracking without explicit consent. For example, only request attributes from the user that are relevant to the current transaction, not for all possible transactions that a user may access at the RP.
User concern over risk can negatively influence their willingness to adopt federated identity systems. Users may have concerns about trust, privacy, security, and single points of failure perceived in federated systems. For example, users may be fearful of losing access to multiple RPs if a single IdP is unavailable, either temporarily or permanently. Additionally, users may be concerned or confused about learning a new authentication process. In order to foster the adoption of federated identity systems, the perceived benefits must outweigh the perceived risks.
Users’ beliefs and perceptions predispose them to expect certain results and behave in certain ways. Such beliefs, perceptions, and predispositions are referred to in social sciences as “mental models.” For example, people have a mental model of dining out that guides their behavior and expectations at each establishment, such as fast food restaurants, cafeterias, and more formal restaurants. Thus, it is not necessary to be familiar with every establishment to understand how to interact appropriately at each one.
Assisting users in establishing good and complete mental models of federation allows users to generalize beyond a single specific implementation. If federated identity systems are not designed from users’ perspectives, users may form incorrect or incomplete mental models that impact their willingness to adopt these systems. The following factors should be considered:
Provide users with clear and usable ways (e.g., visual assurance) to determine the authenticity of the transacting parties (e.g., RPs, IdPs, proxies). This will also help alleviate user concern over leaving one domain for another, especially if the root domain changes (e.g., .gov to .com). For example, display the URL of the IdP so that the user can verify that they are not being phished by a malicious site.
Provide users with clear information regarding logins and logouts, including visual cues. Depending on the implementation, logging into an RP with a federated account can create long-running sessions for the user at both the IdP and RP. Users may not realize that ending their session with the RP will not necessarily end their session with the IdP; users will need to explicitly “log out” of the IdP. Users require clear information to remind them if explicit logouts are required to end their IdP sessions. Both the IdP and RP could also have automated logout features, which proactively log the user out based on how long it has been since the user authenticated or how long it has been since the user was active in a session. Users require clear information about when their session might end without any action on their part in order to avoid frustration, lost work, or insecure workarounds (e.g., copying data out of a secure site in order to avoid an unexpected session timeout).
Provide users with clear and understandable explanations of trust agreement terms and consequences that are free of technical jargon.
A primary aspect of customer experience is anticipating the needs of the user population and offering federation in a manner that is suitable for that population. In assessing customer experience risks and challenges, IdPs and RPs should consider the overall user population that is served by their federated identity service and deploy solutions that support their needs and capabilities.
Federation is a highly technical process. There is very little process exposed to the end user that directly impacts their customer experience and is not already addressed by authentication and identity proofing customer experience considerations. There are two notable exceptions: 1) the process for selecting and remembering the IdP and 2) handling errors and communication between the IdP and the RP help desks. In addition to what is discussed here, the IdP needs to consider the customer experience related to identity proofing, attribute validation, and enrollment (see Sec. 8.2 of [SP800-63A]) and considerations concerning authenticators (see Sec. 8.2 of [SP800-63B]).
Users can struggle with choosing between multiple IdPs, especially if there is a large volume of them. While there is not a single means for presenting the user with IdP options, RPs that leverage multiple IdPs are encouraged to perform user testing with their presentation design to understand user reactions and evaluate the best means for conveying options. Additionally, by providing information about the practices and capabilities of IdPs, the RP can better support users as they select an IdP that is most likely to meet their means and capabilities.
Another challenge for users is remembering the IdP with which they established a subscriber account. This is particularly true when interactions between the RP and its IdPs are infrequent. In order to support effective and successful ongoing interactions with their users, RPs are encouraged to develop mechanisms for directing users to a previously used IdP. This could take the form of a look-up mechanisms by a subscriber’s input (such as their email address) or remembering which IdP was used in a previous session. Implementing this can address various issues, such as:
RPs and IdPs need to clearly communicate how and where to acquire technical assistance. For example, provide users with a link to an online self-service feature, chat sessions, or a phone number for help desk support. Avoid redirecting users back and forth among transacting parties (e.g., RPs, IdPs, proxies) to receive technical assistance.
Further, coordination between participating entities is critical for successful customer experiences. The IdP and RP support teams need to know how to appropriately redirect users to address their concerns in the event they are sent to the incorrect party. For example, if a user were to call an IdP help desk trying to understand why an RP website function is failing, the IdP support staff needs to be able to direct the user to information or an RP-side support capability to help resolve their concerns. This distributed responsibility in a federated model creates interaction points for users that are highly likely to result in frustration and confusion if not addressed in design, usability, operational, and continuous improvement plans.
This guideline establishes normative requirements for IdPs and RPs to mitigate commonly experienced customer friction. However, normative requirements are unlikely to anticipate all potential customer experience problems, which will vary for different applications. Accordingly, IdPs and RPs need to provide mechanisms for subscribers to report issues or challenges and to advise them on potential alternative authentication and access strategies.