Posted on August 31, 2017 by Mathijs Brand
Buying products is personal
A good salesman knows the customer and asks only the information that's relevant. My webshop knows my shoe size. So I should get a personal offering of shoes that only have my size in stock. When I buy an insurance I get a discount with my insurance company, because I already have home insurance. By the way: this is a perfect way to be loyal to my insurance company.
And also my birthdate, family situation and address are known to the system. They can be used as input when I look for an additional insurance. I know a lot of insurance companies don't have this in place. You fill out your birthdate again. But let's forget about the requirements of 2013. We're doing a thought-experiment for 2017.
We need to get personalized information without login. How does that work? Let's listen to a suggestion by an app developer: The app can store the user preferences on the device. Then the app can access the information without the consent of the user.
Storing personal information on a device is not good enough in 2017
Sure, you can store a birthdate or shoe size on a mobile device and use that for your personalized shopping experience. But then you face a whole array of new issues including technical, compliancy, privacy and security issues. With regulation like GDPR and PSD2 most governments are putting the customer in control with respect to data. You need to have one source of truth. For that reason alone you can't store information just on the device. But let's forget about boring security and regulation things.
Buying products is an omnichannel experience
Consumers are used to hopping devices. It's what Netflix, Amazon and Google provided to us. We look at shoes, movies and products on one device. We continue on the other. Storing personal information on a device is not a great solution if you continue the process on another.
And personal information will change. My shoe size is static, but surely a lot of other things like my family situation or weight is not. In cases like a divorce, it may actually be the very reason why a consumer is checking to see insurance offerings.
So in our thought experiment we now need:
A centralized personal data storage without login
By just adding a few pretty standard 2017 requirements, we suddenly need personalized access to a backend service without a login. And that is something we can't do by doing some public unprotected calls to a backend. The only way to fulfill this requirement in a user friendly and secure fashion, is by making some advanced assumptions that the user is who we think he/she is and then access the backend based on those assumptions.
An implicit authentication step
We can never be sure of a person's identity. If we don't let a user login with PIN, password or fingerprint, we won't even be close to a 100%. But for this shopping experience that may be not needed. When the actual transaction comes into play, we can do all the security and background checking that is actually needed. But in this delicate process of checking out the goods, we can make some technical assumptions like:
- the user has logged in on the device before
- the behaviour on the device is not out of the ordinary
This is what the Onegini team has been working on hard and what we can offer to you in our latest releases of the MSP platform
This blog highlights the thought process and requirements to go through when creating this feature. As mentioned in the introduction and with a lot of things related to authentication: it's not a feature to underestimate.
If you'd like to know more about implicit authentication and what we mean by that in a technical sense.
Please reach out to us.