It is easy to see that it is precisely BYO-ID we are using when we log in to Spotify with our Facebook account. You open Spotify for the first time and are asked either to register an account or to log in with Facebook, for example. After you authenticate yourself at Facebook, what happens in the background is that Spotify receives a ticket containing some of your details. Spotify uses these to create your account for you.
We simply use federation to exchange information between the partners. Once we have the information, we can create an account. What is difficult is knowing which partners to use to obtain this identity information.
I was in a client meeting the other day, where we discussed how users could get access to their applications. A company with users in all the Nordic countries may find it hard to choose which partner to use: eIDs are valid only for Swedish residents, Norway and Denmark have another method, and Finland a third. Is there a common method? Or can the user be directed to the right partner?
When used correctly, BYO-ID can provide many benefits. A client new to this wanted to start using one-time passwords, but did not really know how to get started: there were not enough mobile numbers on file for all the users, nor any other information that could be used to trigger a one-time password. It was at this stage that we started to discuss the possibility of the users specifying this information themselves. But how could we do it? We could not use Google for a client who must be completely sure that the user is a physical person, could we?
We did not solve the problem there and then, but we have done similar things for other clients. This has mostly concerned users with an eID who register the first time they log in. When logins are federated with eID, quite a lot of information about the user is transferred with the ticket. The most interesting items are probably the personal ID number, first name and last name, which is sufficient for most partners to create an account.
Information that is lacking can be requested on a form, provided you can trust the partner at which the user was authenticated.
This gives a good opportunity for self-registration: as long as the partner can be trusted, users can fill in the missing information themselves. You just have to choose the right partner… but that is another story.
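The flow described above (a federated ticket from a trusted partner, an account created from its claims, and a self-registration form for whatever is still missing, such as the mobile number needed for one-time passwords) can be sketched as a small just-in-time provisioning step. The code below is an added example and is not Enfo's code or the post's own; the issuer names, assurance levels, attribute names and sample claims are all constructed for the illustration, and the ticket is assumed to have already been signature-checked by the SAML or OIDC library before it reaches this step.

```python
from dataclasses import dataclass, field

# Hypothetical partner registry (constructed for this example): for each
# issuer, the assurance level it provides and the claims it is trusted to
# assert. Claims outside this set are never copied from the ticket, so a
# low-assurance partner cannot supply, say, a personal ID number.
TRUSTED_ISSUERS = {
    "https://eid.example.se": {
        "level": "high",
        "claims": {"personal_id", "given_name", "family_name"},
    },
    "https://social.example.com": {
        "level": "low",
        "claims": {"email", "given_name", "family_name"},
    },
}

# Attributes the local account must have before it is usable (hypothetical).
REQUIRED_ATTRIBUTES = ("personal_id", "given_name", "family_name", "mobile")


@dataclass
class Account:
    subject: str                  # issuer-qualified id, stable across logins
    attributes: dict
    assurance: str                # assurance level of the partner that vouched
    missing: list = field(default_factory=list)  # to be asked for on the form


class UntrustedIssuer(Exception):
    """Raised when the ticket comes from an unknown or too-weak partner."""


def provision(issuer: str, claims: dict, required_level: str = "low") -> Account:
    """Create a local account from an already-verified federation ticket.

    Only claims the issuer is trusted for are taken over; everything else
    the application needs is recorded in `missing` for self-registration.
    """
    partner = TRUSTED_ISSUERS.get(issuer)
    if partner is None:
        raise UntrustedIssuer(f"unknown issuer {issuer}")
    if required_level == "high" and partner["level"] != "high":
        raise UntrustedIssuer(f"{issuer} does not provide assurance level {required_level}")
    if not claims.get("sub"):
        raise ValueError("ticket carries no subject identifier")

    # Keep the subject qualified by issuer so two partners cannot collide.
    subject = f"{issuer}#{claims['sub']}"
    attributes = {
        name: value
        for name, value in claims.items()
        if name in partner["claims"] and value
    }
    missing = [name for name in REQUIRED_ATTRIBUTES if name not in attributes]
    return Account(subject, attributes, partner["level"], missing)


def complete_registration(account: Account, form_input: dict) -> Account:
    """Merge values from the self-registration form, but only for attributes
    that were missing; the form must not be able to overwrite what the
    trusted partner asserted (e.g. the personal ID number)."""
    for name in list(account.missing):
        value = str(form_input.get(name, "")).strip()
        if value:
            account.attributes[name] = value
            account.missing.remove(name)
    return account


if __name__ == "__main__":
    # Constructed sample ticket from the eID partner: name and personal ID
    # arrive with the ticket, the mobile number has to be self-registered.
    ticket = {"sub": "a1b2c3", "personal_id": "19800101-1234",
              "given_name": "Anna", "family_name": "Svensson"}
    acct = provision("https://eid.example.se", ticket, required_level="high")
    print("still missing:", acct.missing)
    acct = complete_registration(acct, {"mobile": "+46700000000"})
    print("account ready:", not acct.missing, acct.attributes)
```

The two checks that carry the security weight are the issuer-to-claims mapping in `provision`, which decides what a given partner is allowed to vouch for, and the restriction in `complete_registration` to attributes that were actually missing, so the form can only add information and never replace what the trusted partner asserted.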
We have extensive experience with BYO-ID here at Enfo. We have been working with it since it was called Just-In-Time Provisioning (JITP), and we have several examples of clients we have helped in this way.
Let us visit you to explain further and show you how it will benefit you.
Per Ölmunger, Senior IAM Consultant, Security, Enfo