Today, Apple Music, Spotify and other online music services allow several members of a family to access the same service plan using their own individual accounts. Does it sound familiar to you? The “family model” is also seen in popular services such as Nintendo Switch Online, YouTube Premium, etc.
A clear benefit of the family model is that the members of the household don’t need to share an account and password. This frees you from many problems: have you ever started playing movies in Netflix only to notice later that you chose the wrong profile by mistake? The damage is done: you’ve mixed your preferences and viewing history with your kids’. Not to mention the security risks of sharing passwords and account access, and the lost revenue for companies whose users share a single account. A well-designed family model delivers one of the principles of good Identity and Access Management: every member has their own user account and credentials to access your services.
And family plans aren’t exclusive to purely online services. Think of a traditionally offline business – an amusement park, determined to get 90% of its customers to use its brand new mobile app. A child will use the app, but naturally without the same full admin access as mum or dad, such as buying services or deleting the account.
Now you might be thinking, is the family model valuable for entertainment only? Certainly not. The family model can also work miracles for a utility such as electricity distribution, or a mobile operator. Some mobile network operators such as Moi (Finland) and BT (UK) offer family plans. Let’s say David pays the bill and uses a family manager user interface to create accounts for his wife and kids and assign them credits to spend.
In all the previous cases, the family manager created the other users’ accounts, assigned them a role, and gave them certain access authorisation or the possibility to use credits. Not money, but access to or credits for a paid service.
The family model is identity delegation in its most basic form. To see the full power of identity delegation, let’s imagine this. What if when you create an account, the assigned role allows the user to:
- Collaborate on a highly-sensitive project
- Exercise power of attorney
- Order products on behalf of your employer (partners and suppliers)
Now I will share with you three core use cases of how digital services across different industries can unleash the power of identity delegation.
Collaborate on a highly-sensitive project
Another high-value activity is working online on a sensitive, protected project. A team of entrepreneurs is building an innovative product; let us say a Water Purification System. All is going well, but the next phase in their plan requires external funding, so the team will apply for funding from a governmental agency.
The application is 100% online and every user must authenticate to the portal using a verified identity, with strong authentication. The entrepreneurs start filling in all the forms, but they soon realise they need an accredited environmental specialist, as nobody in the team can carry out a mandatory assessment. When the team finds a suitable specialist, Mr Park, the CEO, Scott Long, uses StartupCashPortal to send him an invitation (‘Add new user’) to contribute to the project. Mr Park opens the email invitation, proves his identity with bank authentication, and then has access to modify only the section of the funding application that concerns him.
As you see, this B2B use case of identity delegation gets even more interesting, but there is no money involved yet. The main benefit is that a third-party individual gains access to collaborate securely on sensitive information with a verified identity. Imagine if the wrong person gained access to other sensitive projects: the governmental agency could face lawsuits over the data breach.
Two key elements made this use case possible:
- Authentication with a verified digital identity (e.g. bank authentication, electronic national ID card, Mobile Connect)
- Identity delegation, a building block of modern CIAM systems.
Exercise power of attorney
Taking a step forward, what would happen if a company offered delegation on its own platform in order to carry out monetary transactions?
Imagine that a few years back you inherited a house along with seven members of your family. Now you all want to sell the property, but everybody lives in a different city and it’s nearly impossible to meet and sign the agreement all together. Also, due to some force majeure one member of the family, Uncle Zach, can’t sign for himself and instead will need to give power of attorney to Beth.
Luckily Beth finds real estate agency RealtyPower. They have launched a digital service with electronic identity delegation, which allows the family to find the best buyer, sell the house and sign all documents (including the power of attorney Zach gave to Beth) remotely, making the online transaction secure and seamless. Both the family and the real estate company saved time and money.
Example 2 was a B2C case with a monetary transaction. The same scenario can become B2B if you replace the members of a family with companies, all sharing a very valuable asset, such as the ownership of an office building. As you can imagine, the biggest value is in full B2B use cases like the one that comes next – example 3.
Order products on behalf of your employer (partners and suppliers)
FairCrops, a company in the agriculture industry, has hundreds of partners and resellers and has a web service called AgroPortal, which gives “extranet” access to these companies. Bob is the CEO of one of these partners, Bob’s Corner, so he can log in, search for products in the AgroPortal database, and place a purchase order. As this order is on credit, AgroPortal must make sure that the user is indeed Bob, and therefore has the right to place an order.
One year later, Bob’s company experiences amazing growth and he hires two people to take care of orders: Purchasing Manager, Mary, and Purchasing Assistant, Fred. Both need different levels of purchasing rights, which starts to make things complex. Here, identity delegation comes in as the perfect solution. Bob assigns Mary an admin user role on AgroPortal, which allows her to create new users, delegate rights, assign roles, and revoke any permissions herself. Next, Mary digitally invites Fred to create an account with limited rights as the Purchasing Assistant. This advanced schema of identity delegation empowers the B2B customer and takes the heavy administrative burden off the agroindustry producer’s staff.
Needless to say, the portal should make a well-informed choice of authentication method to ensure a good level of security, appropriate to the situation. An easy approach would be identity federation using a business identity (e.g. AzureAD) between these two companies. If federation is not possible, a national identification or a biometric-based authentication service could be the next best choices.
- Company: FairCrops, agroindustry producer
- Partner: Bob’s Corner, chain of stores
- e-service: AgroPortal, to order products and get specialised customer service
Can you see your organisation embracing a variant of one of these use cases? Can you see it as part of the digital transformation you are working on now?
The nuts and bolts of identity delegation
One question you might be asking yourself is, ‘how do we implement identity delegation?’ The brilliance of these use cases is that once launched they look so easy. However, the nuts and bolts of identity delegation rely on deep expertise in:
- Proof of identity. Every person using these digital services must have proved their identity to the identity provider (bank, government) first to enable the verified digital identity.
- The selection of the right authentication method. Different methods are best for different industries and purposes.
- Least privilege and minimal data disclosure. A user has to obtain the right privileges to complete their task (e.g. sign an agreement) while sharing the minimum possible personal data with the digital service. The identity provider, such as a bank or the civil registry, holds detailed personal data about you, but the online service (e.g. RealtyPower) only needs to know a few pieces of that data.
Ubisecure has the most flexible, agile and proven identity delegation solution available today: Delegated Authority. Cybersecurity analyst KuppingerCole said: “Ubisecure has demonstrated its value specifically in scenarios with complex B2B2C relationships, where its strength in delegating access is a differentiator to other providers in the market.” Find out more about Delegated Authority here.
About The Author: Oscar Santolalla
With more than 15 years of experience in the technology space, Oscar is a trusted advisor for Ubisecure Customer Identity and Access Management (CIAM) customers and partners. As a Sales Engineer, Oscar runs product demos, supports customers and partners, and leads the IAM Academy training programme. He is also the author of the book ‘Create and Deliver a Killer Product Demo’, and hosts the ‘Let’s Talk About Digital Identity’ podcast.