Composing Effective Consumer Onboarding Workflows, Part 1
- Johann Nallathamby
- Director - Solutions Architecture - WSO2
Consumer onboarding is one of the, if not the most, important functions of a customer identity and access management (CIAM) solution. An overly complicated onboarding workflow significantly detracts from the consumer experience. Providing an effective, engaging and efficient onboarding workflow without compromising security has always been a challenge among security and risk professionals.
The inspiration for this two-part article series comes from many customer implementations carried out by WSO2 over the past 15 years on consumer onboarding and log-in journeys in CIAM. In this article, we will discuss the most common types and flavors of consumer onboarding workflows we see in practice.
Abstract Consumer Onboarding Workflows
The following are the three most common abstract workflows based on the method in which they are initiated:
- Self-registration workflow
- Invitation workflow
- Just-in-time provisioning workflow
In this workflow, the end consumer initiates a request to provision an account in the system by providing his/her details. This is one of the predominant methods of onboarding consumers in B2C solutions. E-commerce websites like Amazon and eBay, and social media websites like Twitter and Instagram use this method.
Figure 1: Self-registration Workflow on Flickr
An invitation workflow is where an administrator or someone with relevant authorization within the organization initiates a request to provision a consumer account, which, in turn, sends out an invitation to the consumer’s verified two-factor authentication (2FA) channel, such as a verified email address or verified mobile number. This workflow is particularly useful when only selected consumers need to be onboarded. In fact, one of the prerequisites for this workflow is that a verified 2FA channel for the consumer is enrolled in the system to send the invitation. This is one of the predominant methods of onboarding consumers in B2B solutions.
The invitation contains a “verifier” — a shared secret — that is used to prove the consumer’s identity. Later in the article, we will explore more on verifiers. Upon receiving the invitation, the consumer will present the verifier to the system in order to continue the workflow.
Figure 2: Invitation Workflow in Prefinery for Enterprises
Bulk consumer invitations are sometimes needed when migrating existing consumers between systems. Also, endpoints that support bulk invitations are typically required to support legacy systems that don’t have API integration capabilities and rely on legacy integrations such as file integrations and change data captures (CDCs).
Just-in-Time Provisioning Workflow
Although this workflow technically qualifies as self-registration, it is a popular and effective technique that deserves its own classification. The end consumer initiates a federated login, which provisions an account in the system.
The two main use cases for this workflow are:
- Social sign-up — typically in B2C relationships
- Federated login with a customer identity provider in B2B relationships
Figure 3: Just-In-Time Provisioning Workflow using Facebook Login in Medium
When discussing invitation workflows, we looked at the abstract construct known as a verifier. Now, let’s dive into more concrete implementations of verifiers. The following are the three most popular flavors of verifiers. However, it is important to understand that the semantics of the verifiers are constant across the three:
- Confirmation code
- One-time-PIN (OTP)
- Temporary password
This is probably the most popular flavor of verifiers on the internet. A confirmation code is a long string, typically comprising 16 or more characters, usually composed of random alphanumeric characters, unreadable and unmemorable by humans, and more importantly, unique and unguessable. The confirmation code is encoded into a callback URL and posted.
Once the confirmation code is posted to the callback URL, the consumer is directed to a notification page that informs him/her to check the channel to which the confirmation code was posted. The consumer will visit the channel and simply click on the callback URL, and that directs the user to the system, where the confirmation code is verified and the workflow will be continued.
Figure 4: Email with confirmation code and user-directed to callback URL in Medium
The confirmation code is more suitable as a verifier for email addresses than mobile numbers due to the above consumer experience.
This is probably the second most popular flavor of verifiers you would come across on the Internet. An OTP is a short string, typically four to eight characters, usually composed of random digits, human-readable and memorable. An OTP may or may not have an expiry time.
The consumer experience is as follows:
- The OTP is posted to the two-factor authentication (2FA) channel and the consumer is directed to the subsequent step in the workflow UI where he/she is prompted for the OTP.
Figure 5: Consumer is prompted to enter OTP posted to Mobile Number in Alibaba.com
- The consumer receives the OTP.
Figure 6: OTP Received to Mobile Number in Alibaba.com
- The consumer will enter the OTP in the application and submit it.
Figure 7: Consumer entering OTP and submitting
- The submission would be verified and the workflow will be continued.
OTPs are the most suitable form of verifier for mobile numbers, compared to confirmation codes and temporary passwords, because they are easier to read off an SMS and enter in the application.
This is probably the least popular flavor of verifiers. A temporary password is a string, which typically resembles a very strong password, usually composed of random alphanumeric characters, unreadable and unmemorable by humans, and more importantly, unique and unguessable. However, the main difference between a temporary password and the other two is that a temporary password is reusable and invalidated only when the onboarding workflow is completed. It also could have an expiry time.
Figure 8: Temporary password sent in an email invitation for ‘Oktane21’ event
Temporary passwords may not be suitable for self-registration and JIT Provisioning workflows if a permanent password was already taken, because it may result in confusion. Also in these two workflows, the verifiers are only needed for a couple of minutes. Hence confirmation codes and OTPs may be less taxing on the user experience.
Temporary passwords are sometimes considered less secure because there is a higher tendency for consumers to copy them to the clipboard and paste. They are invalidated only after the completion of the workflow to reduce the security risks of using shared computers.
- The self-registration workflow is a predominant method of onboarding consumers in B2C solutions.
- The invitation workflow is particularly useful when only selected consumers need to be onboarded and is one of the predominant methods of onboarding consumers in B2B solutions.
- The just-in-time provisioning workflow is used in social signups in B2C solutions and federated logins with a customer identity provider in B2B solutions.
Verifiers serve as an important security element in consumer onboarding workflows. Confirmation codes, OTPs and temporary passwords are popular flavors of verifiers. When choosing a verifier for your solution, you have to consider its security and user experience implications.
In part 2, we will look at the different types of components that make up an onboarding workflow.