6 May, 2022 | 3 min read

Composing Effective Consumer Onboarding Workflows, Part 2

  • Johann Nallathamby
  • Director - Solutions Architecture - WSO2

In part 1 of this series, we introduced the three most common abstract workflows based on the method in which they are initiated. But what makes an abstract workflow a concrete workflow are the different types of components that make up the workflow. In this article, we will take a look at these components.

Onboarding Workflow Components


CAPTCHA implementations are good examples for evaluating the right balance between security and usability. To avoid automated form submissions and spam on the internet, many onboarding portals use CAPTCHAs. According to studies, after introducing this, customer conversion rates can rapidly go down. However, reCAPTCHA from Google is a significant improvement over traditional CAPTCHA implementations, and consumers can now attest they are human without having to solve one.

Figure 1: Google reCAPTCHA for Self-registration in Medium

Identity Proofing

The process of verifying that a consumer’s claimed identity matches their real-world identity and issuing credentials to corroborate that is called identity proofing. This is usually embedded into the onboarding workflow. In social media contexts, you would enroll a two-factor authentication channel such as an email address or mobile number with self-verification, which tells you little about the consumer’s real-world identity. However, in the context of businesses, since the stakes are high, more stringent identity verification requirements are used such as knowledge-based answers, photo ID or passport document, proof of current residence, credit bureau searches, national identity registries, etc.

Technology advancements in the field of document verification, image processing, video processing and biometrics have propelled the adoption of self-service online identity proofing in the mass market. Techniques such as liveness detection in biometrics and contactless biometrics are some key techniques being used widely. There are also many specialized vendors emerging in the market to support these technologies, such as Jumio, Idemia and Evident.

2nd-Factor Authentication

As we saw under the invitation workflow, this component helps in authenticating and ensuring that the user is actually the legitimate consumer who he/she claims to be. However, it may also be used in the self-registration and just-in-time provisioning workflows, depending on how the workflow is composed.

Prompt for Additional Attributes

In some workflows, such as invitation workflows and just-in-time provisioning workflows, collecting additional attributes may be necessary that the initiator or federated login didn’t provide. This information generally comes directly from the consumer to fill certain mandatory attributes in the consumer’s profile in the system.

Figure 2: Just-In-Time Provisioning using Facebook Login in Adobe Spark – Date-of-Birth collected from the Consumer


Obtaining the consumer’s consent by displaying the information that is being stored in the system along with their purposes prior to provisioning an account is most often mandatory in customer identity access management today. Additional consent may be required for terms and conditions agreements, privacy policy statements, preferences on marketing communications, etc.

Multilevel Human Approvals

This component allows you to require a specific user or a user who belongs to a specific group or role to approve a particular stage in the workflow to proceed to the next component. This can be extended to require multiple levels of approvals from multiple users too.

Account Provisioning

This component is responsible for provisioning the consumer account in the system, which in fact is the essence of an onboarding workflow.

Set Password

This component prompts the consumer for a new password and sets it to his/her account.

Figure 3: Invitation Workflow in Prefinery – New Password Prompted

Figure 4: Just-In-Time Password Provisioning using Google Login in LinkedIn – New Password Prompted

It is also not uncommon to find applications on the Internet not requiring you to set up a password to access the system at all. For instance, Medium doesn’t support password-based sign-in; it only provides Magic Link sign-in and social log-in. Applications like Dropbox provide social sign-up without requiring users to set up a password in the onboarding workflow. Dropbox also provides, however, the option of creating a password post onboarding from the account settings section.

Enrolling a Two-factor Authentication (2FA) Channel

Onboarding workflows requiring a primary 2FA channel and allowing an optional secondary channel are very common throughout the internet. Consumers can choose a secondary channel via a self-service consumer portal.

Figure 5: Self-service Consumer Portal to enroll a mobile number as a Secondary 2FA Channel in

Mandating multiple 2FA channels for a consumer helps provide additional levels of assurance in authentication, given cases of stolen laptops, recycled mobile numbers, etc.

The order and placement of the components can depend on multiple factors. For example, self-registration workflows are usually open to the internet for any consumer to onboard. However, keeping it open leads to a potential automated bulk account creation attack, which can potentially also lead to a DDoS attack by exhausting server resources beyond the planned capacity. A possible countermeasure could be to enforce a 2FA channel enrollment to make sure that there is a legitimate consumer at the other end of the request.

Enrolling a Biometric Authentication Factor

Biometric authentication factors are probably the most difficult to steal and spoof among the factors that are widely adopted in the mass market today. Thanks to modern smartphone manufacturers, device-centric biometric authentication factors, such as Face ID and fingerprints, are rapidly gaining popularity.

Figure 6: Enrolling a biometric authentication factor in a banking application

Account Lock/Unlock

This is a security component that is used in a workflow to block access to the system until a certain stage in the workflow is passed. One of the important security requirements for such a component is that the workflow stage must finish during the same transaction as its preceding component. This reduces the system’s vulnerability.

Custom Workflow Component

A custom workflow component is a capability usually provided by vendors to include custom logic into the onboarding workflows. This component can be generally used to call out to an external system such as a Restful service or an enterprise service bus or a business process/business rules engine.

Closing Thoughts

The post-pandemic world is not going to be what it was yesterday. We are witnessing dramatic shifts that are bringing everything online and making the internet more prominent in our lives. Digital transformation projects that were started as strategic initiatives have now rapidly accelerated. Effective and engaging consumer onboarding journeys are no longer just nice to have, they’re a key differentiator between you and your competitors. At the same time, fraudsters have become increasingly active and innovative. Customer Identity and Access Management helps you to accelerate digital transformation while ensuring cybersecurity and excellent consumer experiences.