The following was published as Chapter 3 of our series, The Seven Deadly Sins of Digital Customer Relationships. This chapter can be read by itself as a great introduction to the many benefits of digital wallets and digital agents. However, if you’d like to start from the beginning, you can find the entire series here.
Let’s start with a question: what happens today when a customer forgets their username or password for a digital service?
Most likely they will be taken through a few ‘password reset’ steps, perhaps given a temporary password or link to click to reset things. So far, so normal. But where does that reset password get sent? Probably to their email or SMS provider.
So, the individual opens the message and clicks the link or whatever is needed. They then get passed back to the digital service and are asked to enter a new password. Now that’s fine because most customers can access email and SMS easily.
But let’s look more closely. These password reset pathways are set up right at the beginning of a digital relationship, when customers create a new account with an email address, a phone number for SMS, or a social network login. In effect, these three kinds of provider have become our default ‘identity providers’: the fallback that every other account depends on when customers can’t access their digital services.
Who’s really in control
But what happens if it’s actually these identity providers who lock us out? It happened in late 2017 to a US technology journalist who was shut out of his Google account for a month. He wrote publicly about how disruptive, difficult, and dangerous the situation was. Almost completely and almost instantly, his digital life was frozen. So make no mistake, it’s the identity providers who are in control of the customer relationships here. And seemingly these incidents happen a lot – just look up #facebookdisabledme.
Simply put, this is the wrath of identity providers. Fittingly, some define wrath as “when anger is directed against an innocent person, and when it is unduly strong or long-lasting.” That feels right if you consider the real-life impacts of disabling someone’s digital identity without notice.
Here’s the irony: the right to be forgotten really does exist. It’s just not the customer’s own right; it belongs to the identity provider, who can choose to lock-out and forget the customer whenever they want.
Yes, it’s reasonable for a business to reserve the right to kick people out of an account for breaking the rules. But when that account is the digital door key for the rest of the customer’s digital life, it becomes problematic – technically, economically, and societally.
Customers often get locked out without notice, finding out the hard way that they’ve fallen foul of the T&Cs they never read; or perhaps it’s a technical blip, an accident. But either way, identity providers have all the power; end users are reduced to serfs living under the gaze of today’s digital land-owners, subjected to their rules and regulations (which can of course change at any moment).
If that’s not enough, there’s an even bigger risk: account takeover. Because every reset link lands in the same place, the root identity provider account, e.g., an email inbox or Facebook account, is the effective root of trust for everything recovered through it. If a malicious actor can access that account, it only takes a few clicks to impersonate the customer and reset their logins everywhere.
What a mess.
Wanted: some personal agency
What if customers had a way to represent themselves in each and every digital relationship – uniquely, without needing an identity provider? Well, it would mean that each customer could exercise and control their own digital relationships, independent of a third party. They’d have a sense of ‘digital agency’ that many say is missing today.
The good news is that this is now possible with self-sovereign identity (SSI). Some call these new capabilities ‘digital wallets,’ but think of them as a digital agent: a piece of trustworthy software that the individual alone controls, and which can act on their behalf:
Digital agents are personal. The individual gets to decide where their agent lives, what software it runs, and what policies it runs (additional software that helps them decide who to connect to, what data is shared with whom, and how they send and receive messages).
Digital agents can’t be turned off by a third party. They are built and run using open standards and open source tools, creating a new market of interoperable providers and avoiding vendor lock-in: if one provider disappears or disables service, the individual can run the same agent elsewhere.
Digital agents manage digital connections. They use decentralized identifiers (DIDs) to set up new secure peer-to-peer channels with other agents. Each connection gets its own identifier and keys, so it is unique and private: there is no shared handle, like an email address, linking one relationship to another.
And here’s another important characteristic of digital agents: a private connection lasts only as long as both parties want it to, meaning the customer (or the business, for that matter) can end it whenever they choose. The General Data Protection Regulation (GDPR) enshrined eight rights for individuals. I want to argue that digital agents now give customers a new capability that they didn’t have before… a new ninth right: the right to disconnect.
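To make the two points above concrete (a fresh identifier and key pair per connection, and a disconnect that needs no third party’s consent), here is an added example in Go. It is not code from the original article or from any SSI project. Two agents mint a fresh Ed25519 key pair and DID for each relationship and authenticate messages with the key reserved for that relationship; dropping a connection discards the only key that could authenticate that peer. The `did:example:` method name, the `Agent`, `Pair`, `Send`, `Receive` and `Disconnect` API, and the signed-message layout are assumptions for this demo rather than a real DID method or agent protocol, and transport encryption and DID document resolution are deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Connection is one pairwise relationship; its key pair is used with this peer only.
type Connection struct {
	LocalDID  string             // our identifier as seen by this peer
	localPriv ed25519.PrivateKey // our signing key, for this peer only
	peerPub   ed25519.PublicKey  // the peer's verification key for this channel
}

// Agent holds independent connections and no master account a third party could disable.
type Agent struct {
	conns map[string]*Connection // keyed by the peer's pairwise DID
}

func NewAgent() *Agent { return &Agent{conns: map[string]*Connection{}} }

// didFromKey derives an identifier from a public key. The "did:example:" method
// name is a placeholder assumed for this demo, not a registered DID method.
func didFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + base64.RawURLEncoding.EncodeToString(sum[:16])
}

// Pair is a simplified handshake: each side mints a fresh key pair and DID for this
// relationship alone and gives the other only the public half. Returns a's DID as seen by b, then b's as seen by a.
func Pair(a, b *Agent) (aDID, bDID string) {
	aPub, aPriv, errA := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, errB := ed25519.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		panic("key generation failed") // rand.Reader failing is unrecoverable here
	}
	aDID, bDID = didFromKey(aPub), didFromKey(bPub)
	a.conns[bDID] = &Connection{LocalDID: aDID, localPriv: aPriv, peerPub: bPub}
	b.conns[aDID] = &Connection{LocalDID: bDID, localPriv: bPriv, peerPub: aPub}
	return aDID, bDID
}

type Message struct {
	From, To, Body string
	Sig            []byte
}

// signingInput length-prefixes each field so bytes cannot be shifted between fields by tampering.
func signingInput(m Message) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(m.From), []byte(m.To), []byte(m.Body)} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Send signs body with the key reserved for peerDID.
func (a *Agent) Send(peerDID, body string) (Message, error) {
	c, ok := a.conns[peerDID]
	if !ok {
		return Message{}, errors.New("no connection to " + peerDID)
	}
	m := Message{From: c.LocalDID, To: peerDID, Body: body}
	m.Sig = ed25519.Sign(c.localPriv, signingInput(m))
	return m, nil
}

// Receive accepts a message only over a connection this agent still holds,
// addressed to the DID used on it, and signed by the key registered for it.
func (a *Agent) Receive(m Message) (string, error) {
	c, ok := a.conns[m.From]
	switch {
	case !ok:
		return "", errors.New("unknown or disconnected peer " + m.From)
	case m.To != c.LocalDID:
		return "", errors.New("message not addressed to this connection")
	case !ed25519.Verify(c.peerPub, signingInput(m), m.Sig):
		return "", errors.New("bad signature")
	}
	return m.Body, nil
}

// Disconnect is the "right to disconnect": it discards the only key that authenticates this peer.
func (a *Agent) Disconnect(peerDID string) { delete(a.conns, peerDID) }

func main() {
	alice, bank := NewAgent(), NewAgent()
	aliceDID, bankDID := Pair(alice, bank)
	m, _ := bank.Send(aliceDID, "statement ready")
	fmt.Println(alice.Receive(m)) // accepted while the connection exists
	alice.Disconnect(bankDID)
	fmt.Println(alice.Receive(m)) // rejected: alice alone dropped the connection
}
```

Pairing the same agent with a second peer yields a different DID, so a relying party cannot match the customer across relationships by identifier alone, and a message signed for one channel is rejected on every other channel. The bank keeps its own copy of the connection after Alice disconnects and can still send, but nothing it sends is accepted any more; there is no provider in the middle to appeal to, and none to lock her out.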
A digital reboot
Digital agents have enormous potential. Not only to help us reimagine digital connections and enable a new generation of customer relationships, but also to free us from the wrath of the digital identity providers.
The next time you have to reset your password, just think about how much easier and more dignified it will be when you can represent yourself online independently, privately, and securely. Digital agents have the remarkable potential to unlock new powerful peer-to-peer connections for customers. So it’s time for a reboot of the customer relationship, where digital agents will be at the center of the revolution.
And I’m hoping there won’t be a password reset in sight.