What is an "Identity Journey"?
In the Apple TV series Ted Lasso, footballer Jamie Tartt does not properly secure his email (using the password "password" -- with two s's!). As a result, hackers steal a video that disrupts the personal and business life of his former girlfriend, Keeley Jones. Events like this fictional one are becoming more and more common in real life. And it's not just fake celebrities that are struggling to keep their digital assets secure.
The engineers of the digital identity ecosystem recognize that everything and nothing has changed. The technology at our fingertips is more powerful than ever. And yet human nature is eternal. So to build a more secure digital society, we need a new metaphor for "authentication". And many believe the best metaphor is that identity has become a "journey"--not as annoying as a commute! But a "journey" may involve a few steps, depending on where you're going.
When industry experts use the term "identity journey", they mean the process of verifying and authenticating the identity of a user across different channels, devices, and interactions. It is an apt description because it reflects the dynamic and complex nature of digital identity in the modern world, where users need to access various services and platforms securely and conveniently.
An identity journey can involve multiple steps, such as:
- Enrollment and identity proofing: The user provides personal information and evidence to establish their identity for the first time
- Omnichannel authentication: The user verifies their identity using different methods, such as passwords, biometrics, or device data, depending on the context and risk level of the interaction
- Interactions and transactions: The user performs actions or exchanges information with the service or platform, such as making a payment, updating their profile, or requesting support
An identity journey can vary depending on the user's needs, preferences, and behavior, as well as the service or platform's requirements, policies, and regulations. Therefore, an identity journey should be flexible, adaptable, and user-friendly, while also ensuring security, privacy, and compliance.
At Gluu, we recognized the need for standardization and reusability in identity journeys. OpenID Connect is fit for the purpose of detailing the results of an identity journey. The OpenID id_token is a signed JWT that can convey--with cryptographic trust--the result of the specific identity journey. How was the person authenticated? When were they authenticated? When did they register? To what services have they subscribed? Which of their user claims can you trust? All these details are either present in an OpenID Connect identity assertion (i.e. id_token) or available as a result of further interaction with the OpenID server.
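What a relying party might do with the id_token described above, as an added example that is not Gluu's code or part of the original article: it verifies the signature, then reads `auth_time` and `acr` to answer when and how the person was authenticated. It assumes an HS256 token keyed with a shared client secret; the issuer, client ID, secret and `acr` value are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_sample_token(claims, secret, alg="HS256"):
    """Build a constructed test token (stands in for the OpenID server)."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def check_journey(token, secret, issuer, client_id, required_acr, max_age, now=None):
    """Return verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64d(head))["alg"]
        sig = b64d(sig)
    except (ValueError, TypeError, KeyError):
        raise ValueError("malformed token") from None
    # Pin the algorithm; never let the token header choose it (rejects "none").
    if alg != "HS256":
        raise ValueError("unexpected alg")
    good = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    c = json.loads(b64d(body))
    aud = c.get("aud")
    if c.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= c.get("exp", 0):
        raise ValueError("expired")
    if now - c.get("auth_time", 0) > max_age:   # when were they authenticated?
        raise ValueError("authentication too old")
    if c.get("acr") != required_acr:            # how were they authenticated?
        raise ValueError("insufficient acr")
    return c

# Constructed sample values; none of them come from a real deployment.
SECRET, ISSUER, CLIENT = b"constructed-client-secret", "https://idp.example", "demo-rp"
NOW = 1_700_000_000
SAMPLE = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT, "exp": NOW + 300,
          "auth_time": NOW - 60, "acr": "urn:example:mfa", "amr": ["pwd", "otp"]}
```

Deployments that sign with an asymmetric algorithm such as RS256 would verify against the OpenID server's published keys instead; the claim checks stay the same.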
Building OpenID Connect flows has never been easier. For more information on how you can use low-code block programming to build the identity journeys of your dreams, visit Agama Lab.