For Ela and Ela, my mother-in-law and my mum’s sister.
I recently had the pleasure of visiting a customer in Denmark and while I took the trip predominantly for business reasons I was lucky to visit my family. It was my dear aunt Ela who inspired me to write this blog. She is a senior lady (though it feels like she doesn’t age, for me she hasn’t changed a bit in the last 20 years, if you’re reading this Auntie – thank you).
Digital Transformation Age
Let’s look at the timeline, shall we? Most businesses undergo some form of digital transformation. They say if you don’t, you won’t survive. There must be some truth in that and while potentially scary for those who remember code on punch cards, for young people it is a perfectly natural thing. We have deployed MFA (Multi Factor Authentication) to protect our identity, we have the bells and whistles in our mobile apps, we collect parcels from local locker services using nothing more than our mobile phones. And while it is 2022 and the young generation leads the way, we have somewhat neglected the older generation, a generation for whom opening a bank account and sending money equals human interaction with the bank teller. We have not completely forgotten about them but I see a gap and personally feel ashamed and responsible. From now on I am making myself accountable for a refined model whenever designing a CIAM (Customer Identity and Access Management). We still have a portion of the population which did not grow up alongside the digital age and we need to try harder to incorporate the digital elements into their traditional, analog life.
Digitally Vulnerable Person
Let’s define who a DVP is. Firstly, whether a person is vulnerable is not solely dependent on one’s age. It can be a person of age, but it may well be someone with learning difficulties, impaired vision or hearing or someone who just wasn’t around technology growing up for various reasons. To put it in a nice way, technology and a DVP are usually not best friends.
The impact statement of an ISP victim (Internet Service Provider)
The Internet stops working. The technically savvy person starts some form of troubleshooting. Checks the default gateway, pings bbc.co.uk (can’t feel more sorry for their web servers), logs into the router – the lot. A DVP (at best) power cycles, tries again, waits, tries again, at some point even starting to think it’s their fault. It takes a day or two, but they eventually decide to take action. In a leap of faith, they call the support line and face 999 options for the best part of 20 minutes before someone picks up the call and fires 20 questions as if they played round two of Tipping Point (for those unfamiliar it’s all about time). The operator cannot comprehend that the customer on the other side just doesn’t understand what he is talking about. And then… the well known template ‘there’s nothing wrong with your service, it all looks good from where I am sitting’, but… there’s no Internet and I can’t Facetime my granddaughter. Make no mistake, THIS IS A PROBLEM!
Parcel locker services
You ordered an item on-line, but it can only be delivered to a collection point. It’s easy, you get an email, you can go to pick it up. All you need to do is install a mobile app and log in with your credentials. Easy, right? No! I don’t have a smart phone and last time I checked it’s not a crime or a reason to be excluded. In fact most accessibility featured phones are not smart. One should not have to buy one, let alone learn to use it extensively. A DVP asks the neighbour for a favour. It has to be collected in 5 days, otherwise it’s sent back. The angel of a neighbour helps, the other simply apologises for no time. Make no mistake, THIS IS A PROBLEM!
Mobile Internet Provider’s crimes against DVPs.
You’re not in a fibre or coax area, the only way to get on-line is via a 4G or 5G router. It’s a PAYG offering and the grandson tops up the account every quarter, so his favorite granny can watch YouTube videos and explore the world from the perspective of Google Street. Digital transformation kicks in and the provider now requires MFA to log into the account. The chosen method is SMS sent to… the SIM card in the 5G router. All you need to do is log in to ‘https://192.168.0.1/setup’, enter the credentials from the sticker on the device, which are so small an eagle-eyed person would struggle to read them without a magnifying glass, click here, there, change the tab… and et voilà – you get your MFA code. The only trouble is that the router is with the DVP and the grandson is 1500 miles away. Make no mistake, THIS IS A PROBLEM!
Compensating controls
1. The menu
Press 1 if you’re a DVP (straight to operator). Press 2 for… press 3 for… press 9 for any other issue. THIS IS NOT A PROBLEM.
2. The interaction
If you’re dealing with a DVP, you need to slow down. Use less technical language. Reassure the person and set the right expectations from the word go. If it takes too long, move immediately to the next stage – fail fast. What does that mean? For a support engineer who is not making progress in say 5-10 mins it means scheduling a visit to the customer and fast. Priority is key. Not after we install the Internet for the 256 non vulnerable customers. If it turns out it was the WiFi switched off in the iPad – THIS IS NOT A PROBLEM.
We need to develop procedures to deal with DVPs, educate and train our call center staff and engineers, perhaps even select a few with the right skillset or predispositions. Those customers have to feel we’re here for them. They need us most.
3. The security – alternative offer vs one fits all model
One can argue that we have developed the app to open the box with the parcel via Bluetooth for security reasons. We are not only protecting the business, but most importantly the customer. We don’t have to solve the problem of DVPs by switching to a code vs app for everyone. A DVP could be a status given to a customer and should they choose to use a PIN or OTP (One Time Passcode) to unlock the box – THAT IS NOT A PROBLEM. The surface area of the attack is small, mitigate the risk by insurance if you’re really keen.
Denmark’s MitID (MyID)
A government issued digital identity that one can use for accessing healthcare, council services, banks etc. It’s not all about the app, the DVPs have the ability to get an OTP device, which not only uses a large font, it reads the code out loud and doesn’t have a single unnecessary button or function. This state-sponsored solution is such a great candidate for a bridge to decentralised identity. What a fantastic idea, kudos to Danish IAM leaders!
The dream
I was thinking long and hard trying to dream big and picture the perfect world for DVPs as far as identity is concerned. Unfortunately, for me it’s the decentralised identity (you can read about it in my Christmas Tale of Identity). A government issued ID, consumed (vs federated) by various systems – Amazon, council, Internet, energy companies, TV and streaming services providers, you name it. The one and only app you need to handle it all. No passwords, no codes to remember. Just you, your device and your fingerprint.
What can we do now?
Well, if you’re an ISC2 certified professional, one of the opportunities to maintain certification is to volunteer to proctor exams, help with IT programs in schools, write articles or present at conferences. Why not help DVPs? Let’s create some sort of network of IT professionals who go out of their way, above and beyond and help those who need it most in our beautifully complex world of IT. Let’s have the passion and desire to unblock and remove the problems for those who see them bigger than they really are. I know this can’t be rushed and there must be some guardrails to protect people from predators. But we don’t need to formalize it today, it’s a cultural change. Help those you know or that are around you. Maybe, with a bit of luck we won’t need to do anything beyond.
Improving the digital customer journey for DVPs cannot be done in isolation. We may have some ideas, like the ones I posted in this blog, but actually, we have to ask for their help and listen to them to learn more about the problem and then find solutions. I have always been a fan of the customer-centric approach, but in this case, I don’t think we have any other choice.
And from now on, if I evaluate maturity in CIAM, if you deal with DVPs but have no controls to make their experience better, you won’t get 10 out of 10 🙂