Passive authentication

Hi All,

Hoping someone can help with this question. In version 11, do we have the ability to force federation at application load? In other words, if I register with an in-house SSO OAuth process and create a username, will Telligent recognize me as a federated user and log me into the community? Or do I have to click log in a second time when I reach the community?

We are building a new community and want the first time registration and log in process to be seamless.

Thanks

Lisa



title change
[edited by: lallison at 9:54 PM (GMT 0) on Wed, Sep 16 2020]
  • Hi Lisa, I wanted to round out your question with some thoughts on my experience implementing Passive Authentication

    To recap the conditions where Passive Authentication can be beneficial

    • Your company has a publicly available Verint Community, and by "public", specifically content in open groups that can be viewed without authenticating
    • Your company has a "Global ID" system in place, where multiple web applications share the same login and that login gets you access to these multiple applications. Sometimes the user is aware of this, sometimes it doesn't matter. It's similar to the concept of Apple ID, where users are conscious that their Apple ID can get them access to most things Apple

    For the user experience of Passive Authentication

    1. The user visits your home page or another public page
    2. When the page loads, some scripting checks for a Global ID session (usually with a lightweight API endpoint) to see if the user has an existing session on your identity management system
      1. If there is a session, there is a quick flicker of redirects, but when the page loads fully, you're automatically logged in. It's "Passive" because you didn't ask to log in, but as a Community Manager, you're providing this convenience to your customer
      2. If there is not a session, you do nothing and the user continues to browse anonymously

    or

    1. The user is on another company page, e.g. www.NameOfYourCompany.com and has logged in through your Global ID
    2. When the user clicks on a Community link that is on that website, naturally the user would expect to be logged in there as well
    3. Once the user lands on community, then steps 1 and 2a in the previous flow apply and the user will be logged in automatically to the community. There is a common misconception here to think that the main website is "passing" something to the community, which it's not. It just happens that the user is logged in with a Global ID, and both the www site and community are configured to check for it.

    For many years, the benefit here was the ability to authenticate your users as a convenience. A similar use case for this endpoint is to meet a security requirement, where even when a user is logged in, you check the session on every page load and every 30-60s if the page is left idle, so if your Global ID session expires, you can force Verint logout as well, keeping the user's browser experience secure.

    This sounds amazing, why doesn't everyone use this

    One reason is the performance consideration. If the reality is that your community traffic is 90% public and 10% authenticated, then checking your Global ID's session endpoint every page for every user on every application (not just Verint!) can hurt performance with all that traffic. One way to mitigate this is to check on the user's first access, then set a cookie for a reasonable amount of time - say, 15-20m - then try again. During this time, the user may actively try to authenticate, so the same means will be achieved and the user will establish a Global ID session by actively logging into the community. Then if they go to the company's main site, e.g. www.SomeWebsite.com that uses the same Global ID, they will be automatically logged in there.

    What are reasons why you wouldn't use Passive Authentication

    1. If you have a closed or gated community, you're forcing the user to log in every time, so the user has to choose to authenticate
    2. If your main Identity Management System is not mature enough to manage this traffic, or is using a homegrown system that doesn't allow for easy integration with other web applications

    As you can see from the amount of content here to describe it, it's not a trivial exercise, but it also can be done with just a little work:

    • A widget, plugin or automation rule in verint to check your auth system for an existing session
    • Your authentication system must have a cookie or API that the community can check to see if this session exists

    Hope this helps!

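The two flows the answer describes (probe the Global ID session on page load, throttle the probe with a short-lived cookie, and keep re-validating a logged-in user so an expired Global ID session forces a community logout), as an added browser-side example. This is not code from the original post, from Verint or from Telligent. The endpoint https://id.example.com/session/status and its {"active": true|false} JSON reply, the /login?ReturnUrl= and /logout paths, the gid_checked cookie and the data-logged-in body attribute are all assumptions; substitute your identity provider's real session endpoint and the community's federated login entry point. The decision logic is kept in pure functions so it can be tested without a browser.

```javascript
// Added example (not Verint/Telligent code): passive authentication in the browser.
// All endpoint, path, cookie and attribute names below are hypothetical.

const STATUS_ENDPOINT = 'https://id.example.com/session/status'; // assumed IdP endpoint
const LOGIN_PATH = '/login';        // assumed federated login entry point on the community
const LOGOUT_PATH = '/logout';      // assumed
const THROTTLE_COOKIE = 'gid_checked';
const THROTTLE_SECONDS = 15 * 60;   // the answer suggests 15-20 minutes between probes
const IDLE_RECHECK_MS = 45 * 1000;  // the answer suggests re-checking every 30-60 s

// Normalise the IdP reply. Only an explicit boolean is trusted; an error page, a
// network failure or an unexpected shape is 'unknown', so a hiccup at the IdP never
// logs anybody out of the community.
function parseSessionStatus(body) {
  if (body && typeof body === 'object' && typeof body.active === 'boolean') {
    return body.active ? 'active' : 'inactive';
  }
  return 'unknown';
}

// Logged-in users are always re-checked (that is the security use case); anonymous
// users are only probed once the throttle cookie has expired, which keeps the
// 90%-public traffic from hammering the IdP.
function shouldProbe({ communityLoggedIn, throttleCookiePresent }) {
  return communityLoggedIn || !throttleCookiePresent;
}

// Map local login state plus the IdP answer to the action the page should take.
function nextAction({ communityLoggedIn }, status) {
  if (communityLoggedIn) {
    return status === 'inactive' ? 'logout' : 'none'; // 'unknown' keeps the session
  }
  if (status === 'active') return 'login';
  return 'set-throttle'; // no session, or IdP unreachable: back off for a while
}

// The redirect "flicker" carries a return URL; only ever bounce to a same-origin path.
// Schemes, protocol-relative '//' prefixes, backslashes and control characters are
// rejected so the login hop cannot be turned into an open redirect.
function safeReturnPath(raw, fallback = '/') {
  if (typeof raw !== 'string' || !raw.startsWith('/') || raw.startsWith('//') || raw.includes('\\')) {
    return fallback;
  }
  if (/[\u0000-\u001f]/.test(raw)) return fallback;
  return raw;
}

function loginRedirect(currentPath) {
  return LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(safeReturnPath(currentPath));
}

// Throttle cookie: no value worth stealing, but still Secure and SameSite so it is
// only sent where it is meant to be.
function throttleCookie() {
  return `${THROTTLE_COOKIE}=1; Max-Age=${THROTTLE_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

function hasCookie(cookieHeader, name) {
  return cookieHeader.split(';').some(c => c.trim().split('=')[0] === name);
}

// Browser glue; only runs inside a page. The fetch carries the IdP's own cookie
// (credentials: 'include'), which requires CORS with credentials on the IdP side.
async function runPassiveAuth(state) {
  if (!shouldProbe(state)) return 'none';
  let status = 'unknown';
  try {
    const res = await fetch(STATUS_ENDPOINT, { credentials: 'include', cache: 'no-store' });
    status = res.ok ? parseSessionStatus(await res.json()) : 'unknown';
  } catch (_) { /* leave status as 'unknown' */ }
  const action = nextAction(state, status);
  if (action === 'login') {
    window.location.assign(loginRedirect(window.location.pathname + window.location.search));
  } else if (action === 'logout') {
    window.location.assign(LOGOUT_PATH);
  } else if (action === 'set-throttle') {
    document.cookie = throttleCookie();
  }
  return action;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const state = () => ({
    communityLoggedIn: document.body.dataset.loggedIn === 'true', // assumed marker rendered by the theme
    throttleCookiePresent: hasCookie(document.cookie, THROTTLE_COOKIE),
  });
  runPassiveAuth(state());
  // Idle re-validation for logged-in users only, so an expired Global ID session forces a logout.
  setInterval(() => { if (state().communityLoggedIn) runPassiveAuth(state()); }, IDLE_RECHECK_MS);
}
```

Two things to check before relying on this: the probe is a cross-site request that must carry the identity provider's session cookie, so the IdP has to answer with Access-Control-Allow-Credentials: true and an explicit Access-Control-Allow-Origin for the community's origin, and its session cookie needs SameSite=None; Secure. In browsers that block third-party cookies the probe will simply never see a session, which degrades to ordinary anonymous browsing rather than breaking the page. Treating a failed probe as 'unknown' rather than 'inactive' is deliberate: an outage at the IdP should not mass-logout the community.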