AGL has brought single sign-on to its online properties as part of its three-year, $300m digital transformation effort, affording customers a higher degree of self-service.
The utility’s enterprise security architect Heng Mok told the recent AWS Summit in Sydney that customers could choose how they authenticated with AGL, “whether that’s through a username or password, a social login, or a one-time password.”
Mok also said the new identity management system was designed to assess the risks of different authentication methods on the fly.
“So as customers step up into more sensitive parts of our sites, how do we [use] adaptive step-up authentication [to assure identity and protect] the things they’re doing?”
Self-service is a major component of AGL’s $300m digital transformation, which was announced back in mid-2016.
“All the back-office functions that have traditionally been performed by the contact centre, we wanted to expose to our customers,” Mok said.
“Being able to offer more self-service capability around how people interact with their energy, so whether that’s looking at their bills or updating their personal details [is important].”
A major stumbling block to achieving that was that every AGL digital property had its own separate identity management.
“We already had a number of digital channels within our environment and all of them had separate identity stores,” Mok said.
“When you start thinking about the user experience, every time they interacted with AGL, whether that’s through our retail channel or our solar channel, they would have separate usernames and passwords.
“There was no common identity across each of those channels. Because of that, being able to market or offer customers value-add services, and even to know who your customer is becomes difficult.
“We identified that identity was a base capability that would be needed as part of any digital transformation as the glueing point across all of our channels.”
The project team made some “key architecture decisions early on”, including a decision to implement an identity-as-a-service (IDaaS) platform, eventually settling on Auth0 through a market-based process.
AGL initially tested Auth0 on “lower risk channels” such as its community portal, allowing its development and security teams to get familiar with the system and how it operated and integrated with existing channels.
“When you’re moving through a digital transformation, channel sequencing becomes important - how do you co-exist with the number of existing systems that you’ve got in play,” Mok said.
“In order to offer a seamless authentication experience as we cut over to the new identity system, we ended up running our existing and new identity systems side-by-side for a period of time.”
AGL took Auth0 into production in March 2017 and has spent the past year integrating nine different applications into the IDaaS solution.
“From a velocity perspective and being able to patternise the integration with new channels and new applications, we’ve been able to take a cookie-cutter approach to be able to bring on new channels quickly,” Mok said.
“We’ve been able to experiment with a number of our New Energy [division] applications which are basically trialling a new product in the market and utilise the same IDaaS solution to be able to deliver that capability.”
While AGL’s intention was to offer a variety of different ways for customers to authenticate and establish their identity, some methods were not as popular as others.
“From a customer perspective what we did early on was we tested our various authentication methods with the market,” Mok said.
“We took a large number of customers, we put them through research, we looked at the different authentication options that we were able to provide through the platform, and we tested them.
“What we found that was interesting was that not a lot of people enjoyed reusing their social logins as part of their user experience with our digital channels whereas things like one-time password - which is a one-time code as a mechanism for interacting with us - has seen a significant uptake in our channels.
“We’ve seen more than 50 percent of our customers decide to take up a one-time code as a mechanism of authenticating with us.”
Mok said one of the biggest tangible benefits of consolidating identity management was an enormous reduction in password reset requests being handled by the contact centre.
“Our contact centre had to deal with a large volume of password resets,” he said.
“What we’ve been able to see as a result of implementing various authentication choices is a significant [86 percent] reduction in that.
“From a value perspective and financial perspective, we can go back to the business and say we’ve been able to get tangible benefits from the investment you made in our IDaaS solution with reductions in terms of the low-value work that the contact centre is doing.”
Mok said AGL also used the project to set up a separate identity team and to “operationalise a DevOps model” within the IDaaS domain.
“The dedicated identity team includes security engineers, API specialists and identity specialists,” Mok said.
“Security owns the [identity] platform but we’ve got a governance process on top and an operating rhythm and model where development teams are able to add capability and functionality as required.
“We’ve come down from a three-day delivery timeframe for changes into a 5-30 minute timeframe for a change with automated regression testing across the stack.
“Being able to push changes out and deliver to a more agile way of working has been one of the achievements as part of delivering this IDaaS solution.”
The company is continuing to bring more of its customer channels onto the IDaaS platform.
“Identity is a journey,” Mok said.
“It’s not the easiest thing to do, so anyone that’s been around the traps and has implemented identity systems in the past knows it requires focus and you have to go in for the long haul.”