State of authentication in Decidim and proposal on how to improve it
With Decidim, we inherit a two-part authentication system: accounts and authorizations.
An account is a user — they have a name, a username, an email, and a password.
An authorization is permission to perform an action on the platform. Generally, authorization is obtained if one is part of a "census," enters a phone number, provides an ID card photo, or something else that certifies one’s identity.
However, neither accounts nor authorizations have been left untouched and we have modified them since we started using Decidim (and we’re not the only ones doing this). For the account, we've created extra sign up fields that allow adding fields to the registration (link to the module and documentation) or friendly signup that eliminates the need to enter the password multiple times, choose a username, etc. Regarding authorizations, we have repurposed them to collect additional information from project holders, which we then collected via our BI and visualization tool, required phone number verification, etc.
These module customizations mainly stem from client requests who want to collect information about users or restrict/secure certain actions on the platform. It’s a legitimate request, though it often leads to poor UX and a lot of technical debt. We have several modules dedicated to different versions of authentication, and some of these modules are divided into several radically different branches. Here are some issues that these modules face:
Here are some requests we can't answer:
Therefore, the situation with authentication is not optimal despite some very nice advancements, particularly friendly signup and extra sign-up fields. The major challenge remains how to accommodate numerous different authentication methods without creating a unique module for each platform, without systematically refusing all client needs, and without sacrificing user experience.
The response we propose results from mapping several client requests that we've seen as a team, the extreme cases being an engineering school, a large French city and one of the most iconic cities in North America, but these are not the only cases where we had to do custom authentications. Here are the three examples:
These examples inspire these user stories:
Satisfying all these user stories is not straightforward: there are as many authentication methods as participation platforms, and we need to optimize both the user experience and administrative flexibility. The proposed approach can be summarized with two words:
Minimal
Requesting the bare minimum limits the load of registration and connection as much as possible.
Progressive
The question now is what would it look like on Decidim?
Let’s start with the user side:
Registration would remain more or less the same except for two major improvements — it would happen entirely in a modal (with a warning on mobile screens), and according to the preferences and obligations of the administrators, the forms would be different, though we would want them to be as simple as possible.
When the user wants to perform an action that requires more information or verification, a new modal would appear asking them to fill in the missing information.
And then for the admin:
A page to configure minimal signup and SSO (in global settings):
The minimal signup to configure would be a choice between email, SMS, or both, and additionally a set of fields configurable by the administrator;
The SSO configuration would be done from a library of existing SSOs by checking boxes for the data to be retrieved and added to the user profile or their general data.
In each management page of a consultation, assembly, or feature, the possibility to add criteria to view (only in the case of assemblies) or perform actions.
To conclude this mini product spec, I wanted to add a FAQ to answer some questions I have already received regarding this presentation:
How do we manage anonymous participation?
How do we send notifications if we don’t have an email address?
How do we manage if more than one action can be performed in a feature?