An identification and authentication scheme maintains control
relationships among identities in order to allow a user to dynamically
grant or deny permission for a technical support representative to access
the user's data, while allowing the user to retain ultimate control over
access to the data. Interactions entered by the representative can be
distinguished from those entered by the user, while execution paths for
representative-entered interactions are configured so that, to an
application, the representative-entered transactions appear substantially
identical to user-entered transactions. Technical support representatives
are thereby able to duplicate users' problems to enable diagnosis and
resolution of problems without requiring users to reveal their passwords
or login credentials.
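
A minimal sketch of the control relationship described above, as an added example that is not taken from the original document. The names ControlRegistry, Session, dispatch and mailbox_app, and the sample identities "alice" and "rep7", are assumptions made for illustration; credential verification for each actor is assumed to happen before open_session is called.

```python
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Session:
    token: str
    subject: str  # identity the application sees (always the data owner)
    actor: str    # who actually entered the interaction (user or representative)

@dataclass
class ControlRegistry:
    grants: set = field(default_factory=set)      # (user, representative) pairs
    sessions: dict = field(default_factory=dict)  # token -> Session
    audit: list = field(default_factory=list)     # (actor, subject, action)

    def grant(self, user, rep):
        self.grants.add((user, rep))

    def revoke(self, user, rep):
        self.grants.discard((user, rep))
        # The user keeps ultimate control: live delegated sessions die at once.
        self.sessions = {t: s for t, s in self.sessions.items()
                         if not (s.subject == user and s.actor == rep)}

    def open_session(self, actor, subject):
        # The actor has logged in with their OWN credentials (assumed, not modelled);
        # the user's password is never involved.
        if actor != subject and (subject, actor) not in self.grants:
            raise PermissionError(f"{actor} has no grant from {subject}")
        s = Session(secrets.token_hex(16), subject, actor)
        self.sessions[s.token] = s
        return s.token

    def dispatch(self, token, app_handler, action):
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("session invalid or revoked")
        # The scheme can tell the two apart: the audit trail records the real actor.
        self.audit.append((s.actor, s.subject, action))
        # The application cannot: it receives only the subject identity.
        return app_handler(s.subject, action)

def mailbox_app(user, action):
    # Constructed stand-in application with no notion of representatives.
    return f"{action} for {user}"
```

The audit list is what distinguishes representative-entered interactions from user-entered ones, while mailbox_app runs the same execution path for both.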