We’re routinely advised not to reuse the same access credentials across different services due to the security risks of doing so. Despite this, only 35% of people use different passwords for all of their accounts. There has been a solution to allow safer reuse of passwords for quite some time already. It’s called Bring Your Own Identity – BYOI, or sometimes BYOID.
Bring Your Own Identity – BYOI Overview
BYOI is a form of federated identity where access to different service providers’ (SP) services is permitted using credentials provided by a third-party identity provider (IdP), not credentials created for the service itself. In practice, this means that users can access the service with identity credentials that they already have instead of creating new ones. Yes, it means that you are technically allowed to use the same password for several services.
In most cases, the identity provider is either a social media company such as Facebook, Google, LinkedIn, Twitter or Amazon, or a business login such as Office 365 or G-Suite. Even a bank ID can be used as an option for BYOI in some countries, particularly the Nordics, but due to the ‘pay per authentication’ cost structure and multi-step procedure it is generally most popular where strong authentication is necessary.
Bring Your Own Identity: Benefits
Having to sign into each service with unique credentials poses several issues to both end-users and service providers. The most common complaint from the user’s side is the difficulty of remembering a unique password for every service. One option, that 24% of people rely on, is to use a password manager, but you have to make sure that it has been installed on all of your devices and is synchronised between them. And don’t forget to upgrade all of them every time there are new versions available, which is several times per year – not a simple task since we have so many internet-enabled devices in our hands nowadays.
The more common way to solve the problem is to reuse the password, despite all the advice we have heard against this method. BYOI gives us the possibility to reuse the same passwords safely, since the IdP passes identity attributes but not the password information to the SP, so it is not compromised in case of security leaks.
Since the identity is independent of the target application in the case of BYOI, the service provider does not necessarily have to maintain identity information at all. This means lower identity-related security breach risks for the SP. The Identity Provider is responsible for maintaining the identity information and sending the attributes to the service when needed.
For service providers, BYOI is a fantastic opportunity to enhance the user experience. It allows visitors to quickly register using their existing credentials thus improving customer satisfaction, in turn increasing the conversion rate from visitor to registered customer and reducing abandonment rates. Note that 45% of users give up the registration process if it is too cumbersome.
A note on social logins
Cost-wise, BYOI is an affordable way for a service to provide authentication methods, especially with social logins. Social media Identity Providers like Facebook, Google and Twitter don’t charge according to the number of authentication transactions. Service providers can offer several social media authentication options for the users – Facebook, Google, LinkedIn etc. depending on the type of service.
It could be said that social login is not the most secure authentication method due to the unreliability of the given identity attributes – as anyone can set up a social account and the attributes are not verified. However, there are a huge amount of services where it is reliable enough for the purpose. Plus, there are ways of increasing the reliability factor, especially if you engage social media login with a proper CIAM (Customer Identity and Access Management) solution, as I’ll explain in the next section.
BYOI and Customer IAM (CIAM)
If you allow access via social login without a registration process in place, then everyone with a given social media account can access the service. If you want to filter registrants however, you will need to store some identity attributes in your system. A proven CIAM system is a safe place to store these attributes.
To make the registration process user-friendly, users begin registering by doing the social login, and the Identity Provider sends the identity attributes directly to the registration form. Users can then verify the information and add the missing fields. The next time a user logs into the service, Directory User Mapping is used to fetch one or more known identity attributes from the IdP’s service (e.g. Facebook, Google or Twitter) and match them with the account of the local user. Service providers can use their CIAM system to set up the filtering process.
One step further is to automate the registration process using Just in Time Provisioning (JIT), which automates user account creation. During the initial authentication, the service provider collects and stores the necessary information from the message sent by the IdP and creates an account. More attributes can be acquired from users if necessary.
Once the account has been created, the CIAM software can provide SSO (Single Sign-On) to all of an SP’s services (where this has been authorised).
There are also other benefits a CIAM system can provide for service providers with regard to BYOI:
- Easy provisioning of multiple authentication method options per service.
Which social media logins should be provided to this specific service and should there be other options available, such as business logins? You can choose the authentication methods from a ready-made list.
- Filtering of the identity attributes.
CIAM can easily control the attributes flow between the IdP and SP, choosing only the minimum required attributes needed by the end service to comply with regulations such as the EU’s GDPR (General Data Protection Regulation).
- Step-up authentication using e.g. social login as the first step.
The basic idea is to allow users to access certain parts of the service by using e.g. the social login. But if the user wants to access more sensitive information or deal with money-related transactions, then a second-factor stronger authentication method could be required to verify the identity of the user at a higher assurance level.
- Manual linking of different authentication methods with UDF (User Driven Federation).
SPs can let end-users link existing third-party system credentials, such as social logins, to their online service. After this, instead of using the username and password registered for the service, users can authenticate with their social logins.
- Verified social identity to increase the reliability of the social login.
Service providers can ask users to verify their social identities by requesting stronger authentication during the first login. This is a one-time operation only after which the users can access the service using only social login.
BYOI is a brilliant way for apps and services to provide user-friendly journeys – increasing signups and reducing the security risks of re-used passwords. Which identity providers you connect to your app will depend on the kind of service you provide and how strongly assured you need to be of the user’s identity – there are many options available.
BYOI is best implemented by Customer Identity & Access Management software, which enables seamless and secure identity management. Ubisecure CIAM incorporates advanced BYOI capabilities, deployed via a cloud-based IDaaS (Identity-as-a-Service) model.