An identity provider (IdP) is a trusted third party that creates and manages a person’s or organisation’s digital identity and its associated identity attributes. With the user’s consent, an IdP offers authentication services to third-party service providers (such as websites, apps, or other digital services): it authenticates the end user and asserts that identity to the service provider, without ever sharing the user’s actual credentials with the service.
IdPs manage identities of varying strength and with varying identity attributes, and may include social media companies, banks, mobile network operators, governments etc.
For example, you’ve probably seen a ‘Sign up with Facebook’ option when registering for a service, in which case Facebook is the identity provider. With the user’s consent, Facebook asserts to the service provider that you have a Facebook identity and provides the attributes you approve to the service, so you don’t need to create another identity for the new service.
As a service provider, the alternative to using an identity provider is to require users to create a new digital identity for your service, asking them to input their data and create a new set of credentials.
Now let’s look at why you would use an identity provider, why you might use more than one identity provider, and how to connect an identity provider to your service.
The customer experience benefits of using an identity provider
Building in the ability for customers to use an existing identity to sign into your service makes it very easy for new customers to simply click to register, reducing form-filling fatigue and abandonment. Keep in mind that 45% of users give up if the registration process is too hard, so anything you can do to ease registration will have a significant impact on your customer conversion rate.
You can make this user experience benefit more inclusive by integrating multiple identity providers, giving users options for signing up to your service. Using the above example, some of your customers may not have Facebook, but would take advantage of ‘Sign up with Google’ and vice versa.
Further, identity providers can facilitate progressive profiling – enriching customer data without customers needing to repeat data entry between the linked services. They simply tick to give permission to the identity provider to provide your service with the information, saving them time and effort inputting the details again.
The security benefits of using an identity provider
How many applications do you have an account with – 50? 100? And if you sign into each of those apps with a different password, are you sure that all of those passwords are strong and unique? Even if you are, it’s likely that the majority of your service’s users are not.
Password fatigue leads to credentials being reused across multiple sites, which presents a significant security risk to your systems. When a set of credentials leaks from one site, attackers replay the same username/password pairs against many others (credential stuffing), and any user who reused that password on your service is exposed. It’s worth noting here that 80% of data breaches are caused by stolen, weak or default passwords.
Using an identity provider removes much of this burden. For users who opt to ‘Sign up with X’ you never receive or store a password, so there is nothing for an attacker to steal from your credential store and no password policy, hashing scheme or reset flow of your own to get right. What you do still hold are the sessions and tokens the identity provider issues, and those must be validated and protected with the same care.
Identity providers can also offer you strong authentication for your service, meaning credentials that are issued only after the holder’s identity has been verified and that are protected by stronger factors than a password. Take BankID for example. A bank already carries out rigorous Know Your Customer (KYC) processes before issuing customers with login credentials, so if customers can sign up to your service with their BankID you inherit that assurance and can be confident that they are who they say they are.
Multi-factor authentication (MFA)
MFA requires customers to present more than one authentication factor, drawn from different categories: something they know (a password), something they have (a phone or hardware token) or something they are (a fingerprint). It is far harder for an attacker to gain access to a service when they must compromise two independent factors rather than one. For example, you may sign in to a service using your Facebook credentials but then have to further authenticate with a mobile phone authenticator app or your fingerprint.
In this way, combining identity providers can make your service considerably more secure and mitigate the risk of data breaches. Customers now expect to see MFA in all kinds of services, and a good identity provider handles the additional factor so that it adds as little friction as possible.
If you have several applications, single sign-on (SSO) is a common best-practice solution to allow your customers to move seamlessly between those applications without entering separate login credentials each time. But what happens if one application requires stronger assurance of an identity than the others?
This is where identity providers can be leveraged for step-up authentication. A customer signs into your service using Facebook, and that is secure enough for a subset of your apps. Then, when they SSO to an app that needs a higher level of assurance (perhaps an area that stores personal data), you ask them to authenticate again with their BankID before granting access.
This situational MFA with identity providers represents the gold standard in balancing security and customer experience.
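The step-up decision described above, written out as an added example rather than code from the original article or from Ubisecure. It assumes a relying party that has already validated the ID token from the user’s current login and keeps its claims in the session. The ACR identifiers `urn:example:loa:social` and `urn:example:loa:bankid`, their ranking, the path-to-level map and the 300-second freshness window are placeholders: OpenID Connect does not define an ordering of `acr` values, so the ranking has to come from the identity provider’s own documentation.

```python
"""Step-up authentication for an OpenID Connect relying party (added example).

The relying party keeps the verified ID-token claims of the current login in
the session. Before serving a path it checks whether that login is strong
enough; if not, it sends the user back to the IdP with acr_values asking for
the higher level.
"""
import secrets
import time
from urllib.parse import urlencode

# Assumed, hypothetical ACR identifiers ranked by assurance. Real deployments
# use the values the identity provider publishes; OIDC defines no ordering.
ACR_RANK = {
    "urn:example:loa:social": 1,   # e.g. social login
    "urn:example:loa:bankid": 2,   # e.g. bank-issued eID after KYC
}

# Which assurance level each part of the service needs (assumption for the demo).
REQUIRED_ACR = {
    "/": "urn:example:loa:social",
    "/account/personal-data": "urn:example:loa:bankid",
}

MAX_AGE_FOR_STEP_UP = 300  # seconds; a high-assurance login must be recent


def required_acr_for(path):
    """Longest-prefix match of the request path against REQUIRED_ACR."""
    best = None
    for prefix in REQUIRED_ACR:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return REQUIRED_ACR[best if best is not None else "/"]


def session_satisfies(claims, required_acr, now=None):
    """True if verified ID-token claims meet required_acr and, for levels above
    the baseline, the authentication happened recently enough (auth_time)."""
    now = time.time() if now is None else now
    have = claims.get("acr")
    if have not in ACR_RANK or required_acr not in ACR_RANK:
        return False  # unknown or missing ACR: fail closed
    if ACR_RANK[have] < ACR_RANK[required_acr]:
        return False
    if ACR_RANK[required_acr] > 1:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > MAX_AGE_FOR_STEP_UP:
            return False
    return True


def step_up_request(authorize_endpoint, client_id, redirect_uri, required_acr, login_hint=None):
    """Build the authorization request that asks the IdP to re-authenticate the
    user at required_acr. Returns (url, state, nonce); store state and nonce in
    the session and check both on the callback."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": required_acr,          # the level we want
        "prompt": "login",                   # force re-authentication
        "max_age": str(MAX_AGE_FOR_STEP_UP), # and make it fresh
    }
    if login_hint:
        params["login_hint"] = login_hint    # e.g. the sub or e-mail already known
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce


def authorize(path, claims, now=None):
    """Return ("allow", None) or ("step_up", required_acr) for a request."""
    required = required_acr_for(path)
    if session_satisfies(claims, required, now):
        return "allow", None
    return "step_up", required


if __name__ == "__main__":
    # Constructed session claims: a social login that is 100 seconds old.
    session = {"sub": "user-123", "acr": "urn:example:loa:social", "auth_time": 1_700_000_000}
    print(authorize("/dashboard", session, now=1_700_000_100))
    decision, needed = authorize("/account/personal-data", session, now=1_700_000_100)
    if decision == "step_up":
        url, _, _ = step_up_request("https://idp.example/authorize", "my-service",
                                    "https://rp.example/callback", needed)
        print("redirect to:", url)
```

On the callback, validate the new ID token exactly as for a first login and then run `session_satisfies` again: `acr_values` is a request, and an IdP may legitimately return a lower level, so the decision rests on the `acr` the token actually carries, not on the fact that a redirect happened.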
How to integrate an identity provider
Customer Identity and Access Management (CIAM) will enable you to connect identity providers to your service and anchor users to their existing digital identities. Ubisecure CIAM supports the standard federation protocols, OpenID Connect and SAML for authentication and OAuth 2.0 for delegated authorisation, which most application platforms (such as SharePoint, WildFly and Tomcat) can already consume, making it easy for your application to accept identity information from third parties based on these protocols.
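Accepting identity information from a third party means validating the assertion before trusting it. As an added example, not Ubisecure’s code or documentation, here is the check an OpenID Connect relying party performs on an ID token before it creates a session: signature, pinned algorithm, issuer, audience, expiry and the nonce that ties the token to the login the application started. It uses HS256 with the client secret so that it runs offline on the Python standard library; the issuer `https://idp.example`, client id `my-service`, secret and sample claims are all constructed. Production deployments typically receive RS256 or ES256 tokens and verify them against the IdP’s JWKS with a maintained JOSE library, but the claim checks are the same.

```python
"""Validating an OpenID Connect ID token at the relying party (added example).

HS256 with the client_secret is used so the example is self-contained; the
claim checks follow OpenID Connect Core 1.0 section 3.1.3.7.
"""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims, key):
    """Mint an HS256 JWT. Used here only to build constructed sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Return the claims if the token is valid for this client, else raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError as e:  # covers bad base64, bad JSON, wrong segment count
        raise InvalidToken("malformed token") from e
    # Pin the algorithm; never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise InvalidToken("bad signature")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise InvalidToken("token not intended for this client")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise InvalidToken("azp missing or wrong for multi-audience token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise InvalidToken("issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise InvalidToken("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise InvalidToken("missing sub")
    return claims


# Constructed configuration for the demo (not a real IdP, client or secret).
CLIENT_SECRET = b"example-client-secret-not-for-production"
ISSUER = "https://idp.example"
CLIENT_ID = "my-service"


def demo(now=1_700_000_000):
    """Mint a constructed ID token as the IdP would and validate it as the RP."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": now + 300,
              "iat": now, "nonce": "n-1", "acr": "urn:example:loa:bankid"}
    token = sign_hs256(claims, CLIENT_SECRET)
    return validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-1", now=now)


if __name__ == "__main__":
    print(demo())
```

The `nonce` check is what binds the token to the authorization request your application issued; without it, a token obtained in one session can be injected into another. Keep the nonce (and the `state` parameter) server-side and single-use.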
Ubisecure supports a wide range of identity providers, from social login through regional eIDs to fully verified bank IDs, and publishes the full list of identity providers it enables. Any further standards-based identity credential can be added quickly via its Authentication Adapter microservice.