An identity provider (IdP) is a trusted third-party company that creates and manages a person’s or organisation’s digital identity and its associated identity attributes. With the user’s consent, IdPs offer authentication services to third-party service providers (such as websites, apps, or other digital services) by authenticating an end-user to the service provider using the identity the IdP manages, without sharing the user’s actual login details.

IdPs manage identities of varying strength and with varying identity attributes, and may include social media companies, banks, mobile network operators, governments etc.

For example, you’ve probably seen a ‘Sign up with Facebook’ option when registering for a service, in which case Facebook is the identity provider. With the user’s consent, Facebook asserts to the service provider that you have a Facebook identity and provides the attributes you approve to the service, so you don’t need to create another identity for the new service.

[Screenshot: Sign up with Spotify, with Facebook as the identity provider for Spotify]

As a service provider, the alternative to using an identity provider is to require users to create a new digital identity for your service, asking them to input their data and create a new set of credentials.

Now let’s look at why you would use an identity provider, why you might use more than one identity provider, and how to connect an identity provider to your service.


The customer experience benefits of using an identity provider

Building in the ability for customers to use an existing identity to sign into your service makes it very easy for new customers to simply click to register, reducing form-filling fatigue and abandonment. Keep in mind that 45% of users give up if the registration process is too hard, so anything you can do to ease registration will have a significant impact on your customer conversion rate.

You can make this user experience benefit more inclusive by integrating multiple identity providers, giving users options for signing up to your service. Using the above example, some of your customers may not have Facebook, but would take advantage of ‘Sign up with Google’ and vice versa.

[Screenshot: Sign up with Airbnb, offering multiple identity providers. Source: airbnb]

Further, identity providers can facilitate progressive profiling – enriching customer data without customers needing to repeat data entry between the linked services. They simply tick to give permission to the identity provider to provide your service with the information, saving them time and effort inputting the details again.

[Screenshot: Kickstarter sign-up with Facebook as identity provider] Signing up to Kickstarter with Facebook – can choose to allow Kickstarter access to my Facebook friends list.

[Screenshot: Following Facebook friends on Kickstarter] I gave permission for my friends list to be shared, so I can now follow them on Kickstarter without searching individually.


The security benefits of using an identity provider

How many applications do you have an account with – 50? 100? And if you sign into each of those apps with a different password, are you sure that all of those passwords are strong and unique? Even if you are, it’s likely that the majority of your service’s users are not.

Password fatigue leads to credentials being reused across multiple sites, which presents a significant security risk to your systems. If hackers get hold of a set of credentials, they often try the same username/password combination across multiple sites, leading to unauthorised access to your system. It’s worth noting here that 80% of data breaches are caused by stolen, weak or default passwords.

Using an identity provider reduces the burden and risk of mitigating these threats in house: for users who opt to ‘Sign up with X’, you no longer need to store and protect credentials yourself.

Strong authentication

Identity providers can offer you strong authentication for your service, meaning the use of credentials that are particularly secure. Take BankID for example. A bank already carries out rigorous Know Your Customer (KYC) processes before issuing customers with login credentials, so if customers can sign up to your service with their BankID you can be confident that they are who they say they are.

Multi-factor authentication (MFA)

MFA requires customers to present more than one authentication factor. It is far harder for hackers to gain access to a service if they have to compromise two factors rather than one. For example, you may sign in to a service using your Facebook credentials but then have to further authenticate with a mobile phone authenticator app or your fingerprint.

In this way, combinations of identity providers can help to make your service extremely secure and mitigate data breaches. Customers now expect to see MFA in all kinds of services, and identity providers will ensure that it is as frictionless as possible.

[Screenshot: LinkedIn MFA]

Step-up authentication

[Screenshot: O2 app asking for additional authentication. O2 requires an additional authentication factor to change payment or address details.]

If you have several applications, single sign-on (SSO) is a common best-practice solution that lets your customers move seamlessly between those applications without entering separate login credentials each time. But what happens if one application requires stronger assurance of an identity than the others?

The following example shows how to leverage identity providers for step-up authentication. A customer signs into your service using Facebook, and that is secure enough for a subset of your apps. Then, when they SSO to an app that needs a higher level of assurance – perhaps an area that stores personal data – you ask them to further authenticate with their BankID.

This situational MFA with identity providers represents the gold standard in balancing security and customer experience.
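As an added illustration of the step-up policy described above (example code written here, not Ubisecure’s own), a relying party rates each login linked to a session by the issuing IdP and by the factors recorded in the ID token’s standard `amr` claim, and triggers a step-up whenever the strongest login falls short of the level the requested app needs. The issuer URLs, the three-level assurance scale and the app list are constructed assumptions.

```python
"""Step-up authentication policy for an OpenID Connect relying party.

Added example, not Ubisecure's code.  Issuer URLs, the level scale and
the app requirements below are constructed for illustration.
"""

# Constructed assurance scale, ordered low -> high.
SOCIAL, SOCIAL_MFA, VERIFIED = 1, 2, 3

# Constructed: identity providers the relying party trusts, and the
# assurance a plain login from each one carries.  Any other issuer is
# untrusted and gets level 0, so it can never satisfy an app.
ISSUER_LEVEL = {
    "https://social-idp.example": SOCIAL,    # e.g. a social login
    "https://bank-idp.example": VERIFIED,    # e.g. a KYC-backed bank ID
}

# Constructed: minimum level each app in the SSO group requires.
APP_REQUIREMENT = {"forum": SOCIAL, "profile": SOCIAL_MFA, "payments": VERIFIED}

# 'amr' values (RFC 8176) that indicate a second factor was used.
SECOND_FACTOR_METHODS = {"otp", "hwk", "fpt", "sms", "face"}


def assurance_level(claims: dict) -> int:
    """Derive the assurance level of one login from its ID-token claims.

    A social login that also presented a second factor (authenticator
    app, fingerprint, ...) is lifted to SOCIAL_MFA; a verified bank ID
    already sits at the top of the scale.
    """
    level = ISSUER_LEVEL.get(claims.get("iss"), 0)
    if level == SOCIAL and set(claims.get("amr", [])) & SECOND_FACTOR_METHODS:
        level = SOCIAL_MFA
    return level


def step_up_required(session_logins: list[dict], app: str) -> bool:
    """Decide whether the SSO session must step up before entering `app`.

    A session may hold several linked logins (e.g. Facebook first, then
    BankID after an earlier step-up).  Access is allowed if the strongest
    one meets the app's requirement; otherwise the relying party should
    redirect the user to a stronger identity provider.
    """
    required = APP_REQUIREMENT[app]
    strongest = max((assurance_level(c) for c in session_logins), default=0)
    return strongest < required
```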


How to integrate an identity provider

Customer Identity and Access Management (CIAM) enables you to connect identity providers to your service and anchor users to their existing digital identities. Ubisecure CIAM supports authentication protocols such as OpenID Connect, OAuth 2.0 and SAML, which are already accepted by most application servers (such as SharePoint, WildFly, Tomcat etc.), making it easy for your application to accept identity information based on these protocols from third parties.

Ubisecure supports a wide range of identity providers, ranging from social to fully verified bank IDs. See the list of Identity Providers that Ubisecure enables here – from social login to verified identities and regional eIDs, and fast addition of any standards-based identity credential via its Authentication Adapter microservice.

[Image: Ubisecure's pre-connected identity providers]

Identity-as-a-Service (IDaaS, aka SaaS-delivered IAM) is a very fast and easy way of deploying CIAM capabilities, including identity providers, into your service with simple configuration. Find out more about IDaaS and start your free trial here.
