Anyone who has been online for a while most likely has numerous online accounts. It’s just a fact of online life. For example e-commerce sites may ask you to register so you can come back later to track the status of an order you have placed. The problem with this is many sites still ask you for a direct username and password. Security best practices are to never reuse passwords between sites. There are tools that can help remember the passwords you have used, but most mere mortals give in and do reuse passwords – it’s too hard to remember them all otherwise!
Why is reusing passwords bad? “I came up with such a clever password that nobody is going to crack! Why can’t I just reuse it?” The problem is the more sites you give a password to, the greater the chance that the password will be compromised. If any one of the sites is compromised, your password is compromised across many accounts. It’s not hard to automate a bot to try your password across a list of sites the attacker is interested in.
For more advanced users that do use at least a few different passwords (they may have different qualities of passwords for different sites they use – e.g. banking sites vs forums), they often forget which password is for which site. That may mean they try multiple passwords until one works. If the site they are talking to has been hacked, the attacker can collect multiple passwords in one sitting!
Entering passwords is also a major friction point for visitors. Nobody enjoys filling in a username/password. It is seen as necessary, not enjoyable. Especially on a mobile device!
This has led to the rise of identity providers – sites that maintain login credentials (frequently an email address and password) which can be used to authenticate against other sites.
So what are some of the benefits of using an identity provider?
- A major benefit for users is reduced friction. Rather than typing in a password for each site they visit, they sign on once to an identity provider then to navigate to sites and log on with a single click to select which profile they wish to use. This is a major driver for adoption of identity providers.
- Security is also a key attraction, or at least it should be! The user’s password managed by a dedicated expert security team, making the user’s password much harder to steal.
- Identity providers invest more than typical merchant sites into security, providing better quality tools and services around authentication and security (such as text messaging security codes for potentially suspicious new device activity).
- If a merchant site is compromised, the user’s password is not compromised because the merchant’s site never sees the user’s password.
- Security aware users may not wish to supply a password to your site as they do not know if you are staying up to date with use of latest security best practices. (How does a user know you are not storing the password in plain text?) There is greater trust in identity providers.
- If the identity provider password is compromised (e.g. guessed), the user only needs to update it in one place. Having to update numerous sites on the web is painful – it is hard to remember them all (some may be missed), and after a while it can be hard to track which site has which password.
- Identity providers can watch for suspicious patterns of behavior across multiple sites.
- Users no longer have to remember many different passwords. Further, web browsers can reuse authentication details across sites, reducing the number of times a user needs to log in. This is particularly important on mobile devices where keyboards are more painful to use – users may give up in frustration rather than register or login.
- Email based identity providers have an advantage in that they guarantee to provide a reliable email address for the user. Merchant sites also need correct email addresses for password reset flows. Email addresses are also often easier to remember for users than a user id (especially since different sites allow different characters within user ids).
Given all the positives for using an identity provider on your site, are there any negatives?
From developers one of the challenges is that it requires additional development work and maintenance. If there is an existing account database, that functionality needs to be kept (and you don’t want to turn away customers who do not wish to use an identity provider). It does add more complexity having multiple authentication schemes with support infrastructure such as password recovery options.
Another concern I have heard is some merchants do not want to use such services because they want to keep their own customer databases private. It is true users logging on to merchant sites via an identity provider will be visible to the identity provider. My simple answer to that concern is let users log on via the identity provider or a locally created account. The user then has control over the decision of how much information to reveal to the identity provider.
There are other concerns I have heard, such as customers cannot log on if the identity provider goes down. Any merchant should think through implications as there can be concerns specific to a merchant’s business. But my personal general advice is there are more positives than negatives adopting an identity provider for customer registrations on the merchant’s site. Do you think a service you run yourself is going to be more reliable than that of an identity provider? However if it is mandatory that users authenticate against your site (e.g. true for some B2B sites), then consider allowing direct logins with a password recovery link so they can register directly in emergency situations, or support multiple identity providers tied to the same email address.
Personally I am starting to not sign up for sites where I cannot use an existing identity provider. I just walk away if I have to enter a password to a new site where I have no idea of the quality of the site’s security. So if I am your customer, sorry, you are probably not going to get my customer details *unless* you allow me to use an identity provider service.
The above discussion is by no means an exhaustive discussion on security or authentication systems. It was triggered by a few comments I had heard recently about not wanting to use an identity provider with the rationale to improve customer privacy. While it can be true, in reality I personally do not think this is a strong reason. Laws like GDPR are helping control the usage of private data (and are taken seriously by large organizations), plus there are lots of other ways to track users (after habitually accepting that good old GDPR privacy warning popup you have become desensitized to). Ultimately I think identity providers minimizing the number of logins users have to remember is an overall win – especially for sites with infrequent visits and lower security requirements (compared say to a banking site).