Tag Archives: Single Sign On

Implementing Single Sign On using Microsoft Azure

This week Microsoft announced that it will be extending Active Directory on the Azure cloud. This is a major selling point for Microsoft Azure.

Azure Active Directory has been around for about a year now. It enables organisations to create large Active Directories (up to around 500,000 users), providing a Single Sign On (SSO) solution based on an enterprise-level Identity Management standard. Azure Active Directory extends a company’s existing Active Directory to offer a single login across applications, for free.

The new Premium offering, now in preview (i.e. beta) phase, supports unlimited users, two factor authentication (including phone calls and text messages), to provide a Single Sign On solution across Azure applications, even non-Microsoft ones. If an organisation creates a custom app on Azure, they can add Active Directory as their own branded SSO system, competing with the likes of Facebook Connect, Twitter, and so on.

Organisations have been requesting these types of systems for a while. At Endava we build and host customers’ websites which have millions of users. Identity Management (IM) systems are usually licensed on a per-user basis, which is unaffordable for clients who offer free user accounts, so in the past we’ve usually built custom solutions for IM. Windows Azure Active Directory Premium offers this as a cloud-based Identity Management system at a monthly cost rather than per user.

Many IT professionals predict that public cloud offerings will be the end of private data centres. Other IT professionals think that public cloud is fine for consumer apps, but not for the enterprise. I believe that what the enterprise is trying to do determines whether public cloud is an option or not.

Azure Active Directory, especially the Premium offering, significantly strengthens Microsoft’s public cloud offering for the enterprise and provides an affordable IM solution for all websites.

Identity & Authentication – Time for a Financial Services digital services passport?

Endava has been helping a UK IT industry association with some thought leadership pieces recently, and I’ve been permitted to share my contribution before the report is published.

We’ve contributed to two essays, and I’ll post a link on this site when they are released in early 2014. This is the second part of two posts – you can read the first one on user experience for banking customers here.

The answer here lies in three distinct areas:

  1. The Authentication Conundrum
  2. The Internet Identity Crisis
  3. The Organisational, Political and Social Resistance to Single Sign On.

The Authentication Conundrum

Let’s take one of the biggest retail banks in the UK. To log into their online banking systems they have a variety of authentication methods:

  1. Website which requires a physical security device to create a one-time numeric password
  2. Website for their credit card product which requires the user to enter specific digits of their password
  3. Telephone banking which requires the user to enter specific digits of their telephone banking password
  4. Mobile app which requires a 5 digit numeric password
  5. ATM machines which require a 4 digit numeric password
  6. Message board/forum which requires a username (none of the other services require this) as well as a password with a minimum of 8 characters with a combination of numbers, symbols and mixed case letters.

These methods are not only inconsistent, they negatively impact the users’ experience of the online servicing channels.

Organisations need a unified authentication standard. I understand that an ATM requires a physical card, so it can have the easiest authentication of only 4 characters, but why do the message boards (which have no account access) need to be more complex than the mobile banking app?

The Internet Identity Crisis

In order to trust online retailers with our private details, we use SSL security certificates. Certificates are not just for encryption, they are a means of ensuring we are buying from a company who is who they say they are.

It’s now time for the other way round – for customers to prove who they are.

If a user books a room on Airbnb, they don’t want to stay at a mass murderer’s house, and the house owner doesn’t want a mass murderer staying with them either. Both need to have a level of trust on the network – usually achieved by previous transactions being validated.

I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or Airbnb, that eBay ‘score’ should count for something. I’m the same person. And this is the Internet’s Identity Crisis.

The Internet needs a centralised Single Sign On system to link all accounts into a common identity. Facebook and Twitter both have their own systems in place (Facebook Connect and Sign in with Twitter), but the issue here is about Trust. I don’t trust those two organisations to log into my bank, tax or healthcare providers.

I do trust my bank though. And so do most people. Whilst the media attempts to discredit banks, there aren’t mass cash withdrawals from banks because the public fundamentally does trust them.

In my view, to solve the Internet Identity Crisis, banks should build a Single Sign On system which uses similar OAuth based technologies to the social networks which can be used by any third-party website. The system provides authentication to the website, but won’t allow any other details to be exposed unless the user explicitly permits.

Only then will the Internet Identity Crisis be solved.
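As an added illustration (not code from the post, Endava or any bank), the following sketches the consent rule described above: a bank acting as an OAuth-style identity provider tells a third-party site only that the user authenticated, and releases further attributes (including a portable reputation score, as discussed later on this page) solely for scopes the user explicitly ticked. The scope names, customer record and `build_assertion` function are all assumptions made up for the example.

```python
# Added illustration (not from the post or any real bank): a bank acting as an
# OAuth-style identity provider releases only what the user explicitly consents to.

# Constructed sample record the bank holds about one customer.
BANK_IDENTITY = {
    "sub": "cust-0042",                 # stable pseudonymous identifier
    "name": "A. Customer",
    "email": "a.customer@example.net",
    "date_of_birth": "1980-01-01",
    "reputation": {"ebay": {"positive_pct": 100, "ratings": 500}},
}

# Hypothetical scope names and the attributes each one unlocks. "openid" alone
# proves only that the user authenticated; every other attribute needs consent.
SCOPE_CLAIMS = {
    "openid": ("sub",),
    "profile": ("name",),
    "email": ("email",),
    "age_verification": ("date_of_birth",),
    "reputation": ("reputation",),
}


class ConsentError(Exception):
    """Raised when the user declined the minimum needed to log in."""


def build_assertion(identity, requested_scopes, consented_scopes):
    """Return the scopes granted and the claims a third-party site receives.

    Consent can only narrow a request, never widen it: a scope the user ticked
    but the site never asked for is not released, and a requested scope the
    user declined is dropped rather than failing the login.
    """
    requested, consented = set(requested_scopes), set(consented_scopes)
    unknown = requested - set(SCOPE_CLAIMS)
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    if "openid" not in requested:
        raise ValueError("site must request 'openid' to authenticate the user")
    granted = requested & consented
    if "openid" not in granted:
        raise ConsentError("user did not consent to authenticate to this site")
    claims = {name: identity[name]
              for scope in sorted(granted) for name in SCOPE_CLAIMS[scope]}
    return {"scopes": sorted(granted), "claims": claims}


if __name__ == "__main__":
    # Site asks for login, email and reputation; user allows login and reputation only.
    print(build_assertion(BANK_IDENTITY, ["openid", "email", "reputation"], ["openid", "reputation"]))
```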

The Organisational, Political and Social Resistance to Single Sign On.

Technically, Single Sign On has been solved by a number of organisations. This leaves three resistances to Single Sign On: Organisational, Political and Social.

Metro newspaper headline. Source: weareblink.com

Traditional organisations are built in silos. When one part of an organisation builds a system, it’s uncommon for that part to comply with existing authentication systems unless specifically mandated, which is also uncommon. This leads to the issues outlined in the retail banking example above, with six systems, each with different passwords and password complexity.

Political resistance is encountered where a specific authentication system isn’t adopted because of perceived risk or perceived non-standard technical constraints.

Social resistance comes from attention-grabbing headlines such as the one shown above. These headlines undermine the credibility and security of large-scale websites and digital service providers, creating resistance to adopting new technologies. And this doesn’t help anyone.

Using your bank for Single Sign On

Where do you store your important documents?

I’ve been writing about the need for a trusted Single Sign On system across the web for some time now and I think I’ve seen it start to emerge.

My concept of the Single Sign On solution is similar to Facebook Connect, but from a trusted, strong, long term brand. Facebook still needs to prove its credibility in the trust arena. I only use Facebook Connect for some personal sites where I want to reduce, or even avoid, the time it takes to register.

Would I use Facebook Connect for tax returns, or my road tax, or my company’s payroll system? Nope.

I do a fair amount of travel and seem to need my passport number (and sometimes other passport details) from time to time. I once scanned my passport and I keep it as a digital image on some secure digital storage where I know I can access it everywhere (interestingly the UK Government also recommends storing it online using a secure data storage site). The same goes for my National Insurance card, photos of my bikes’ frame numbers and stuff like that. When I speak to other people about this, they have similar solutions, and I know some people who keep these solely as photos on their phone. We all have different levels of security that we’re comfortable with, but I really wouldn’t advise the phone method.

Last week I heard about a new service from Barclays Bank called Cloud It. Cloud It enables, well actually it encourages, users to upload important documents. It then adds additional functionality such as alerts for expiring documents, or regular renewals (e.g. MOT certificates and insurance).

I have no proof whether Barclays Cloud It is any more or less secure than say, BT, Google, Microsoft or Dropbox, but the fact that a bank is storing your document ‘feels’ more secure.

The next step of Cloud It really should be Single Sign On. I would trust my bank to authenticate me into other services.

Trust a bank?

I spoke about this concept of a bank offering Single Sign On at a conference earlier this year. Over lunch afterwards I was asked whether people really trust banks after the recession, and the bad press that bankers often receive. One person on the table categorically stated that he wouldn’t trust his bank.

My answer to this is simple: people still keep their money, one of our most valuable day to day assets, in banks once they’ve been paid and they still go to banks to borrow money for their houses and cars. Conversely, if people didn’t trust banks, we’d be hearing a lot more about mass withdrawals after being paid. But people don’t withdraw their money based on lack of trust (except Cyprus), and this proves that people do trust them, and in the future we’ll be trusting them to log in to all sorts of systems across the Internet.

Five Key Internet Megatrends: 5. Trust

The quest for identity management continues
Credit: http://www.flickr.com/photos/brenda-starr/3509344100/

Key points:

  • We need a Single Sign On across the web, from a truly trusted brand
  • Sellers need to know who customers are, just as much as we need to identify real retailers
  • Web sites that build a reputation score will need to transfer their data

To give you an idea of how ridiculous passwords have become, let’s look at my bank. My bank is one of the most technically advanced banks, and has created some great innovations.

I use their website banking, which uses a login process that seems designed to deter users from using the service. It takes two screens, a physical device to generate a random number, and various other forms of identity.

And then take their mobile app. With a simple 5 digit numerical passcode, I can do almost anything I can do via the website equivalent. Either the security department went on holiday when the mobile app was released, or they came to their senses to make it easier for customers to access their account. I hope it was the latter but it was probably the former.

Passwords are one of the biggest nuisances of the Internet. Another nuisance is multiple accounts. The number of accounts we have, and continue to keep creating, has got out of control. Not only is it out of control, but we then have security experts telling us not to use the same password on multiple sites. And personally I won’t use a password manager because I fear they are all run by some spotty (but clever) teenager from his bedroom, and one day he’ll have access to lots of people’s accounts and go on a spending spree at Amazon.

If I see a website offering to use my Facebook or Twitter credentials to register or login to a website, I’ll always take the offer. It’s so much easier.

The problem with websites offering Facebook or LinkedIn or Twitter login is that the social network gets to keep the customer data, not the website we’re registering with. And also, whilst I’m happy to use a social network to log me on to various websites, I’m not sure I would use Facebook Connect for my healthcare or pension site.

We need a Single Sign On system across the internet from a trusted party. It needs to be trusted by both users and website owners – from my bank to the Inland Revenue (whose authentication system is extremely rigid).

Once we have the Single Sign On system, it needs to keep track of our various reputation scores. I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or Airbnb, that eBay score should count for something.

As the Internet continues to become more complex, retailers need to know their customers are who they say they are, and can be trusted. We’ve been using SSL security certificates on the Internet for a long time now as a means of ensuring we are buying from a company who is who they say they are. It’s now time for the other way round – for customers to prove who they are.

This type of system is called VRM (Vendor Relationship Management). It’s all about making the Internet a level playing field, establishing the trust that we take for granted in the real world and migrating it to the virtual one. All with the aim of being treated as a real human being rather than an IP address and a cookie jar.