A recent NIST Study has found that users are experiencing ‘security fatigue’. Security fatigue is caused by users having to remember yet another password, register for yet another online service, or being told they must do (or not do) something related to IT security. The impact is poor security, which leads to cyber-attacks and lost business.
Even if it costs more, it’s often easier to buy something from an online retailer that we’ve already registered with, simply because it means we won’t have to register for another shopping cart with yet another new password. Businesses are losing customers because of this kind of fatigue.
The average person has 22 different passwords to remember
Sharing passwords between services weakens a user’s online security and risks exposure to hackers. If your password is stolen from one site, it can be used on another. At the time of writing, there are currently 1.8 billion usernames and passwords available on the dark web which have been exposed during data breaches, and we can be pretty sure that cyber criminals are using them for personal gain of some sort.
All of this is security fatigue: it’s a real problem, and one that will only get worse, as we continue to expect users to remember lots of different passwords and requirements. As well as making life more difficult than it needs to be for the user, it means storing user credentials within your online service – a process which opens you up to hackers, who might be looking to sell these credentials on.
Fortunately, there is a solution available which can help with these issues! By removing the need to store credentials and allowing the user to use a credential that they already have and probably use daily, Azure Active Directory B2C can reduce security fatigue.
Azure Active Directory B2C
Azure Active Directory B2C is a new service from Microsoft which, through the provision of identity management, allows you to concentrate less on the issue of authentication and more on the features of your online applications.
Users are made able to use a social login such as Facebook, Amazon, Google, etc., with email and password as a backup if they don’t use any of the configured providers. Subsequent authentications are simple, as the user just needs to remember which provider they chose during registration. As a result, they don’t have to remember yet another password; they’re using credentials you use every day. What’s more, you don’t have to store their credentials, which reduces the size of your attack surface.
Integration into your application is relatively simple, with Microsoft providing libraries that contain all the heavy lifting around authentication. The libraries are available in several flavours (.Net, PhP, etc) and as B2C uses standards based OpenID Connect and OAuth behind the scenes any standards compliant library will work. Additionally, plugins for popular applications such as WordPress are already available, making basic implementation nothing more than a configuration exercise.
As the name suggests, Azure Active Directory B2C is built upon the already massively used Azure Active Directory, so you know it’s scalable, highly available and secure. It’s also customisable, allowing you to tailor the user experience and branding to your needs. You can gather additional information during registration, and this can be used within the application (e.g. home address).
If you have more than one application configured within your Azure AD B2C tenant, you will be able to reuse the registration and login info between the applications giving you single sign-on (SSO) between applications.
Give it a try within our demo application. Click ‘sign up’ in the top corner of the window and follow the process for yourself. You will see that registration and subsequent logins to the service are very simple and don’t require the user to remember anything new. Additionally, ‘profile edit’ (available via the menu at the top) is performed by B2C so that you don’t have to worry about saving that data within your application.
By implementing Azure B2C for your online services you will not only help in reducing security fatigue for your users; you’ll also gain be able to use single sign-on between applications and reduce the attack surface of your application.
Depending on the customisation levels required, you may be able to configure and implement this yourself, or engage the services of OCG to assist in developing the simplest solution for your users while providing maximum benefits to your business.
Does your organisation deliver the secure and friction-free user experience consumers expect? Take our customer and identity access management online assessment now and find out.
Discover how you can guarantee secure and seamless access for your partners and customers with Customer Identity and Access Management Workshop.