Login is pretty much the first thing your users will experience when it comes to authenticating their credentials.
However, it isn’t just about the “Login Box“: in today’s modern B2C and B2B environments, there’s more to the login than meets the eye!
Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience building modern Login (a.k.a. Sign-in or User Authentication) into modern applications.
More than a UserID & Password
In the world of SaaS application development, Login — a.k.a. sign-in — is a whole lot more than just acquiring a UserID & Password. With the rich source of user information offered by the likes of Social Login and the convenience of using security-enhanced workflows like Passkeys, not to mention the commercial flexibility offered by (Enterprise) Federation, there’s so much more to the process.
It’s also more than just user validation. Login has to be capable of employing protection strategies, and with safety and security being of paramount importance to many consumers, it has to provide for MFA, too. Users want a Sign-in/Sign-up experience that’s as frictionless as possible, so SSO and progressive User Profile enrichment are important considerations.
Credential Validation
Switching development to exchange the validation of a UserID and Password credential with the validation of a credential-verified artefact — namely, an ID Token delivered by an application-independent IdP — opens up a variety of opportunities: the flexibility to deliver user-centric information to build the application session, for example, and the ability to explore the likes of SSO, MFA and Passwordless scenarios being just a few. Using an IdP as a separate service supports all of this without changing a single line of application code.
Via OIDC…
OIDC provides industry-standard verified authentication via JSON Web Format (JWT) ID Tokens and opens up the world of Social Login! Application builders not only defer the authentication process to a third party but, at the same time, can leverage rich sources of user profile information in a regulatory-compliant manner. Further, offering OIDC-compliant user authentication flows provides the means for your application(s) themselves to become Social authenticators if desired.
…with SAML enablement
With the addition of SAML, you have full access to the world of B2B and B2B-derived opportunities in a way that best suits you and your business needs. Via the comprehensive flexibility of an application-independent IdP platform, automatically enable (Enterprise) Federation via the flick of a switch: no need to spend precious time and effort on anything other than your core business logic, with interop between the two — i.e. OIDC and SAML — easily done too!
Sign in…
Sign-in, more commonly referred to as Login, typically starts with an interaction that we’re probably all familiar with: the interactive supply of credentials. Credentials come in many different forms, the most common being the UserID and Password. But other forms associated with the likes of Social, (Enterprise) Federation, and Passwordless scenarios exist too. Once credentials are validated, an application will typically establish the session for the user and, optionally, an SSO context too.
…Sign out…
The converse process is typically known as Logout, Logoff, or Sign out. When a user has finished interacting with an application, they will typically terminate their session explicitly, effectively de-authenticating. Or the application will terminate their session implicitly if no user interaction has occurred for some time. Optionally, a Logoff will also reset any established SSO, so that the user must engage with the Login process interactively if they wish to continue.
…Signup
Before anyone can log in, however, they typically have to be a registered user of an application first. That process is typically referred to as signup and is where the user chooses which credentials to use (e.g. UserID and Password, etc). However, with the likes of Social and (Enterprise) Federation, Signup is often implied: when user credentials are verified by some 3rd party, upstream IdP, the process of user registration becomes implicit rather than explicitly prescribed.
Login has become a whole lot more than just acquiring a UserID & Password. With the rich source of user information offered by the likes of Social and the convenience of using security-enhanced workflows like Passkeys, not to mention the commercial flexibility offered by (Enterprise) Federation, there’s so much more to authenticating your users.
Build vs Buy vs DIY
You could build an in-house custom solution yourself…it’s certainly an option. Particularly if you have a team with the time, capacity, knowledge, and expertise to develop:
- SSO,
- Leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation,
- Implement Passwordless, Passkeys and/or MFA, with optional
- OAuth 2.0 for API Authorization, as well as
- Deploy and maintain Attack Protection.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM, the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack.
With consumer-oriented SaaS, much of this infrastructure is already in place: cloud-based “compute”, database, network resources, etc., could be a necessity for your solution, and delivering these at scale may be something you also need to do.
Deploying a standards-based (open-source) DIY solution within your existing infrastructure might provide a more cost-effective approach, delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Questions? Comments?
Feel free to reach out!
