It’s important to note that simply using an identity service doesn’t make you secure. As Troy Hunt notes, “If you don't know what you're doing, how do you know you're choosing the right service?” Rather than attempting to outsource the responsibility of security, CIOs need invest in education. “They should ensure those making such key decisions are properly trained,” Hunt says.
Simons agrees: “There's no substitution for knowledge. You have to make the investment to keep up on these things. You have to think about it at multiple layers and have a good defence in depth story. But there are big pieces of this you can outsource to smart people like us. Your identity security: we can take care of that for you. Then the surface area and the complexity of the threat model you have to worry about is reduced.”
One area many companies get wrong is support and account management. If your system can mail out a forgotten password, then you’re storing unencrypted passwords at some point. “One of the coolest things about our B2C system is that it's all workflow and metadata driven,” says Simons. “All those workflows like how to reset your password, how to answer a two factor authentication challenge; we generate the emails for you. You declare in metadata ‘here's how I want to have it work’ and we take care of best practice. You never have a user saying ‘hey, support team, send me my password’. We have a nice instrumented flow they go through to prove they own the account, maybe using their phone and they get the chance to reset the password securely. It’s about managing the lifecycle of an identity and it’s all done in policy.”
One advantage it would be hard to get on your own is the scale of an identity service like Azure B2C and what Microsoft has learned from managing the 500 million Microsoft account users who log in every day. To protect them, Microsoft actively looks for what it calls endangered accounts. “We have a team that works with governments and other companies, and also looks on the black market and picks up leaked user names and passwords,” Simons says. “We run these through our services and we can alert you about potentially compromised user names and passwords in your tenant for customers and employees. And we can help you take action, so you can require them to do a multi-factor authentication or reset their password.”
The B2C service will also use a system that’s already in place to protect Microsoft accounts from weak passwords. “If you put in one of the top one thousand most frequently used passwords, we ask you ‘please pick a password that's harder to guess’.”
Sign up for CIO Asia eNewsletters.