If your customers are other companies – not individual consumers – how easy is it for their users to sign in? It’s a fair question and here’s why: The gap between great business-to-consumer (B2C) sites and business-to-business (B2B) experiences is rapidly shrinking. That means the definition of “good enough” and “great” is also changing (more on that here: When your customers have customers: CIAM for B2B brands).
But before we talk about how to gauge the success of your B2B CIAM, let’s get our terms straight.
In a B2B CIAM scenario, it’s easy to get confused. Like many a relationship status, it’s complicated.
For the purpose of this blog here’s what we mean:
For example, if you are ACME Products, your business customer might be Roadrunner Inc., and your end user might be their star employee, Wile E. Coyote.
(Like we said, it’s complicated.)
So how can you tell where your B2B customer sign-in experience stands? Here are some telltale signs you may be ready for an upgrade.
If onboarding a new customer requires sending an email, opening a spreadsheet, or calling a help desk, you’re sending your customers down the equivalent of a bumpy dirt road.
Manual processes are no good for anyone. They’re slow and frustrating, and more often than not your customer will hit dead ends when, for example, the human in the loop is on vacation. Even when your offline processes move fast, they’re rife with the potential for human error.
Don your CFO hat, and manual workarounds look pretty expensive, too. Plus, they’re hard to scale. For one thing, they can crush your help desk employees with calls and emails. And if the users are the ones who buy or sell your product – think office supplies or insurance policies – getting locked out means they’re spending less time buying and selling.
Where to look: First, walk through the process like you were the end user. Identify the manual bottlenecks. Then, to quantify what the manual workarounds are costing you, track down things like the number of customer complaints, password reset requests, and help desk calls related to your customer portal.
Most CIAM solutions weren’t built for B2B scenarios. That’s usually painfully obvious to your business customer’s superadmins, who have to choose between a bunch of bad options. For example, consider an end user who wants to update their phone number online. If your CIAM solution doesn’t support delegated administration in its UI, you’ll either have to (1) require the admin to update the phone number, or (2) build a custom user interface using the CIAM platform’s APIs.
Custom interfaces cost money, take time, and are hard to change. Meanwhile, any time someone has to answer a phone to solve a doom loop, it costs money and isn’t very satisfying. It also creates a risk of social engineering. As UX expert Jared Spool famously said, “If it’s not usable, it’s not secure.”
Where to look: Poll your CIAM admins. They’ll give you straight talk.
When employees leave your customer, IT is usually pretty efficient about turning off access to work-related apps like email and Microsoft Office. But because your customer portal is an external system, chances are IT doesn’t know employees have access to it. (This is part of the classic “joiner mover leaver” problem that workforce IAM has faced since Employee001 logged into ARPANET).
More often than not, former employees will keep access to your customer portals … unless your B2B CIAM solution has a buttoned-up sync into your customer’s workforce identity provider to disable access when IT flicks the switch on their other apps.
Short of that level of integration, a good CIAM solution provides auditable control of admin changes. That way you get visibility into user-related changes and evidence for your friendly auditor – right on-platform.
Where to look: One quick check is to see how many users at each customer haven’t logged in for 90+ days. If they’re not using their access, they probably don’t need it. Another way is to spot check with a few customers. Give them a list of inactive users and have them check their employee status.
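One way to run the 90-day check above, as an added example that is not part of the original post: group portal users per customer by last sign-in, treat users who never signed in as inactive too, and render a per-customer list you can hand to that customer’s admin for the spot check. The user records, customer names and the fixed “today” date are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90  # the "90+ days without a sign-in" threshold from the post

# Constructed sample export; a real CIAM user export (customer, email, last sign-in) is the input.
SAMPLE_USERS = [
    {"customer": "Roadrunner Inc.", "email": "wile@roadrunner.example", "last_login": "2024-06-20T09:00:00Z"},
    {"customer": "Roadrunner Inc.", "email": "beep@roadrunner.example", "last_login": "2024-01-15T12:30:00Z"},
    {"customer": "Roadrunner Inc.", "email": "admin@roadrunner.example", "last_login": None},  # never signed in
    {"customer": "Acme Tools", "email": "a.lee@acmetools.example", "last_login": "2024-03-01T08:00:00Z"},
    {"customer": "Acme Tools", "email": "j.ng@acmetools.example", "last_login": "2024-06-29T17:45:00Z"},
]

# Fixed "today" so the run is reproducible; use datetime.now(timezone.utc) against a live export.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_login(value):
    """Parse an ISO 8601 timestamp with a trailing Z; None means the user never signed in."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_users(users, now=NOW, days=STALE_AFTER_DAYS):
    """Return {customer: [emails]} for users whose last sign-in is older than `days`,
    including users with no sign-in at all (an account that was provisioned but never used)."""
    cutoff = now - timedelta(days=days)
    report = defaultdict(list)
    for user in users:
        last = parse_login(user["last_login"])
        if last is None or last < cutoff:
            report[user["customer"]].append(user["email"])
    return {customer: sorted(emails) for customer, emails in sorted(report.items())}


def spot_check_lines(report):
    """Render one line per customer to send to that customer's admin for an employee-status check."""
    return [f"{c}: {len(e)} inactive user(s): {', '.join(e)}" for c, e in report.items()]


if __name__ == "__main__":
    for line in spot_check_lines(stale_users(SAMPLE_USERS)):
        print(line)
```

A large inactive count at one customer, or inactive accounts that still hold admin roles, is the strongest signal that deprovisioning isn’t reaching your portal.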
This one’s a close kin to the previous one. If your CIAM system doesn’t enable business customers to manage roles and permissions or delegate access the way they want to, your customer’s admin is going to err on the side of more access. And more access = more risk.
Most of the security world is moving towards a Zero Trust approach and CIAM is no exception. Zero Trust starts with securing the identity and then granting the least amount of access the user needs. Make sure your B2B CIAM vendor can support a Zero Trust strategy.
Where to look: Here again, reach out to a few admins at your customers. They’ll give you a clear sense of whether the system gives them sufficiently granular control.
After #1, this is the one we hear the most. In an ideal world, you’d be able to go into your CIAM tool and turn on passwordless for some customers, add multi-factor authentication (MFA) for others, tailor sign-in flows, or make other changes.
Unfortunately, most CIAM solutions are developer-centric, which means any customization requires coding. That often leaves you on hold – waiting … and waiting … and waiting for engineering to get to your ticket.
Where to look: I bet you know this one without even looking. To document your frustration, check your email or ticketing system. Find the last three requests and see how long it took from request to go-live.
This may sound basic – as in “Don’t Make Me Think” basic – but a good sign-in journey is one that brings you to your desired destination with the fewest steps possible.
By delivering end users directly to the right product catalog or a version of your website that reflects your customer’s brand, you can save time, eliminate cognitive dissonance, and serve up a warm fuzzy of a consumer experience.
Rather than depositing all your customers and users into the same online experience, your sign-in journey should send each one down the right paths after they authenticate.
Where to look: This one is binary – either users get a tailored experience or it’s one-size-fits-all – and you know the answer already.
Sad but true, this one isn’t always obvious. Problem sites fall at opposite ends of the spectrum. Some display too many sign-in options – like one for each product line. Others have no customer sign-in button at all.
Where to look: Pretend you're a customer or user, open a fresh browser tab, type in your own URL and see what you find. Enough said.
Now that we’ve examined the warning signs, what does “great” B2B CIAM look like?
In short, it looks a lot like social login for a B2C experience.
With B2C social login, the customer uses, say, their Facebook credentials, which are managed by Facebook. With B2B login, the customer uses their enterprise credentials, which are managed by your business customer.
The difference is that rather than going to a single source like Facebook for authentication, your CIAM system has to integrate with a different IDP for each of your business customers. If it can’t, then you, the business customer, or the end user (or all three) are going to be stuck managing credentials for your website or app. That creates vulnerabilities and hassles for everyone in the chain. Which delights exactly no one.
With great B2B CIAM, once the business relationship between you and the business customer is established, onboarding end users is effortless – with humans in the loop only when necessary to control for specific risks.
At Strivacity, we specialize in simplifying complexity in CIAM – for you, your business customers, and their customers. If your B2B journeys aren’t utterly forgettable, contact our friendly experts.