Bluetooth Special Interest Group (SIG) is a standards-based organization that oversees the development and licensing of Bluetooth technologies. With over 30,000 member companies including the biggest names in consumer electronics, the organization aims to unify, standardize, and drive innovation in the vast range of connected devices. We sat down with Jeremy Syme, Director of Systems Engineering and Guru Nagaraju, Software Development Manager, to discuss why they chose Auth0 as their identity provider.

Bluetooth SIG needed a modern identity solution in order to meet the challenges of expanding collaboration, providing secure access, and ensuring organizational compliance for over 150,000 users. The organization wanted a standards-based authentication solution that could meet present and future needs. They decided that OpenID Connect and OAuth 2 met these requirements.

Security and authentication go hand-in-hand. Ensuring secure access was very important to Bluetooth SIG due to the nature of their work as well as the requirements of their members. Auth0 puts security front and center through numerous ways: all communication is encrypted, passwords are hashed and salted with bcrypt, and attack prevention and mitigation measures in place to ensure service availability.

Granular access to the various services Bluetooth SIG provides was also needed. Users are assigned member levels based on their organization. Organizations are grouped into three member levels:

• Adopter – the basic level of membership that allows an organization to license and use Bluetooth technologies in their products.

• Associate – this level of membership allows an organization to participate in Bluetooth SIG working groups and the specification development process.

• Promoter – the member companies that oversee Bluetooth SIG have this level of membership and act essentially as the board of directors for the organization.

Naturally, the different member levels meant different levels of access needed to Bluetooth SIG services. Adopters, for example, would only need access to view the latest approved specification, while Associate members would participate in contributing to working drafts and have privileged access to unreleased documents.

The Bluetooth standards are defined by various working groups within the organization. A highly granular permissions system was needed to ensure compliance and limit legal liability. This was non-negotiable and whatever solution the team would recommend would need to work with the existing system that enforces these roles.

Bluetooth SIG already had a homegrown authentication solution but it was not meeting the needs of the organization. The engineering team, led by Jeremy Syme, decided that it was time to implement a modern authentication solution into their ecosystem. The team evaluated whether to build or buy, and quickly determined that buying was the way to go. The engineering team did not have the resources or expertise to build and maintain another homegrown solution, so after evaluating various options decided to entrust Auth0 as their identity and authentication provider going forward.

Challenge

Bluetooth SIG started out with a single homegrown ASP.NET application. At the time, they used Windows Forms based authentication to provide a secure login experience for their users. This worked while they had just a single application to maintain, but as the organization grew and additional services were deployed, it became apparent that this solution was not going to cut it.

The biggest feature the engineering team wanted to implement was Single Sign On (SSO). Without this, the various services both homegrown and SaaS would have different authentication systems, workflows, and users. The overhead of managing all of this would be highly impractical. Maintaining their own authentication infrastructure, patching security holes, and fixing authentication related bugs would take time and resources away from focusing on developing features core to Bluetooth SIG’s mission.

The engineering team evaluated their existing solution to see if they could accomplish their goals and discovered that it would be a complex task that would still not be satisfactory in the long term. They needed more than an authentication system, they needed an identity management platform.

Identity-as-a-Service

Secure authentication alone was not enough. Bluetooth SIG engineers decided that a modern identity management system was needed. They first evaluated whether to build a solution in-house, buy or license an existing provider, or configure an open-source solution. It was quickly and unanimously decided that buy was the way to go.

With the decision to buy established, the engineering team set out to evaluate options and offerings. The criteria not only included technological capability, but also licensing and support considerations. Two companies were identified as possible matches, Auth0 and a competitor.

The team reached out to both. Part of the evaluation process was building a proof-of-concept to demonstrate capabilities with both Auth0 and the competitor. The competitor fell short by lacking OAuth 2 capabilities and a licensing model that did not make sense for Bluetooth SIG. Auth0 presented the winning playbook by meeting the technological, licensing, and support needs.

Winning Playbook With Auth0

Auth0 was chosen as the identity platform for Bluetooth SIG. The platform was chosen not solely for technological capability, but also for state-of-the-art security, top-notch documentation, excellent customer support, and a superior licensing model that was a right fit for the organization.

The return on investment for Bluetooth SIG was measured primarily in opportunity cost. For every engineer that would have been tasked with building and maintaining the identity solution, would be an engineer taken off of working on a project core to the organization’s mission.

Technology

On the technology front, Auth0 met all of the needs of Bluetooth SIG. Having the capability is one thing, but the ease of integration cemented the choice for the engineering team. The organization already had various applications, both homegrown and SaaS, and Auth0’s modern identity solution was implemented on top of the existing technology without any code changes.

With Auth0, the team was able to integrate Single Sign-On (SSO) and modern authentication on top of the existing legacy implementation. This allowed the team to use their existing database of users which meant they wouldn’t need to inconvenience their members with password resets or downtime. This also allowed the engineering team to define a roadmap for migration that they felt comfortable with and fell in line with their plans for the future.

“Implementing the Auth0 identity solution took a single digit number of days versus the estimated months to build a solution in-house.”

– Jeremy Syme, Director of System Engineering

Security

Bluetooth SIG needed an authentication solution they could have full confidence in both from a security and access standpoint. On the security front, Auth0 met the needs by providing a secure cloud based infrastructure that supported encryption, password hashing, and attack mitigation. Support for standards-based authentication protocols like OpenID Connect and OAuth 2 ensured that Bluetooth SIG would not experience vendor lock-in.

Bluetooth SIG needed a highly granular permissions system for their users. With various member levels and working groups across the organization focusing on different parts of the Bluetooth specification, it was important to get access control right. The organization already had a permissions system defined and Auth0 was able to use these existing roles and permissions seamlessly.

Documentation

Top notch documentation played an important educational role for Bluetooth SIG engineers. Authentication and identity management are complex topics by themselves, but compounded with various standards and implementations it can be a daunting task to understand and implement correctly.

Auth0 provided quick start tutorials paired with real world code samples which allowed the Bluetooth SIG team to quickly build and experiment with different features and configurations. Actual code samples that could be downloaded and run were a key in helping the team understand how to put all the pieces together and how the real-world implementation would work for their platform. In-depth guides and blog posts provided additional knowledge on how-to’s and best practices for optimal security and performance.

Licensing

Auth0’s licensing model was a perfect fit for Bluetooth SIG. Rather than charging a fee for every user each month as is typical in the SaaS industry, Auth0’s licensing model is based around active usage. This means that an organization using Auth0 only incurs a cost when their users actually log in.

The majority of Bluetooth SIG members fall in the Adopter category. Out of the 150,000 users, the majority typically log in a few times per year to get the latest documentation and standards released by the organization. A pay per user licensing model did not make sense in this regard. Paying for active users made much more sense.

Support

Bluetooth SIG and Auth0 worked collaboratively to develop a proof-of-concept and showcase platform capabilities. After the decision was made to go with Auth0, the customer success team provided quick response times for questions and issues. Issues were resolved quickly and transparently.

A concern that the management team had with offloading authentication and user management to a third party was unexpected downtime. Auth0’s track record of transparency for incidents and downtime as well as community outreach helped put the management team at ease with trusting a third party with one of the key aspects of their platform.

Looking Ahead

Auth0 met Bluetooth SIG’s identity needs of today and is also ready to tackle future needs. Looking ahead the organization is looking to add enhanced security features like Multifactor Authentication and OAuth 2 implicit flow for greater control. Auth0 supports both of these features of the box and will be there to assist and support at every step of the way.

Eventually, Bluetooth SIG is planning on migrating their users from the existing database and moving to a full standards-based OAuth and OpenID Connect-capable infrastructure. Here too, Auth0 is poised to delight with comprehensive migration tools and support to ensure a smooth transition.

Conclusion

Meeting the technological needs for modern identity and authentication is important, but it is not enough to just have the tools. Documentation that clearly explains, shows, and educates developers on how to implement authentication the right way, support and transparency for when things go awry, a fair licensing model, and pleasant developer experience drove Bluetooth SIG and its engineering team to Auth0.