Bluetooth Special Interest Group (SIG) Case Study
Learn how a standards-based organization implemented standards-based authentication via OpenID Connect and OAuth for improved security, access, and interoperability
About Bluetooth SIG
Formed in 1998, the Bluetooth SIG is the not-for-profit trade association that oversees Bluetooth® technology. In support of more than 34,000 member companies, the Bluetooth SIG facilitates the collaboration of its members to create new and enhanced specifications that expand the technology, drives global interoperability via a world-class product qualification program, and grows the brand by increasing the awareness, understanding, and adoption of Bluetooth technology.
Bluetooth Special Interest Group (SIG) is a standards-based organization that oversees the development and licensing of Bluetooth technologies. With over 30,000 member companies including the biggest names in consumer electronics, the organization aims to unify, standardize, and drive innovation in the vast range of connected devices. We sat down with Jeremy Syme, Director of Systems Engineering and Guru Nagaraju, Software Development Manager, to discuss why they chose Auth0 as their identity provider.
Bluetooth SIG needed a modern identity solution in order to meet the challenges of expanding collaboration, providing secure access, and ensuring organizational compliance for over 150,000 users. The organization wanted a standards-based authentication solution that could meet present and future needs. They decided that OpenID Connect and OAuth 2 met these requirements.
Security and authentication go hand-in-hand. Ensuring secure access was very important to Bluetooth SIG due to the nature of their work as well as the requirements of their members. Auth0 puts security front and center in numerous ways: all communication is encrypted, passwords are hashed and salted with bcrypt, and attack prevention and mitigation measures are in place to ensure service availability.
Granular access to the various services Bluetooth SIG provides was also needed. Users are assigned member levels based on their organization. Organizations are grouped into three member levels:
Adopter – the basic level of membership that allows an organization to license and use Bluetooth technologies in their products.
Associate – this level of membership allows an organization to participate in Bluetooth SIG working groups and the specification development process.
Promoter – the member companies that oversee Bluetooth SIG have this level of membership and act essentially as the board of directors for the organization.
Naturally, the different member levels meant different levels of access needed to Bluetooth SIG services. Adopters, for example, would only need access to view the latest approved specification, while Associate members would participate in contributing to working drafts and have privileged access to unreleased documents.
The Bluetooth standards are defined by various working groups within the organization. A highly granular permissions system was needed to ensure compliance and limit legal liability. This was non-negotiable and whatever solution the team would recommend would need to work with the existing system that enforces these roles.
Bluetooth SIG already had a homegrown authentication solution, but it was not meeting the needs of the organization. The engineering team, led by Jeremy Syme, decided that it was time to implement a modern authentication solution in their ecosystem. The team evaluated whether to build or buy, and quickly determined that buying was the way to go. The engineering team did not have the resources or expertise to build and maintain another homegrown solution, so after evaluating various options, they decided to entrust Auth0 with identity and authentication as their provider going forward.
Bluetooth SIG started out with a single homegrown ASP.NET application. At the time, they used Windows Forms-based authentication to provide a secure login experience for their users. This worked while they had just a single application to maintain, but as the organization grew and additional services were deployed, it became apparent that this solution was not going to cut it.
The biggest feature the engineering team wanted to implement was Single Sign-On (SSO). Without this, the various services, both homegrown and SaaS, would have different authentication systems, workflows, and users. The overhead of managing all of this would be highly impractical. Maintaining their own authentication infrastructure, patching security holes, and fixing authentication-related bugs would take time and resources away from developing features core to Bluetooth SIG’s mission.
The engineering team evaluated their existing solution to see if they could accomplish their goals and discovered that it would be a complex task that would still not be satisfactory in the long term. They needed more than an authentication system; they needed an identity management platform.
Secure authentication alone was not enough. Bluetooth SIG engineers decided that a modern identity management system was needed. They first evaluated whether to build a solution in-house, buy or license an existing provider, or configure an open-source solution. It was quickly and unanimously decided that buying was the way to go.
With the decision to buy established, the engineering team set out to evaluate options and offerings. The criteria not only included technological capability, but also licensing and support considerations. Two companies were identified as possible matches: Auth0 and a competitor.
The team reached out to both. Part of the evaluation process was building a proof-of-concept to demonstrate capabilities with both Auth0 and the competitor. The competitor fell short: it lacked OAuth 2 capabilities, and its licensing model did not make sense for Bluetooth SIG. Auth0 presented the winning playbook by meeting the technological, licensing, and support needs.
Winning Playbook With Auth0
Auth0 was chosen as the identity platform for Bluetooth SIG. The platform was chosen not solely for technological capability, but also for state-of-the-art security, top-notch documentation, excellent customer support, and a superior licensing model that was a right fit for the organization.
The return on investment for Bluetooth SIG was measured primarily in opportunity cost. Every engineer who would have been tasked with building and maintaining the identity solution would be an engineer taken off a project core to the organization’s mission.
On the technology front, Auth0 met all of the needs of Bluetooth SIG. Having the capability is one thing, but the ease of integration cemented the choice for the engineering team. The organization already had various applications, both homegrown and SaaS, and Auth0’s modern identity solution was implemented on top of the existing technology without any code changes.
With Auth0, the team was able to integrate Single Sign-On (SSO) and modern authentication on top of the existing legacy implementation. This allowed the team to use their existing database of users which meant they wouldn’t need to inconvenience their members with password resets or downtime. This also allowed the engineering team to define a roadmap for migration that they felt comfortable with and fell in line with their plans for the future.
“Implementing the Auth0 identity solution took a single digit number of days versus the estimated months to build a solution in-house.”
– Jeremy Syme, Director of System Engineering
Bluetooth SIG needed an authentication solution they could have full confidence in, both from a security and an access standpoint. On the security front, Auth0 met the needs by providing a secure cloud-based infrastructure that supported encryption, password hashing, and attack mitigation. Support for standards-based authentication protocols like OpenID Connect and OAuth 2 ensured that Bluetooth SIG would not experience vendor lock-in.
Bluetooth SIG needed a highly granular permissions system for their users. With various member levels and working groups across the organization focusing on different parts of the Bluetooth specification, it was important to get access control right. The organization already had a permissions system defined and Auth0 was able to use these existing roles and permissions seamlessly.
Top-notch documentation played an important educational role for Bluetooth SIG engineers. Authentication and identity management are complex topics by themselves, but compounded with various standards and implementations, understanding and implementing them correctly can be a daunting task.
Auth0 provided quick-start tutorials paired with real-world code samples, which allowed the Bluetooth SIG team to quickly build and experiment with different features and configurations. Actual code samples that could be downloaded and run were key to helping the team understand how to put all the pieces together and how the real-world implementation would work for their platform. In-depth guides and blog posts provided additional knowledge on how-to’s and best practices for optimal security and performance.
Auth0’s licensing model was a perfect fit for Bluetooth SIG. Rather than charging a fee for every user each month as is typical in the SaaS industry, Auth0’s licensing model is based around active usage. This means that an organization using Auth0 only incurs a cost when their users actually log in.
The majority of Bluetooth SIG members fall in the Adopter category. Out of the 150,000 users, most typically log in a few times per year to get the latest documentation and standards released by the organization. A pay-per-user licensing model did not make sense in this regard; paying for active users made much more sense.
Bluetooth SIG and Auth0 worked collaboratively to develop a proof-of-concept and showcase platform capabilities. After the decision was made to go with Auth0, the customer success team provided quick response times for questions and issues. Issues were resolved quickly and transparently.
A concern that the management team had with offloading authentication and user management to a third party was unexpected downtime. Auth0’s track record of transparency for incidents and downtime as well as community outreach helped put the management team at ease with trusting a third party with one of the key aspects of their platform.
Auth0 met Bluetooth SIG’s identity needs of today and is also ready to tackle future needs. Looking ahead, the organization is looking to add enhanced security features like Multifactor Authentication and OAuth 2 implicit flow for greater control. Auth0 supports both of these features out of the box and will be there to assist and support at every step of the way.
Eventually, Bluetooth SIG is planning on migrating their users from the existing database and moving to a full standards-based OAuth and OpenID Connect-capable infrastructure. Here too, Auth0 is poised to delight with comprehensive migration tools and support to ensure a smooth transition.
Meeting the technological needs for modern identity and authentication is important, but it is not enough to just have the tools. Documentation that clearly explains, shows, and educates developers on how to implement authentication the right way, support and transparency for when things go awry, a fair licensing model, and pleasant developer experience drove Bluetooth SIG and its engineering team to Auth0.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world. For more information, visit https://auth0.com or follow @auth0 on Twitter.