In 2007, Canadian company ecobee released the first-ever Wi-Fi-enabled thermostat, and since then, they’ve been pioneers in smart home. Recently, ecobee branched out into home monitoring and security — producing sensors, cameras, and software that lets customers control and track the comings and goings in their homes and businesses.

ecobee’s ecosystem has expanded and evolved over time with the addition of category leading hardware and services, but when the company entered the home security space, their own security needs underwent a fundamental shift since customers were now entrusting the company with a new set of data – video from their home. To help keep their customers secure, ecobee needed a new identity and access management (IAM) system.

New Product Lines Brought New Security Needs

For years, ecobee maintained its own custom-built authentication solution, but it was not designed to the security needs (and threats) that came with handling private details of customers’ homes. “We were looking for a partner that would enable us to go from good to great really fast,” explains Jordan Christensen, ecobee’s VP of technology. They wanted to reduce the risk exposure for their customers and themselves and add more security features to prevent and detect breaches.

In the hunt for an IAM partner, ecobee compared solutions from multiple vendors, but, says Christensen, “we weren’t really able to find something that would be a whole package for us like Auth0 was.”

“If there was a breach of any kind, we needed to ensure we weren’t exposing user credentials,” Christensen says. “And being able to do things like implement multi-factor authentication [MFA] without needing to effectively reinvent the wheel was very attractive and led us to partner with Auth0.”

Three Use Cases, Millions of Users

ecobee needed a versatile IAM solution that could handle authentication for three classes of users: individual customers, commercial space owners, and its own support staff.

B2C: End customers make up the largest segment of ecobee’s users, with millions of customers and in-home sensors. These customers may use ecobee’s mobile app, web app, or third-party integrations, so ecobee accommodates them by employing a variety of Auth0 auth flows. “We’ve really relied on the Rules and custom database capabilities to do things like enforce a requirement for MFA for anyone who has a camera in their home,” says Jonathan Harlap, ecobee’s engineering director for platform.

B2B: These users own commercial properties or multi-tenant residential spaces but often need to share control of their ecobee products with property managers or tenants. Auth0 has allowed for these control restrictions. Explains Harlap: “You can have a building manager control the environment in all of the empty units of their building, while the tenants who are using the B2C apps control their local environments individually.”

B2E: Customer support staff use Auth0 for administrative access to customer devices. This can include getting system logs off an individual device to debug it, deploying firmware, and guiding customers through self-service solutions. “The simplicity and the risk reduction is amazing for us,” Christensen says. “Previously, the off-boarding process was very cumbersome and very risky. Now, we don’t have that problem anymore.”

Auth0 Does the Work of Four Engineers

Since partnering with Auth0, ecobee has been able to effectively deter security threats. For instance, they have used Breached Password Detection to proactively notify users when their credentials have been compromised. And Auth0’s Anomaly Detection alerted the team to a dictionary attack against users and stopped it after a small number of attempts.

The COVID-19 pandemic struck just as ecobee was launching its home security product, and the team credits Auth0 for being able to roll it out on time. “We considered MFA to be a hard gating factor for that launch,” Christensen says. “It’s possible that product would never have seen the light of day if we hadn’t been able to leverage Auth0, because we weren’t comfortable launching it without MFA.”

Having Auth0 handle authentication has saved ecobee time and resources, and they estimate it would have taken three or four engineers 18 months to build a comparable solution. But the savings with Auth0 go beyond up-front costs. “It’s the security posturing we would have to have and the expertise we would need to run a system like that in-house,” Christensen explains. “It’s being able to rely on experts that are doing it not just for us but for dozens of other customers, because, ultimately, we’re not only buying the Auth0 service, we’re buying the expertise. And that’s been a huge win for us too.”