Case Study
Building a secure multi-brand authentication experience at BT
How do you seamlessly and safely connect millions of customers to multiple high-profile brands with a single authentication?
This was the challenge presented by Roy Corneloues, BT Group’s Enterprise Architect. And with the help of Azure AD B2C, Kocho helped to make BT’s Single Authentication Framework (SAF) a reality.
For any organisation, customer experience and data security are essential. They’re the cornerstones of trust and loyalty.
When you’re a global enterprise with multiple high-profile brands and millions of customers worldwide, it’s critical that you get this right.
For BT this meant delivering a seamless authentication experience that lets customers access and move between every service, app, and brand with ease. A revolutionary change from an existing time-consuming process where users had to register and sign into each service separately.
SAF and a vision for seamless, multi-brand customer experiences
This was the ambition behind the Single Authentication Framework (SAF). The brainchild of BT Group’s Architecture team.
BT Group is a global leader in the telecoms industry. A provider of cutting-edge technology to businesses and consumers around the globe.
It offers a vast array of commercial and consumer services via major brands including: EE, BT, Openreach, and Plusnet. From leading-edge fibre broadband to entertainment, sport, gaming, TV, and mobile services.
And, with around 25 million customers accessing over 100 different services, the organisation had a vision to revolutionise the way it provided this access. To provide a seamless and secure experience for every customer, everywhere. Across every brand and application.
But in order to deliver on this vision, it couldn’t be held back by legacy technology.
Adopting Azure AD B2C to turn SAF into a reality
Following an RFP process that included established providers like Okta, Ping, and ForgeRock, Roy and the team at BT identified Microsoft Azure AD B2C as its chosen technology platform.
With Azure AD B2C, BT had a platform that could deliver seamless, fully-branded customer experiences across each brand and service, while also incorporating essential modern security features like MFA and passwordless authentication.
The ultimate guide to external identity success
A 7-step plan to achieve seamless user access, the highest levels of security, and unrivalled user experiences.
On working with Kocho
While the project was to be led via an internal team, there was recognition that the project would require collaboration and support from a partner with the skills and expertise in Microsoft cloud technology, identity, and cybersecurity.
Kocho was selected for its expertise and understanding of the vision BT was working to deliver.
Kocho was and continues to be recognised as a leading global Microsoft partner for External Identity, and this Azure AD B2C project would prove to be one of Microsoft’s largest B2C deployments to date.
Kocho’s External Identity team worked closely with the BT Group team, upskilling and providing the support needed to establish and action each stage of the project, including:
Creation and development of the SAF.
Migration of all customer accounts.
Adoption as a product.
Refinement and further feature development.
Creating ‘one front door’ for access and authentication
At the heart of SAF is the idea of providing access via a single ‘front door.’
One framework that could be monitored, upgraded, and simultaneously updated across each brand – with no visible disruption to the customer experience.
This framework would consist of event-driven architecture and contain a single suite of experiences and features that could be ‘skinned’ to represent each brand for a consistent end-user experience.
Using the single sign-on feature baked into Azure AD B2C, customers no longer need to retain multiple credentials to gain access to the different apps and services.
A secure customer identity platform built for scale
For SAF to succeed, it needed to be underpinned by a rigorous approach to security and data protection.
Having this one framework also meant that security monitoring improvements could be made, using Microsoft Sentinel to draw security data into a single dashboard for investigation and remediation.
Once the framework had been developed and implemented, the next challenge was migrating users to begin using it.
We get so much telemetry from Microsoft Sentinel about user behavior that we can resolve those situations in real time. We react to those alerts faster than ever before.
Andrew Warner
Identity Product Director, BT Group
A roadmap to migrating 25 million customers
With over 500 applications to migrate and more than 25 million customer accounts, Kocho and BT had to carefully plan the approach to ensure minimal disruption to customers.
First to migrate was the EE brand, with approximately 150 apps, and over 3.3 million active users. This meant finding a solution to securely migrate those users without impacting their usage and experience of the EE application and portal.
Across the remaining 350 applications on the BT side, BT Group and the Kocho External Identity team collaborated to develop a “proxy server” container design. This allowed just-in-time migration to move any users who needed to use the service before migration was completed wholesale.
This involved creating a process where submitted credentials were verified against the existing directory and, if approved, were then created in Azure B2C.
A multi-stage migration process would then be completed to move applications and users to the new platform.
A secure, seamless, on-brand experience with Azure AD B2C
With support from our external identity team, BT are realising their vision of delivering a seamless experience that welcomes rather than deters its customers:
Outcomes that outline the success of SAF
SAF is a long-term vision for the future of secure authentication and exceptional customer experience. And, BT Group are already seeing the significant benefits of its implementation.
Within the first few weeks, BT Group had seen:
5 million customers onboarded
More than 100,000 attacks thwarted
In the months that followed, they have reported:
Monthly active users increased by 1 million customers.
A sharp drop in customer abandonments.
33,000 challenges to anti-bot system stopped in first six weeks using Conditional Access.
Over 1 million IDs processed in 4 minutes during coverage of 2023 Champions League Final.
Our vision was to build a next-generation customer registration experience that could be adopted by every one of our lines of business, yet provide world-class security and modern authentication using open industry standards.
Roy Corneloues
Enterprise Architect for Customer Identity and Access Management, BT Group
Excited by the options and opportunities Azure AD B2C has made available, BT Group has ambitious plans for the future.
These include completing the migration of its remaining brands, applications, and users into Azure, as well as rolling out passwordless and verified ID technologies to its users.
Alongside improving the customer experience and its internal identity and security infrastructure, BT Group has also moved to a much-improved pricing structure. As B2C is billed on a monthly active user (MAU) basis, they will now only pay for usage, rather than per user.
As an organisation with more than 25 million customers, this is a key benefit a key factor in BT Group opting for Azure AD B2C.
It’s now able to confidently expand its offerings and services, knowing that it has a flexible – yet secure – platform on which to build.
Next steps
The ultimate guide to external identity success
A 7-step plan to achieve seamless user access, the highest levels of security, and unrivalled user experiences.
