B2B: Login identifiers in the B2B world
Many legacy B2B websites use a username and password combination for user authentication, although some use an email address instead of a username. The use of usernames seems to stem from legacy architectures where Active Directory was responsible for provisioning external users. Typically, user passwords were distributed in plain text over the phone or via email.
The SAP Customer Data Cloud B2B solution aims to modernize and simplify the onboarding of external organization members to your B2B site, and offers different login options to meet different project requirements.
A login identifier is a piece of data which the user provides at the point of authentication to identify their account. Most commonly this is an email address, username or phone number but can be any other identifier that an external identity provider offers.
We will evaluate the different options when using the SAP Customer Data Cloud B2B solution.
Email address is the most commonly recommended option for use as a login identifier for a B2B site, for the following reasons:
- Email address is a mandatory field when inviting external organization members so it will always be captured (email is not mandatory if invitation is sent via SMS).
- Users can easily and securely reset their password by receiving a password reset link to their email address.
- An email address is very easy for users to remember.
- Authenticating with an email address is familiar for B2B users from their B2C interactions.
- All flows are supported out of the box using Screensets.
Of course there are scenarios where using email address as a login identifier is not appropriate, and we will discuss alternatives below.
Username should not be used as the primary login identifier for new accounts. This is because it is not possible to assign a username at the point of user invitation, and assigning one would require a separate custom process, which is not recommended.
Usernames are a very poor choice of login identifier because they are easily forgotten and, on their own, give no trusted channel for critical user journeys such as password reset.
However, a username can be supported in the context of a migration from an existing system. Where a username is currently the unique identifier for a user, it can be migrated and the user can continue to log in with their existing credentials, so long as the Customer Data Cloud configuration is set up to support it. The user should be encouraged to supply an email address which they can log in with as an alternative.
There are examples of B2B sites where multiple people use the same shared email address, for example, firstname.lastname@example.org. This is more typical in smaller organizations where individual users are not assigned their own email address. This creates an issue for the following reasons:
- Where email is the login identifier, two accounts cannot use the same email address.
- Username should not be used as the login identifier for new accounts because there is no way to set the username during the invitation.
In this scenario, we would recommend using phone number as the login identifier. As part of a phone number login flow, the user receives an SMS on their mobile device containing a one-time password to log in with, so an email address is not required at all and the duplicate email issue is avoided.
It would be fair to assume that the majority of users have their own mobile device, even if that device is a personal one. The added benefit of this approach is that the user does not require a password on their account, and therefore password reset flows are not required.
An external organization member can be invited via SMS using the delegated administration user interface without any customization.
Phone number login will incur additional costs, as you must use your own SMS provider account.
Corporate Identity Provider
Bring your own identity allows external organizations to use their own corporate identity provider to authenticate users into your B2B site. In this scenario, the users don't actually have a login identifier at all, as they always authenticate using their corporate credentials.
Bring your own identity is better suited to larger organizations that can easily manage the trust configuration between the providers, but it offers a familiar login experience to organization members whilst reducing the user management overheads associated with traditional login mechanisms. It also offers the advantage that B2B users are not required to remember another password.
Whilst social networks are far more prevalent in the B2C space, LinkedIn and DocCheck are the most commonly used in the B2B world. Users cannot be invited to join an organization using their social network credentials, but a user can link their social network account to their existing account, which then allows them to log in with their social network credentials. This approach won't be suitable in all use cases, but the option is there should the requirement exist.
The SAP Customer Data Cloud B2B solution offers different login options to meet different requirements that exist in the B2B world. Email still offers the most flexible login identifier option and should be recommended in most cases, but where it is not appropriate, phone number login and bring your own identity offer excellent alternatives.