My ID is bringing our products closer together

Log-in and sign-up are among the most basic features of any application. They are often the first things that get built .They are so common that often development frameworks will provide this stuff for free. Customise a template, run a few scripts and ta-da! Job done. But immediately this creates a problem. Every product works differently. Every product has a different concept of a customer. At a large scale this can lead to a fragmented view that is hard to unpick.

Besides this, we might be continually asking our customers to repeat themselves, to provide us with the same basic information like an email address, password, phone number and so on. We know from our customer feedback that this is a major pain point. Juggling multiple accounts and going through complex and unintuitive journeys to connect our products is a surefire way to lose traffic. Customers have become used to technology being seamless.

On top of this every individual log-in page is a target. Bad actors will always target the weakest link, the lowest hanging fruit. At scale this can become incredibly difficult to manage and secure.

What is My ID?

My ID is a customer identity service that has been developed by Sainsbury’s Tech to make it easier for our customers use our products. We want our customers to love to shop with us and My ID helps us to connect our products and create new experiences.

The premise is simple. Sign up once, and be able to log into any of our products. Easy right? Well, as it turns out, no.

My ID aims to solve this by asking customers to provide their details once, and in turn providing the tools that allow products within our ecosystem to securely use those details to identify the customer. Highly sensitive information like passwords are only held in one place and not distributed. Personally identifiable information is only accessible with a cryptographically secure token.

There are plenty of off the shelf products in the marketplace. But we believe in building and owning our tech. We have a lot of great engineering expertise in Sainsbury’s Tech and by building in-house we get a solution that exactly meets our needs.

The challenge

We have a wide variety of products across Sainsbury’s Tech which serve multiple different purposes. Products like SmartShop, Groceries On-line, Nectar, Argos and many more form a huge part of our digital ecosystem. They are all different in many ways, but share one common factor: our customers.

One of the main challenges was to build a platform that works consistently across these products. As a division we use many different technologies and languages and firmly believe in using the right tools for the job. We didn’t want to force too many integration choices and still be able to take on ownership of account management responsibilities from each product we integrate with.

Another huge challenge is that we are making fundamental changes to our major products, which are used daily by millions of customers. It is vital that we do this without causing too much friction. Our engineering and product teams work really hard to build simple and intuitive customer experiences and so we needed to follow this approach.

The solution

From the outset we have felt that tried and tested web standards were the way to go. OAuth 2.0 forms the foundation for sharing identity across our products. Layers on top of this like Open ID Connect, PKCE, JWT and JWKS provide us with a complete toolset which allows us to build a secure service while also being flexible enough to work across our digital estate.

We know that security is hard and yet we wanted to bring the strongest security standards into play. We have adopted the open source tool Hydra, by Ory, to handle the heavy OAuth lifting. This amazing technology dropped into our application stack very easily and now handles all of our OAuth authorisation and token generation while largely supporting all of the OAuth 2.0 IETF specifications.

All of our in-house development is on React front-ends and Spring Boot micro-service back-ends. We deploy all of our micro-services into the Sainsbury’s Tech Phantom EKS platform-as-a-service, while Kafka keeps everything communicating.

We decided early on that we would need a new domain that would allow us to utilise the OAuth spec fully and also enable key security improvements. We created the account.sainsburys.co.uk domain which houses the My ID user interface. This was one of the most fundamental changes as it meant that customers would transition between one of our products and My ID — previously the whole journey would be contained in a single UI. This needed to happen seamlessly and without breaking any existing customer journeys.

One Sainsbury’s technology that made this really easy was the Luna design system. By adopting this at an early stage we were safe in the knowledge that we were using battle-tested components that would feel familiar to customers. Additionally working very closely with the UX team was vital to create a clear and consistent message that customers could easily understand.

A balancing act between security and usability

One of our motivations for creating an identity platform was to make it easier to bring strong authentication standards to our products. We are now able to provide multi-factor & step-up authentication, single sign on and risk analysis into our customer account journeys. But if you pull the security lever too much it can have an adverse affect on the usability dial.

The motivation for increasing security is clear. In the current climate big companies are under constant attack. Credentials are routinely leaked on the internet and it is now becoming cheap and easy to try to utilise them. My ID reduces the attack surface and allows us to bring to bear strong intrusion detection tools that help us better protect our customers’ data.

It’s a difficult balancing act to get right, and there is no one size fits all solution here. But having the levers and dials in one place gives us the ability to experiment and learn.

What next?

We are really excited to look into biometrics. Some of our products already use fingerprint-based log-in. New standards are starting to appear like FIDO/WebAuthN, which promise a consistent way to add biometric authentication options to any application.

We want to continue with the integration journey. We want more of our products to speak the same “authentication” language and to create exciting ways for our customers to shop with us. This has already started — Groceries On-line can now easily and securely integrate with 3rd party products like Whisk. My ID can help to bring the Nectar loyalty programme into our other products.

Please feel free to reach out if you want to know more.