Auth0 Bluetooth Sig Case Study


CASE STUDY

Bluetooth Special Interest Group (SIG) Case Study

Learn how a standards-based organization implemented standards-based authentication via OpenID Connect and OAuth for improved security, access, and interoperability

ABOUT BLUETOOTH SIG

Formed in 1998, the Bluetooth SIG is the not-for-profit trade association that
oversees Bluetooth® technology. In support of more than 34,000 member companies,
the Bluetooth SIG facilitates the collaboration of its members to create new and
enhanced specifications that expand the technology, drives global interoperability via a
world-class product qualification program, and grows the brand by increasing the
awareness, understanding, and adoption of Bluetooth technology.

INDUSTRY: Non-Profit
REGION: AMER

auth0.com 01
Bluetooth Special Interest Group (SIG) is a standards-based organization that oversees
the development and licensing of Bluetooth technologies. With over 30,000 member
companies including the biggest names in consumer electronics, the organization aims to
unify, standardize, and drive innovation in the vast range of connected devices. We sat
down with Jeremy Syme, Director of Systems Engineering, and Guru Nagaraju, Software
Development Manager, to discuss why they chose Auth0 as their identity provider.

Bluetooth SIG needed a modern identity solution in order to meet the challenges of
expanding collaboration, providing secure access, and ensuring organizational
compliance for over 150,000 users. The organization wanted a standards-based
authentication solution that could meet present and future needs. They decided that
OpenID Connect and OAuth 2 met these requirements.

Security and authentication go hand in hand. Ensuring secure access was very
important to Bluetooth SIG due to the nature of their work as well as the requirements of
their members. Auth0 puts security front and center in numerous ways: all
communication is encrypted, passwords are hashed and salted with bcrypt, and attack
prevention and mitigation measures are in place to ensure service availability.

Granular access to the various services Bluetooth SIG provides was also needed. Users
are assigned member levels based on their organization. Organizations are grouped into
three member levels:

Adopter – the basic level of membership that allows an organization to license and use
Bluetooth technologies in their products.

Associate – this level of membership allows an organization to participate in Bluetooth
SIG working groups and the specification development process.

Promoter – the member companies that oversee Bluetooth SIG have this level of
membership and act essentially as the board of directors for the organization.


Naturally, the different member levels meant different levels of access needed to
Bluetooth SIG services. Adopters, for example, would only need access to view the latest
approved specification, while Associate members would participate in contributing to
working drafts and have privileged access to unreleased documents.

The Bluetooth standards are defined by various working groups within the organization.
A highly granular permissions system was needed to ensure compliance and limit legal
liability. This was non-negotiable and whatever solution the team would recommend
would need to work with the existing system that enforces these roles.

Bluetooth SIG already had a homegrown authentication solution, but it was not meeting
the needs of the organization. The engineering team, led by Jeremy Syme, decided that
it was time to implement a modern authentication solution in their ecosystem. The
team evaluated whether to build or buy, and quickly determined that buying was the way
to go. The engineering team did not have the resources or expertise to build and
maintain another homegrown solution, so after evaluating various options they decided to
entrust Auth0 with identity and authentication going forward.

“Everything in our organization including authentication was
initially custom built, and ten years ago this made sense, but as
we’ve grown and matured as an organization, the decision to buy
and integrate made much more sense.”

Jeremy Syme
Director of Systems Engineering


Challenge

Bluetooth SIG started out with a single homegrown ASP.NET application. At the time,
they used ASP.NET forms-based authentication to provide a secure login experience for
their users. This worked while they had just a single application to maintain, but as the
organization grew and additional services were deployed, it became apparent that this
solution was not going to cut it.

The biggest feature the engineering team wanted to implement was Single Sign-On
(SSO). Without it, the various services, both homegrown and SaaS, would each have their
own authentication systems, workflows, and user stores. The overhead of managing all of this
would be highly impractical. Maintaining their own authentication infrastructure, patching
security holes, and fixing authentication-related bugs would take time and resources
away from developing features core to Bluetooth SIG’s mission.

The engineering team evaluated whether their existing solution could be extended to
accomplish these goals and discovered that doing so would be a complex task that would
still not be satisfactory in the long term. They needed more than an authentication
system; they needed an identity management platform.

“We could have implemented Single Sign On without Auth0
through workarounds, but we needed a solid identity solution that
followed the OAuth spec and supported our existing access
control mechanisms.”

Guru Nagaraju
Software Development Manager


Identity-as-a-Service

Secure authentication alone was not enough. Bluetooth SIG engineers decided that a
modern identity management system was needed. They first evaluated whether to build
a solution in-house, buy or license an existing provider, or configure an open-source
solution. It was quickly and unanimously decided that buy was the way to go.

With the decision to buy established, the engineering team set out to evaluate options
and offerings. The criteria not only included technological capability, but also licensing
and support considerations. Two companies were identified as possible matches, Auth0
and a competitor.

The team reached out to both. Part of the evaluation process was building a
proof-of-concept with each vendor to demonstrate platform capabilities. The
competitor fell short: it lacked OAuth 2 support, and its licensing model did not
make sense for Bluetooth SIG. Auth0 presented the winning playbook by meeting the
technological, licensing, and support needs.

“Our team is comprised of 17 engineers, while we have work for
over 50. Every minute spent on building and managing identity is
opportunity lost on building software core to our mission.”

Jeremy Syme
Director of Systems Engineering

Winning Playbook With Auth0

Auth0 was chosen as the identity platform for Bluetooth SIG. The platform was chosen
not solely for technological capability, but also for state-of-the-art security, top-notch
documentation, excellent customer support, and a superior licensing model that was a
right fit for the organization.


The return on investment for Bluetooth SIG was measured primarily in opportunity cost.
Every engineer tasked with building and maintaining an in-house identity solution would
have been an engineer taken off a project core to the organization’s mission.

Technology

On the technology front, Auth0 met all of the needs of Bluetooth SIG. Having the
capability is one thing, but the ease of integration cemented the choice for the
engineering team. The organization already had various applications, both homegrown
and SaaS, and Auth0’s modern identity solution was implemented on top of the existing
technology without any code changes.

With Auth0, the team was able to integrate Single Sign-On (SSO) and modern
authentication on top of the existing legacy implementation. This allowed the team to use
their existing database of users which meant they wouldn’t need to inconvenience their
members with password resets or downtime. This also allowed the engineering team to
define a roadmap for migration that they felt comfortable with and fell in line with their
plans for the future.

“Implementing the Auth0 identity solution took a single digit number of days versus the
estimated months to build a solution in-house.”

– Jeremy Syme, Director of System Engineering

Security

Bluetooth SIG needed an authentication solution they could have full confidence in both
from a security and access standpoint. On the security front, Auth0 met the needs by
providing a secure cloud based infrastructure that supported encryption, password
hashing, and attack mitigation. Support for standards-based authentication protocols like
OpenID Connect and OAuth 2 ensured that Bluetooth SIG would not experience vendor
lock-in.


Bluetooth SIG needed a highly granular permissions system for their users. With various
member levels and working groups across the organization focusing on different parts of
the Bluetooth specification, it was important to get access control right. The organization
already had a permissions system defined and Auth0 was able to use these existing roles
and permissions seamlessly.

Documentation

Top-notch documentation played an important educational role for Bluetooth SIG
engineers. Authentication and identity management are complex topics by themselves,
and when compounded with various standards and implementations they can be daunting
to understand and implement correctly.

Auth0 provided quick-start tutorials paired with real-world code samples, which allowed
the Bluetooth SIG team to quickly build and experiment with different features and
configurations. Code samples that could be downloaded and run were key to
helping the team understand how to put all the pieces together and how the real-world
implementation would work for their platform. In-depth guides and blog posts provided
additional knowledge on how-tos and best practices for optimal security and
performance.

Licensing

Auth0’s licensing model was a perfect fit for Bluetooth SIG. Rather than charging a fee for
every user each month as is typical in the SaaS industry, Auth0’s licensing model is
based around active usage. This means that an organization using Auth0 only incurs a
cost when their users actually log in.

The majority of Bluetooth SIG members fall in the Adopter category. Out of the 150,000
users, the majority typically log in a few times per year to get the latest documentation
and standards released by the organization. A pay per user licensing model did not make
sense in this regard. Paying for active users made much more sense.

Support


Bluetooth SIG and Auth0 worked collaboratively to develop a proof-of-concept and
showcase platform capabilities. After the decision was made to go with Auth0, the
customer success team provided quick response times for questions and issues. Issues
were resolved quickly and transparently.

A concern that the management team had with offloading authentication and user
management to a third party was unexpected downtime. Auth0’s track record of
transparency for incidents and downtime as well as community outreach helped put the
management team at ease with trusting a third party with one of the key aspects of their
platform.

“Auth0 allowed us to keep our existing infrastructure in place
exactly as it was before, and we just added the Auth0
authentication layer on top, this was frankly one of the main
reasons we chose to go with Auth0.”

Jeremy Syme
Director of Systems Engineering

Looking Ahead

Auth0 met Bluetooth SIG’s identity needs of today and is also ready to tackle future
needs. Looking ahead, the organization plans to add enhanced security features like
Multifactor Authentication and the OAuth 2 implicit flow for greater control. Auth0 supports
both of these features out of the box and will be there to assist and support at every step of
the way.


Eventually, Bluetooth SIG is planning on migrating their users from the existing database
and moving to a full standards-based OAuth and OpenID Connect-capable infrastructure.
Here too, Auth0 is poised to delight with comprehensive migration tools and support to
ensure a smooth transition.

“Auth0 was able to solve our immediate needs with Single Sign On
and integrating 3rd party applications, but looking ahead into our
roadmap the Auth0 identity platform will help us with future
projects by securing our APIs.”

Guru Nagaraju
Software Development Manager

Conclusion

Meeting the technological needs for modern identity and authentication is important, but
it is not enough to just have the tools. Documentation that clearly explains, shows, and
educates developers on how to implement authentication the right way, support and
transparency for when things go awry, a fair licensing model, and pleasant developer
experience drove Bluetooth SIG and its engineering team to Auth0.

“Being a standards-based organization, it was important for
Bluetooth SIG to implement a standards-based identity solution
for our platform.”

Jeremy Syme
Director of Systems Engineering


ABOUT AUTH0

Auth0, a product unit within Okta, takes a modern approach to identity and enables
organizations to provide secure access to any application, for any user. The Auth0
Identity Platform is highly customizable, and is as simple as development teams want,
and as flexible as they need. Safeguarding billions of login transactions each month,
Auth0 delivers convenience, privacy, and security so customers can focus on innovation.
For more information, visit https://auth0.com.
