Why did we build BBC iD?
You may have noticed that slowly but surely, we're moving all our existing services to a new sign in system, called BBC iD. You might also notice that anything we build from now on uses BBC iD from the start. So far we've migrated all our blogs, nearly all our messageboards, and our three big communities: Have Your Say, 606 and H2G2.
A few people have posted blog comments asking why we've done this, and what it means for the future. I thought I'd write this to help explain what we're doing and why.
So, why did we build BBC iD?
The simple answer is that our old system - called 'Single Sign On', or SSO - needed replacing. It had been around for nearly 6 years, skillfully powering all the BBC's online services which required authentication, but 6 years is a long time on the web. SSO has been showing its age in some very specific ways:
The technology platform
SSO was built on Perl and MySQL. Good technologies for their time, but the BBC is moving towards a new online architecture (internally called 'Forge') which uses Java and PHP on top of MySQL, Apache and Memcached. Soon, the old Perl-based system will be turned off. SSO would have to have been ported to Forge anyway, so it was a good time to completely refresh it from the ground up.
SSO used a single MySQL database instance. Forge allows applications to have multiple partitioned databases - which helps to make it horizontally scalable. This means that as BBC iD gets used more and more, we can make it perform simply by adding more servers. Until recently, you only signed in to small pockets of the BBC - the odd messageboard here, a one-off application there.
However, with the advent of BBC iD, nearly every page on BBC Online will know if you're signed in or not, and will be able to adjust itself accordingly. This new level of personalisation will allow BBC Online to grow and personalise around you in ways that were never before possible. But this level of integration, and load, needed a totally new architecture which made heavy use of partitioned (sharded) databases, Memcached, and load balancing.
BBC Online continues to grow its audience internationally, and has a staggering number of language sites. As these sites want to do things like personalisation, they need sign in features in their native language. Adding features like these retroactively to a product is really hard - they have to be built in from the start. One more reason why we knew SSO had to be replaced.
Although the first versions of BBC iD are English-only, under the hood, it's been designed with internationalisation in mind. For example, every bit of text you see isn't embedded into the code; it comes from a language-specific package. We're now working on increasing the number of supported locales. This will eventually include not only the main UK languages like Welsh and Gaelic, but languages with different characters (like Cyrillic in Russian) and right-to-left text (Persian etc.) - in fact, anything you can throw at Unicode.
Since SSO was developed, security techniques and technologies have moved on a lot. For example, a while back it was impossible to support the loads we needed while also encrypting data both in transit and on disk. Now, that's possible. As such, BBC iD has been built from the ground up with very secure architecture in mind. All personal data is stored on disk encrypted, all personal data is transferred over HTTPS, and inside the BBC there are strict access controls put in place to make sure only the staff who are authorised have access to it. While SSO was good for its time, the security model had to be thoroughly rethought.
But why build your own sign-in system at all?
OpenID, Facebook Connect, OAuth - the modern web is full of distributed, decentralised identity systems. We could have just forgotten about building our own system, and just implemented one, or all, of these.
Well, the good news is they're on their way! BBC iD was built from the ground up to be compatible with OpenID and other distributed authentication systems and later this year, we'll be introducing the ability for you to sign in to BBC Online using your Facebook login via Facebook Connect, and your Google and Yahoo logins (and more) via OpenID.
However, we still felt we needed our own base-level sign in system, both for those users who don't have external logins they want to use, and also for those who just don't want these things linked together. As the BBC has a mandate to serve all licence fee payers, building our own standalone system was a necessary evil.
Truly, Single Sign On
The biggest problem with the old SSO system was that, although it was actually a BBC-wide sign on system, almost none of our users realised this. It was mainly down to some user-experience decisions within the SSO interface. While a tiny percentage did use their SSO account for more than one service, nearly everyone created a new SSO account for each BBC service they registered for. We're trying to move BBC Online to become a more social, more coherent website. As such, it's essential that our users realise they're signing into the whole BBC site - not just a part of it.
With the old SSO model, we had ghettos of interactivity which didn't connect with each other or the rest of the site; each had their own users, their own rules and their own user interfaces. This made it impossible to represent users on every part of BBC Online consistently.
BBC iD solves this problem in two ways.
Firstly, you can only have one BBC iD per email address. This is made clear as soon as you try and create a second BBC iD with the same email address. A single BBC iD can be used across BBC Online and a person can have more than one BBC iD, but they'll need a separate personal email address to register with for each one. Contrary to some comments on our blogs, BBC iDs are not limited by IP address, so you can have more than one per household. The email address is the important unique field.
Secondly, we created a 'brand' for our login. We're not the first to do this: Yahoo, Google and Apple all do it. And remember Microsoft Passport? We'd rather not have called it anything, but we did lots of testing that showed that people didn't realise their login was global across our site unless we branded it. We've been careful to keep it a 'soft' brand though. It's represented by colour, language and iconography. This consistent message should remind users wherever they see the 'Cid' symbol (Cid's the bod on the badges pictured above, derived from BBC iD) and the words 'sign in', that they can use the same sign in details they use elsewhere on BBC Online.
By contrast, SSO's sign in and register pages were branded to match the service you came from - further reinforcing the impression that SSO was service-specific sign in.
But it's a pain to upgrade
Yes it is. Transitioning users from the old system to the new system is not easy. We could have just copied all the old user data from SSO into our new system, but that would have meant millions, literally millions, of old, dead unused accounts in our nice, clean, new system. Instead, we chose to allow our users to 'upgrade' their old SSO accounts to BBC iD. While this is a little annoying for some users, it is a one-time only process, and means the users we have in BBC iD have new, clean data - and best of all, it means people can register with sensible usernames again. With 13 million accounts created over 8 years, SSO was full of old, bad data.
We take our users' experiences very seriously, so we've done all we can to make the upgrade process simple, reliable and quick. There will always be some people who experience problems, but we monitor our stats and our help email addresses very closely and try and help each and every one of our users who has problems.
Will it be worth it?
The short answer is, yes.
Change is often disruptive, but necessary. The rollout of BBC iD across BBC Online will allow our site to do incredible new things - more personalisation, better interactivity and more security for our users. Without this move to use BBC iD, BBC Online would not be able to build, grow and become a properly modern, interactive, coherent site.
Simon Cross is the Product Manager for BBC iD.