Understanding B2B vs B2C authentication

When you have a “user account”, that really means that you are listed in an authentication directory. A directory is basically a list of usernames and passwords. (For simplicity, ignore SSO, MFA and “password-less” in this discussion.)

B2C (Business to Consumer) can be thought of as a “two-party” relationship. When you sign up for a Facebook account, you and Facebook are the only parties involved in that relationship. Other examples of B2C accounts are:

  • Instagram
  • Twitter/X
  • Microsoft*
  • Google*
  • GitHub

* These can be tricky because Microsoft and Google also offer B2B accounts.

B2B (Business to Business) can be thought of as a “three-party” relationship. If your company uses Microsoft 365, your user account for that involves Microsoft (who hosts the directory), your employer (who administers the directory), and you. Incidentally, this account has to do with Microsoft but isn’t a “Microsoft Account”, because that’s the proper name for their B2C offering.

In a B2C system, you (the user) choose to sign up for the account and only you can delete your account. In the case of your job providing you a Microsoft 365 account (B2B), an administrator issues the account to you and, if you leave, they can (and should) delete your account.

Note that there are plenty of times that B2C authentication is used in a business environment. For instance, if you use GitHub to store source code for a work application, you grant permissions (which is authorization, as opposed to authentication) to someone’s GitHub account. They created that account themselves and it wasn’t issued to them by your company, so it is B2C.

Some larger companies have “approved vendor lists”. Instead of being able to purchase from any vendor, you are limited to approved vendors. This is kind of like B2B authentication. In a B2B authentication system, you can only grant permissions to users listed in your corporate directory. Note that, just as being on the approved vendor list doesn’t mean that anyone has bought anything from you, being part of the B2B directory doesn’t grant you permission to access anything. It’s only a necessary first step.
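The sketch below is an added example, not part of the original post. It models the rule that directory listing is necessary but not sufficient for access, and goes one step further to show what that means when someone leaves: deleting the B2B account cuts off B2B resources, while a grant to a self-created B2C account keeps working. All class, function, account and resource names are hypothetical, and the user is assumed to have already authenticated.

```python
class Directory:
    """Directory the company administers (B2B): admins issue and delete accounts."""
    def __init__(self):
        self.users = set()

    def issue(self, user):
        self.users.add(user)

    def delete(self, user):
        self.users.discard(user)


class Resource:
    """Something access is granted to. directory=None models B2C: the account
    lives in the provider's directory, which the company cannot administer."""
    def __init__(self, name, directory=None):
        self.name = name
        self.directory = directory
        self.grants = set()

    def grant(self, user):
        # B2B: only users listed in the corporate directory can receive a grant.
        if self.directory is not None and user not in self.directory.users:
            raise PermissionError(f"{user} is not in the corporate directory")
        self.grants.add(user)

    def can_access(self, user):
        # Directory listing is necessary; the explicit grant is what authorizes.
        listed = self.directory is None or user in self.directory.users
        return listed and user in self.grants


def offboard(directory, work_account, personal_account, resources):
    """Delete the B2B account, then report grants that still work afterwards."""
    directory.delete(work_account)
    return [r.name for r in resources
            if r.can_access(work_account) or r.can_access(personal_account)]


# Constructed sample data (hypothetical names).
corp = Directory()
corp.issue("alice@corp.example")
wiki = Resource("wiki", directory=corp)   # B2B resource
repo = Resource("source-repo")            # B2C resource, self-created account
listed_only = wiki.can_access("alice@corp.example")  # listed, no grant yet
wiki.grant("alice@corp.example")
repo.grant("alice-personal")
leftover = offboard(corp, "alice@corp.example", "alice-personal", [wiki, repo])
```

Anything returned in `leftover` is a grant the company has to revoke itself, because it cannot delete the B2C account.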