Do not write your own Identity Management solution for your product (unless your product is, itself, an Identity Management solution). Identity Management is hard and risky, and there are many proven off-the-shelf solutions supported by companies who retain teams of dedicated experts in the field.
Why not? Well, when you get Identity Management right, no one really notices, but if you get it wrong enough, you’ll get to handle angry customers, potential lawsuits, and redirecting development resources to resolve the issues. You might even get a free, permanent advertisement on haveibeenpwned.com.
Identity Management is something you’re expected and trusted to do well, at minimum. No one publishes articles about how well you handle authentication for your employees and customers, but everyone wants to hear about the next big breach and how many email addresses, passwords, and other pieces of personal information were leaked. Your customers are trusting you with their personal and financial data—the least you can do is make sure it’s protected by state-of-the-art technology and practices.
Why can’t this be easy?
The best practices for Identity Management are an ever-moving target: Computing power is increasingly easy to obtain and mobilize for attacking the endpoints on your networks, driving the need for more sophisticated encryption and hashing algorithms to stay ahead. It can take millions of years of compute time to break the currently recommended encryption standards. But sophisticated hackers don’t need to spend all this time cracking codes when they can find clever (or surprisingly NOT clever) ways of getting them directly from the source. Social engineering tactics and sources are becoming more targeted and effective due to the increase in oversharing on social media. If you ever posted anything that gives clues about your first pet, the street you used to live on, or your favorite vacation spot—you may have given hackers the information they need to break through common password security gates.
Passwords are the weakest link in Identity Management systems: you can’t always trust your end-users to keep their passwords complex enough to be effective against attacks. However, you can set them up for success by offering multi-factor authentication (SMS, email, hardware keys), device or browser detection, and captchas. Each of these features needs to be developed and tested to cover whatever situations your requirements dictate, taking time away from your team working on features that create value for your customers.
Luckily, there are many existing Identity Management solutions that account for all these features and make it easier for your users to behave securely. However, there are some questions you should ask when considering the right one. It’s important to consider usability, compliance, customization, and cost: Usability is speed, compliance is risk-mitigation, customization is handling, and cost is always a major decision-driver!
How quickly can our development team implement the solution?
Developer usability (or productivity) affects quality and time-to-market. This can be improved by example code, training materials, or access to an implementation team. Complex authentication schemes or integrations can be impossible to configure without a deeper understanding of the Identity Management solution. For example, Azure AD B2C provides the most common scenarios out of the box, but if you need to customize further, you’ll need to dig through layers of XML files that only the application engineers at Microsoft fully understand.
Can the hosted screens be customized to our branding language, and how hard is it to do?
Good security tends to have a bad User Experience (UX). The more protections you put in place against hackers, the harder it gets for the legitimate users to access the system as well. Comfort and familiarity of the look and feel help to build the users’ confidence in securely entering their credentials and help them spot potential phishing attempts.
The user experience is not as challenging if you’re relying on social logins for your authentication since those services already provide a comfortable and familiar experience for end-users. But when hosting your own customized Identity Management, recognizable branding is essential to building trust with users and reducing the chance they’ll enter their credentials into a scammer’s page.
How and where is personal data stored, and are certifications covered?
When dealing with personally identifiable information, or more sensitive data like medical records, you need to be aware of how your data is being handled. Compliance standards can be hard to understand, and you should consult your legal team—or experienced consultants—to produce a compliance test that will guide your questioning of the Identity Management vendor.
The EU’s General Data Protection Regulation (GDPR) is an example of a complex concern that your organization must define compliance with. Some countries may require personal data to be stored in-country rather than globally, and others will require you to disclose exactly where the data is stored. Certain customers could request their data be removed from your systems, and you’ll need to be sure you can do that.
Are my required custom flows or federation needs supported?
If your company deals in more sensitive data, you may have more complex authentication needs, such as using a hardware key as a second factor or integrating with another system for managing sessions. AWS Cognito, for example, allows you to set up custom code triggers at certain points in the authentication pipeline to support advanced behaviors. Azure AD supports many multi-factor options including an Authenticator App which is less likely to be tampered with.
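As an added illustration of the custom code triggers mentioned above (this is example code written for this article, not from AWS or the original author), here is one Lambda handler serving two Cognito user pool trigger points. The event shapes follow Cognito’s trigger contract; the policies themselves (reject sign-ins from unverified e-mail addresses, stamp a tenant claim from a hypothetical `custom:tenant` attribute) are assumptions for the example.

```python
class AuthenticationDenied(Exception):
    """Raising from a Cognito trigger makes Cognito reject the sign-in."""


def pre_authentication(event):
    """Pre Authentication trigger: runs before Cognito checks the password.

    Assumed policy: refuse accounts whose e-mail is not yet verified.
    This trigger's response is empty; denial is signalled by raising.
    """
    attrs = event["request"].get("userAttributes", {})
    if attrs.get("email_verified") != "true":
        raise AuthenticationDenied("e-mail address has not been verified")
    return event


def pre_token_generation(event):
    """Pre Token Generation trigger: runs just before tokens are minted.

    Assumed policy: copy the hypothetical 'custom:tenant' attribute into a
    short 'tenant' claim and suppress the raw attribute from the token.
    """
    attrs = event["request"].get("userAttributes", {})
    tenant = attrs.get("custom:tenant")
    if not tenant:
        # Assumed rule: never mint a token without tenant context.
        raise AuthenticationDenied("user has no tenant assignment")
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": {"tenant": tenant},
        "claimsToSuppress": ["custom:tenant"],
    }
    return event


# Cognito identifies the pipeline stage via event["triggerSource"].
HANDLERS = {
    "PreAuthentication_Authentication": pre_authentication,
    "TokenGeneration_Authentication": pre_token_generation,
    "TokenGeneration_RefreshTokens": pre_token_generation,
}


def lambda_handler(event, context=None):
    """Entry point: one function can be attached to several trigger points."""
    handler = HANDLERS.get(event.get("triggerSource"))
    if handler is None:
        return event  # returning the event unchanged lets the flow continue
    return handler(event)
```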
What are the annualized costs for my user count?
Identity Management solutions are usually licensed based on tiers of user counts: There are even free or low-cost tiers if the demand on the hosted solution is low. Usually, you can choose a lower tier to start and then upgrade to the higher tiers when necessary. “Low” in this space can be as low as 7,000 users (in the case of Auth0) or 50,000 users (in the case of Azure AD B2C or Google Identity), and then only with the basic authentication and token management capabilities. The “advanced” features you may need, like federation, might require opting into the higher tiers.
How do I get started?
Once you’ve done your research and selected a vendor, run a pilot project to prove that the solution will work and fulfill your needs. As with any complex software project, new critical requirements will be discovered as soon as your end-users get their hands on the real thing. Changing established Identity Management solutions can be very complicated (but not impossible), as most of these solutions are designed to restrict access to personal data.
Here’s a rundown of some of the common Identity Management solutions we work with:
- Azure AD B2C: You probably already have Azure Active Directory in your network. Adding B2C (also known as “external identities”) on top of it will let you secure your customer credentials the same as your employees’ and set up a single sign-on for everyone. Azure AD B2C has a free tier and supports more advanced federation and multi-factor options, though you need to work directly with Microsoft to configure more complex scenarios.
- Auth0: This service is very easy to configure visually, or with automation tools like Terraform. The developer tooling is very straightforward and quick to set up with a lot of examples, and the documentation and training guides are short and easy to understand. Pricing includes a “free” tier and up-front explanation of different features and levels. If time-to-market is your main driver, then Auth0 is a solid solution to evaluate.
- AWS Cognito: If you’re already using AWS for your application hosting, consider looking at Cognito. The “free” tier is as generous as Azure AD B2C’s, but doesn’t have the same depth of features. The documentation and examples nudge you into using AWS Amplify as a “happy path,” but you’ll need to dig into the language-specific SDKs for anything useful. You may need to author Lambda triggers to perform customization tasks, as the configuration user interface doesn’t provide much.
- Duende IdentityServer: The previously-free IdentityServer is now a commercial product with commercial support. IdentityServer is the de facto on-premise Identity Management solution in the .NET space. If you need to issue your own custom tokens, then Duende will be the most flexible and customizable solution that can be deployed with your own .NET developers (and the documentation is very good). It can easily be embedded in an existing application or self-hosted.
- Google Identity: Most people have a Google account, and many companies use G-Suite to host their corporate accounts. Google’s Identity Management UX is one of the simplest and best in the business. It easily supports multiple identities and defining applications and scopes with minimal development effort. Since the customer is bringing their own Google account, the multi-factor authentication is already configured for them. If social logins are acceptable, Google provides the easiest and nicest out-of-the-box solution that is both developer and administrator-friendly.
- Okta: If you’re looking for a complete Identity Management platform that can span multiple cloud providers, social logins, and provide support for a huge user-base, then Okta may be right for you. It integrates with Auth0 and provides a more administrator-friendly set of tools, automations, and documentation around the entirety of Identity Management. It can be a more expensive solution per user compared to Azure AD B2C, but is significantly easier to configure and understand, and it enables you to implement more complex workflows yourself.
Identity Management is the trust between you and your end-users, and also the weakest link in the cybersecurity chain. If you’re thinking of building your own, keep in mind all the considerations that go into choosing an off-the-shelf solution and the effort required to implement all those factors securely, and verify them completely. It’s best to leave this work to the security experts and focus your resources on your core business instead.