Don’t charge extra for single sign-on

When your customers suffer a cybersecurity breach, it is often the result of poor password or user management. Users might irresponsibly store, share, or reuse passwords, administrators may forget to disable accounts for former employees, or users could fall for a phishing attempt and give their login details to an attacker by accident. Passwords are a major point of failure in the realm of cybersecurity, and yet they remain the most common form of authentication employed by software-as-a-service products.

The best way to reduce password and user management risk for your product is to eliminate passwords altogether. There are a few ways to achieve passwordless authentication today, and all SaaS businesses should support one or more of these methods on all plans.

Single sign-on

The most obvious way to authenticate without passwords is single sign-on. With single sign-on, your SaaS application does not check credentials itself: it redirects the user to an identity provider (typically over SAML or OpenID Connect), which authenticates them and hands back a signed assertion that your application trusts. For example, in a world where all SaaS apps support single sign-on, businesses that use Microsoft 365 or Google Workspace¹ could have their employees sign into every app with that one account. Users then have a single credential to protect (ideally with multi-factor authentication enforced at the identity provider) instead of one per app, which makes managing it responsibly far easier.

Automated account provisioning and de-provisioning are added benefits of single sign-on. As long as an employee has an account with the identity provider, and has been granted access to a given app, they can sign into it. This works the other way too: when an employee leaves and their identity-provider account is disabled, they can no longer sign into any of the connected apps. Two caveats for implementers: single sign-on only gates new logins, so a session that was already issued survives until it expires unless you revoke it, and creating or removing the user record inside your app is a separate step, handled either just-in-time at first login or through a provisioning protocol such as SCIM. It is common for small businesses to forget to disable accounts for departed staff, which is a serious cybersecurity risk and exactly the failure that centralising accounts at the identity provider prevents.

Email-based authentication

Email-based authentication (also known as magic-link authentication) is a flow in which users access an application using only their email address. The user enters their address, the application emails them a short-lived, single-use link, and clicking that link logs them in.

This flow is easy to implement and removes passwords entirely. In a roundabout way, it can also automate provisioning and de-provisioning: access can be granted based on the domain of the email address (e.g., you can only access a McDonald's portal with an [email protected] address), and if the employee's mailbox is disabled, they can no longer receive the link. The trade-off is that the security of your login is now exactly the security of the user's mailbox, so the token in the link must be unguessable, expire within minutes, work only once, and be stored hashed on your side; and the "check your inbox" response should look the same whether or not the address is registered, so the form cannot be used to enumerate users.
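The magic-link flow described above, with the domain-based access rule, as an added example rather than code from the original post. It uses only the Python standard library; the in-memory store, the `example.com` allowlist and the injectable clock are assumptions for the sake of a self-contained demonstration. Emailing the link and minting the session after redemption are left to the caller.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 10 * 60            # links expire after ten minutes
ALLOWED_DOMAINS = {"example.com"}     # constructed allowlist; stands in for "mcdonalds.com"


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, short-lived login tokens.

    Only the SHA-256 of each token is stored, so a leaked table of pending
    links cannot be turned into working login URLs.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                # injectable clock (tests)
        self._pending: Dict[bytes, PendingLink] = {}   # token hash -> link record

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> Optional[str]:
        """Return the raw token to embed in the emailed URL, or None if the
        address is not eligible. Callers must show the same "check your inbox"
        message in both cases so the form cannot enumerate registered users."""
        email = email.strip().lower()
        domain = email.rpartition("@")[2]
        if not domain or domain not in ALLOWED_DOMAINS:
            return None
        token = secrets.token_urlsafe(32)              # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = PendingLink(
            email=email, expires_at=self._now() + LINK_TTL_SECONDS
        )
        return token   # e.g. https://app.example/login?token=<token> (assumed URL)

    def redeem(self, token: str) -> Optional[str]:
        """Return the authenticated email address, or None for an unknown,
        expired or already-used token. A token is consumed on first use."""
        # Looking up the hash (not the token) means any timing variation in the
        # dict lookup reveals nothing about the secret token itself.
        key = self._hash(token)
        link = self._pending.pop(key, None)            # removed on any outcome
        if link is None or link.used:
            return None
        if self._now() > link.expires_at:
            return None
        link.used = True
        return link.email


if __name__ == "__main__":
    svc = MagicLinkService()
    tok = svc.issue("alice@example.com")
    print("issued token for allowed domain:", tok is not None)
    print("first redemption:", svc.redeem(tok))       # alice@example.com
    print("second redemption:", svc.redeem(tok))      # None (single use)
    print("wrong domain:", svc.issue("bob@evil.test"))  # None
```

Because the service pops the record on every redemption attempt, a guessed or replayed token can never be retried, and an expired link is discarded the moment it is presented rather than lingering in the store.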

Web Authentication

Web Authentication (WebAuthn) is an open W3C standard in which the user's device holds a private key and proves possession of it by signing a challenge from your application. Biometrics (facial recognition or a fingerprint) or a device PIN only unlock that key locally: nothing biometric is sent to your servers, and because the signature is bound to your site's origin there is no shared secret for a phishing site to capture. Apple and Google sync these credentials (passkeys) across a user's devices through their iCloud and Google accounts, respectively.

This is a fantastic authentication method for B2C apps because the flow is effortless for users, and most people keep their iCloud or Google accounts for a very long time. It is more limited for B2B applications, because personal iCloud and Google accounts are rarely managed by an individual's employer. In practice, businesses get WebAuthn through their identity provider, which can require a passkey or hardware security key as the sign-in method and then pass the user on to your app via single sign-on, which is one more reason to support single sign-on on every plan.

Why you need to offer one of these methods free of charge

It is now common for B2B SaaS applications to charge extra for single sign-on (if they offer it at all), often hundreds of dollars per month per application. While this may help SaaS companies monetise the large customers who require it, it forces small and mid-sized businesses to compromise their security practices, and the price rarely bears any relation to the cost of providing the feature.

As a SaaS vendor, table-stakes cybersecurity functionality should not be an upsell opportunity. Your customers deserve to be empowered to follow best practices. It’s also bad for you, as a vendor, to have your customers constantly suffering cybersecurity incidents due to your policies.

Cybersecurity is a big enough risk that I think all B2B SaaS companies should:

Virtually any other approach is user-hostile and irresponsible. It also leaves opportunity on the table:

In B2B SaaS, we often look to other B2B SaaS businesses to justify our practices (pricing, hiring, engineering, security). This helps best practices spread throughout the industry and is the basis for much of the content on this blog. But, sometimes, things catch on that don’t make sense or are outright bad for users. Charging for single sign-on is one of those things, so I think it is time to buck this trend.

Footnotes

  1. Other single sign-on providers, like Okta, are also available.

  2. Slack does offer magic-link authentication, though.
