Don’t charge extra for single sign-on
When your customers suffer a cybersecurity breach, it is often the result of poor password or user management. Users might irresponsibly store, share, or reuse passwords, administrators may forget to disable accounts for former employees, or users could fall for a phishing attempt and give their login details to an attacker by accident. Passwords are a major point of failure in the realm of cybersecurity, and yet they remain the most common form of authentication employed by software-as-a-service products.
The best way to reduce password and user management risk for your product is to eliminate passwords altogether. There are a few ways to achieve passwordless authentication today, and all SaaS businesses should support one or more of these methods on all plans.
Single sign-on
The most obvious way to enable authentication without passwords is single sign-on. Single sign-on is a technology that allows users to log into your SaaS application with their account from another SaaS application. For example, in a world where all SaaS apps support single sign-on, businesses that use Microsoft 365 or Google Workspace could enable their employees to sign into all apps using their Microsoft 365 or Google Workspace account. This dramatically simplifies password management for users, making it easier for them to manage credentials responsibly.
Automated account provisioning and de-provisioning are added benefits of single sign-on. As long as an employee has an account with the identity provider, they should be able to access each SaaS app that supports single sign-on (and that they have permission to access). This goes the other way too: when an employee loses access to their account because they have left the company, their access to peripheral SaaS apps is removed too. It is common for small businesses to forget to disable accounts for staff, which can pose a serious cybersecurity threat.
Email-based authentication
Email-based authentication (also known as magic-link authentication) is a flow where users can access an application using only their email address. In this flow, users enter their email address, after which they are emailed a soon-to-expire link that they can click to log in instantly.
This flow is easy to implement and successfully eliminates passwords from the flow. In a roundabout way, it can also automate provisioning and de-provisioning: access can be enabled based on the domain of the user’s email address (e.g., you can only access a McDonald’s portal with a McDonald’s email address), and if their email account is disabled, they won’t be able to receive the magic link anymore.
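The magic-link flow described above, sketched as an added example (not code from the original post): a domain-restricted, expiring, single-use login token. The allowed domain, the 10-minute lifetime, the login URL and the in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time

ALLOWED_DOMAINS = {"example.com"}   # assumption: the customer's email domain
TOKEN_TTL_SECONDS = 600             # assumption: "soon-to-expire" taken as 10 minutes
LOGIN_URL = "https://app.example.com/login"  # hypothetical endpoint

# Constructed in-memory store: sha256(token) -> (email, expiry). Only the hash
# is kept, so a leaked table cannot be replayed as working links.
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email, now=None):
    """Return a login link to email to the user, or None if the address is refused."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    # Exactly one "@" so "a@evil.test@example.com" cannot pass the domain check.
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or domain not in ALLOWED_DOMAINS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"{LOGIN_URL}?token={token}"


def redeem_magic_link(token, now=None):
    """Return the authenticated email, or None for unknown, used or expired tokens."""
    now = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)  # pop makes the link single-use
    if record is None:
        return None
    email, expires_at = record
    return email if now <= expires_at else None
```

The page shown after the user submits their address should be identical whether or not a link was issued, so the form does not reveal which addresses are accepted.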
Web Authentication
Web Authentication is a new open standard that ties access permissions to a user’s device, often using biometrics (e.g., facial recognition or fingerprint). Essentially, a user’s phone or laptop works with the application to determine who the user is and whether they should have access. Apple and Google tie this to your iCloud and Google accounts, respectively, which allows you to access Web Authentication accounts from all of your devices.
This is a fantastic authentication method for B2C apps because the authentication flow is effortless for users, and most users keep their iCloud or Google accounts for a very long time. This method is limited for B2B applications, though, because personal iCloud and Google accounts are rarely managed by an individual’s employer (though I’m sure the various single sign-on providers will find a way to offer a pleasant user experience for Web Authentication eventually).
Why you need to offer one of these methods free of charge
It is now common for B2B SaaS applications to charge for single sign-on (if they offer it at all). This can cost customers hundreds of dollars per month per SaaS application. While this practice might help SaaS companies to better monetise their large customers who require single sign-on, it forces small and mid-sized businesses to compromise their security practices. These costs rarely align with the cost of providing these features.
- Atlassian has a dedicated product for single sign-on (bundled with some other security features), for which it charges at least US$30 per month per user.
- Slack restricts single sign-on to Google on the cheapest paid plan. I suspect this is related to Microsoft Teams being a competitor. Microsoft’s anti-competitive behaviour doesn’t make this any less user-hostile, though.
- Officevibe offers single sign-on for free.
As a SaaS vendor, table-stakes cybersecurity functionality should not be an upsell opportunity. Your customers deserve to be empowered to follow best practices. It’s also bad for you, as a vendor, to have your customers constantly suffering cybersecurity incidents due to your policies.
Cybersecurity is a big enough risk that I think all B2B SaaS companies should:
- Offer single sign-on on all plans.
- Support and enforce multi-factor authentication by default (if you support password-based authentication).
- At the very least, offer magic-link email-based authentication. This is a good option for companies yet to achieve product-market fit, who can’t justify the investment in more complex authentication flows.
Virtually any other approach is user-hostile and irresponsible. It also leaves opportunity on the table:
- Given the standard is to charge for single sign-on, it could give you a competitive advantage to offer it out-of-the-box.
- Centralised user management is a significant selling point for the Microsoft 365 ecosystem. If you compete with Microsoft and don’t offer the best security standards, you give customers another reason to stick to the Microsoft ecosystem. Sometimes, to compete, you need to make some ecosystem concessions such as this.
In B2B SaaS, we often look to other B2B SaaS businesses to justify our practices (pricing, hiring, engineering, security). This helps best practices spread throughout the industry and is the basis for much of the content on this blog. But, sometimes, things catch on that don’t make sense or are outright bad for users. Charging for single sign-on is one of those things, so I think it is time to buck this trend.