Authentication as a Service Security Due Diligence Tips

Within today’s software development ecosystem, third-party vendors are a common part of system architecture.

Specifically, Authentication-as-a-Service (AaaS) is growing fast. Their out-of-the-box capabilities enable engineering teams to focus on building features valuable to business rather than spending time and resources on reinventing the wheel of securing application access.

But outsourcing isn’t as simple as it sounds. Vendor management is time-consuming and can introduce significant risks to the business if due diligence isn’t observed.

This blog post is an excerpt from Performing Due Diligence on Authentication Vendors.

The need for due diligence

The 2017 Equifax data breach consumed many organizations, including mine where I was on the information security (Infosec) team. The breach exposed the personal data of hundreds of millions of people: social security numbers, names, addresses, and more. Thankfully, our organization had the right policies in place to safeguard the personal data and no data was compromised.

If you do outsource authentication capability, then putting in your due diligence is a must.

Due diligence is a series of steps that requires research and testing the capabilities of a third-party vendor. Going through this very intentional exercise is absolutely crucial before you onboard an AaaS into your system, as it can prevent future issues with security, performance, engineering, and pricing.

Think about the security standards of the authentication provider

Security is at the top of the list of due diligence tasks and should come as no surprise. Letting unauthorized parties get access to systems leads to loss of consumer confidence and financial penalties from regulators. Putting in effort to make sure an AaaS offers proper security is critical.

Authentication providers should have strong guardrails to protect your users’ confidential data and minimize the possibility of security breaches.

Work with potential authentication providers and your internal stakeholders on the following items to ensure security standards are met before integrating a vendor’s offering:

There’s always more to do with security, but the items above should be a good place to start.

What else should you consider?

While important, there are other aspects to consider when performing due diligence. Various other areas you should be checking into for a potential AaaS include:

To learn about those aspects and more, read Performing Due Diligence on Authentication Vendors.

Originally published at

Auth for built for devs. Installs on any server, anywhere in the world. Integrates with any codebase.