Outsourcing auth: how to get buy-in from your team

You lead a team of engineers, and your team is responsible for building out a new customer-facing product that could have a huge impact on the trajectory of your company. Lately you’ve been considering whether or not rolling your own authentication system is a good idea. You’ve spent a lot of time and effort carefully weighing the pros and cons, and you’ve come to the conclusion that home grown auth is not in the best interests of your company.

How do you go about talking to all the relevant stakeholders about this choice?

Not all orgs are the same, but many companies have similarities. Who to talk to and what to emphasize will be contingent upon the size and structure of your company, so you’ll have to adapt this article to your own circumstances.

However, I’m going to go through the main categories of stakeholders you might have, and suggest ways to talk to them about outsourcing your auth system. Even though you’ve convinced yourself that you’ve found the best course of action for your company, everyone else has to believe it too (or at the very least not actively oppose it).

You’ll have to talk to each type of stakeholder on their own terms in order to achieve the best outcome for your company. For each person in each type of role you’ll want to emphasize what the benefits are to them and how it’s going to help the company as a whole.

Each of the following sections addresses a different stakeholder. If you’ve been in your current role for any length of time, you’ll know which roles exist in your org. If not, your boss can help. For each stakeholder type, I’ll make suggestions on how to help them see what you see.

Your boss

With that in mind, emphasize a few points:

  • Speed to market: Depending on the features you need, it could literally take months to implement auth in-house, whereas it could take less than a day to incorporate an outsourced solution.
  • Cost: There are a few things to consider here, which are covered in the “Cost of in-house vs outsourced auth” section of my post “Why outsource your auth system?”
  • Mitigating risk: Two of the scariest things to an engineering leader are the risk of implementation time ballooning out of control and the risk of serious security breaches. Outsourced auth can help mitigate both of those concerns. Here, talking through the benefits in detail will be very helpful.

Your developers

If you convince every other stakeholder but fail to convince your devs, many of the benefits of outsourcing auth will be severely reduced. More importantly, if you try and ram through your agenda without adequately conveying your vision, you can lose hard-earned trust.

This is the ‘lead’ part of ‘leadership’ — in this instance your job is not to dictate, it is to motivate and guide. Your team is smart, and if plugging in an external auth component is the most appropriate way forward for your specific use case you’ll likely be able to forge consensus.

If not, take a long hard look at your situation and ask yourself if you need to reconsider based on new points of view! What have you missed that they have seen? All of your reasoning should be laid before the team, but in particular emphasize:

  • The minimal maintenance required by an outsourced system: The vendor will be continually improving the system so you don’t have to.
  • Support from the vendor: Documentation, engineering support, and best practices should all easily be obtainable from your vendor of choice, which will greatly speed implementation and mitigate long-term risk.
  • The ability to work on more interesting features: With the implementation time savings developers will be able to work on more interesting core features, which will also likely give them more visibility and resume-building achievements than re-implementing auth for the Nth time.
  • Stress reduction: Having a vendor be responsible for some of the high-security aspects of the product will help reduce developer stress.

Project management

Thus, when talking to project management about outsourcing your auth system it’s important to emphasize the benefits of speed of implementation and reduction of scheduling risk. With pre-built components and vendor support it’s unlikely that you’ll be blowing up your schedule with this choice.

Product management

Product management will probably also appreciate the fact that outsourced auth has a large feature set out of the box — you can point out all the functionality that your proposed auth system already has for which they won’t need to draft requirements. This conversation might even remind product management of things they need to ensure have been specified in the main product, like internationalization and localization.

Legal

Legal will likely appreciate the fact that you want to use a tried and tested solution rather than building something brand new. Legal will also appreciate that your proposed auth solution will help you comply with data protection laws like the GDPR, COPPA and the CCPA, as opposed to your team debating adding such support in a last minute sprint.

Quality Assurance

They especially don’t want to miss a crucial test and then have stakeholders across a panicked company asking them why a production auth system wasn’t tested thoroughly enough.

Talk to them about how your proposed auth solution has been pre-tested and battle-hardened (if it has been). Talk to them about the large community using the components and how the vendor responds to bugs; do they release a fix quickly or does the bug linger? Talk to them about how they can treat it like any other third-party component, which will let them focus on other concerns, like testing the features customers pay you for!

UX and Design

Talk to them about how they don’t have to reinvent the authentication flows, they just have to tweak them. Have them review vendor documentation about how to customize existing auth flows and screens. That will also inform you on the flexibility you have (or don’t) when doing such customization.

Security

In talking to people in this area, it still doesn’t hurt to emphasize:

  • The monitoring benefits provided by a dedicated auth system.
  • Standards certifications that your proposed auth system complies with (ISO 27001, SOC2, HIPAA BAAs, etc).
  • Actual laws that your proposed auth system can help you comply with, as mentioned in the legal section above (GDPR/CCPA are big ones!).

Infrastructure

It might also be that your infrastructure team is young and they’re just considering a company-wide auth solution. They might appreciate you doing the legwork here. The infrastructure team might even be where you work!

Talking points of concern to this role mainly focus on the benefits of single sign-on. The benefits are numerous, but some of the big ones are reducing help desk tickets, increasing productivity and security (fewer password post-its floating around), and just generally making life better.

Above all else, emphasize spending time doing new things

Don’t spend your time reimplementing boilerplate functionality that already has robust solutions. Auth is like a datastore; yes, you could build your own, but that’ll only make sense in specific circumstances.

Get your team excited about pushing your product forward with new features that will solve problems for your customers. Outsource what already has tried-and-true implementations.

Originally published at https://fusionauth.io.

Auth for built for devs. Installs on any server, anywhere in the world. Integrates with any codebase.