How to pick an identity as a service (IDaaS) provider: A guide for busy startups

Identity is an important problem, but solving it is outside your core skill set. Lucky for you, and with apologies to Steve Jobs, there’s a SaaS for that.

Employees at startups have to take on all kinds of roles outside their core skill sets. Though you may have come from a role as a dev at a BigCo, at a startup, you might be a Frankenstein of roles that stitches together engineering, sales, people ops, and more. Your focus might be on the next big feature, but you’re routinely pulled aside to help a deal come together or interview a new hire.

Now, you’re the head of IT. Even if you don’t technically have the title, that’s effectively what you’re doing. Your company’s product is finally gaining traction, and deals are starting to feel less like pulling teeth. But your founder (assuming your founder is, as they should be, leading sales) discovered a flaw: identity.

Your deals are running aground on one of the most boring features imaginable. Even though stakeholders have bought in, and points-of-contact are excited about what your product offers, your prospect’s IT department gives you a firm “No.” Your product is good, but it doesn’t integrate with your prospect’s identity stack. That means your prospect can’t ensure that their users will be secure when they use it — and that threatens the security of the entire company.

So you can see why deals might fall apart. And you can see why your founder “volunteered” you to figure out identity.

But for a startup with precious few engineering resources, it simply isn’t worth your while to build out your own identity solution. Pick the right IDaaS provider and you’ll get best in-breed-identity that can scale with you.

The problem isn’t building identity; it’s finding the best identity provider out there.

1. Understand the market: What is identity as a service?

In a sentence, identity refers to the technologies companies use to confirm users are who they say they are, and IDaaS refers to a category of services that bundle these technologies and provide them as service. Identity is really a nest of technologies that include features like single sign-on (SSO) and multifactor authentication (MFA), as well as products like mobile application management and enterprise mobility management.

To understand what IDaaS really is, let’s dig into what technologies make up that bundle and how that bundle is shaped by wider market forces.

IDaaS is a bundle of identity technologies

I hope you’re prepared for a whole swarm of acronyms.

IDaaS is a part of identity access management (IAM), an umbrella of technologies that include the following:

• Mobile application management (MAM): Services that control internal and commercial mobile apps
• Enterprise mobility management: Services that companies use to secure data on employees’ devices (both personal and company-owned)
• Customer identity and access management (CIAM): Services that companies use to manage and authenticate users
• Provisioning and access control: Services that companies use to provision and deprovision user accounts

IDaaS is narrower than IAM. IAM solutions, at the broadest level, help companies define and manage user access and authorization for both internal employees and external customers. IDaaS is the identity portion of that technology packaged as a service, typically an API, that companies can use to provide authentication to their customers. IDaaS is essentially the tool through which companies outsource their authentication needs.

IDaaS is also closely associated with features many IDaaS providers tend to offer, such as:

• Single sign-on (SSO): A feature that enables users to access a range of services through one login, creating a more secure and more fluid user experience
• Multifactor authentication (MFA): A feature that lets companies lock down access to users who can’t provide multiple authentication methods, such as password and security question or retinal scan or fingerprint scan.
• Biometrics: A particular form of authentication that uses biological and physiological traits to prove identity, such as fingerprints

IDaaS is some of these and all of these. Some IDaaS providers will offer everything we’ve described here and more; some will home in on a feature like SSO.

Two market forces shape the IDaaS industry

The IDaaS market is shaped by two larger industry shifts: the shift toward outsourcing and the shift toward zero trust.

In increasingly competitive markets, companies benefit from focus. A startup that has few employees and fewer funders shouldn’t spin up an identity solution that won’t differentiate them from their competitors. The market is cutthroat—every ounce of energy needs to be dedicated to understanding and solving your users’ problems.

Outsourcing no longer refers exclusively to big companies shipping jobs overseas. Nowadays, even the smallest company can outsource functions and features to another company. Your cousin who sells jewelry? She plugs into Shopify (which itself plugs into Stripe), enabling her to focus on jewelry design while Shopify focuses on maintaining her online storefront.

The same principle applies to startups.

By outsourcing noncore functions to specialty service organizations, startups can maintain a ruthless focus on what differentiates them from their competitors. With APIs, it can take only a few lines of code to outsource a function. Why spin up your own SMS functionality when Twilio can do it in minutes? Identity is in the same bucket, and because it’s both important and outside most business’s focus, it tends to be a top target for outsourcing.

The other force shaping the movement toward using IDaaS is zero trust.

Traditionally, companies focused on perimeter-based security. This meant that IT would treat companies like homes and set up safeguards around the network that would block access to unauthorized users. The problem with perimeter-based security is that it creates a single point of weakness, a large attack surface, and a high-reward scenario for hackers. If intruders can break through that perimeter, then they have everything.

All that has changed in a world dominated by bring-your-own-device policies, SaaS tools, and mobile apps. The better security stance has proved to be zero trust. Zero trust starts with authentication and allows user access only after identity is confirmed. Users, especially through features like SSO and MFA, have to authenticate before they can access anything.

IDaaS benefited from this shift to zero trust because this stance places identity (and thus IDaaS) in a central role.

2. Study IDaaS use cases to see where you fit in

Everyone needs identity, but not everyone needs IDaaS. If you see yourself in any of these three scenarios, you need IDaaS.

Your prospects’ IT teams are stakeholders

Navigating enterprise deals is as much about politics as it is pitching. You might have the CTO, the CEO, and a host of developers on board, but for many companies, if IT says no, then the deal doesn’t happen. IT might love the product otherwise, but if it doesn’t gel with the company’s identity stack, then it’s a no-go.

This might be frustrating at first, but please, empathize with IT.

IT teams are frequently overloaded with password reset requests. In a NIST study, participants experienced 23 authentication events per day. That’s 23 times an employee might have lost their sticky note and had to interrupt IT’s day to get access to your app. Allowing “just one” app that doesn’t integrate isn’t a small problem — but it could lead to many requests recurring across many employees. That’s a big problem, in aggregate.

IT is already in the midst of a decade-long battle with shadow IT. The so-called “consumerization of the enterprise” has meant a rise in companies moving bottom-up into the enterprise and employees adopting apps without IT permission.

The success of the deal and your continued relationship with an enterprise might rely on satisfying the IT team. The right IDaaS provider can integrate seamlessly into what an enterprise IT team already uses.

Your prospects have distributed workforces

According to FlexJobs, there was a 159% increase in the number of employees working remotely between 2005 and 2017. COVID-19 has only accelerated that shift, and analysts predict this trend isn’t a trend at all — it’s here to stay.

The dominance of remote work and distributed workforces means startups, especially ones selling B2B business tools, are moving into an entirely different market. A distributed company needs even more tools than a local one, and certain tools may keep the entire business afloat. Just look at whatever happens when Slack goes down.

An app without a solid identity is an app effectively ready to go down. If employees can’t access it, it might as well be down. The right IDaaS can enable your customer to manage your offering amid all its other ones, meaning employees can easily access it and use it alongside their other apps.

Your prospects have strict cybersecurity and compliance policies

Data breaches are on the rise. In 2019, there were 1,506 data breaches and 164,680,000 records exposed — a record only surpassed in 2017.

Your customer, especially an enterprise customer, may choose their products based in large part on how secure they are. They may even knowingly choose a product with worse features if it promises better security or compliance. (Just think about how many times enterprises have chosen Microsoft over the startup Microsoft copied).

Don’t be on the losing end of that deal. With an IDaaS, you can leverage the trust that IDaaS has earned and promise your prospects security and compliance on their behalf. That way, those security-conscious stakeholders don’t have to worry about whether your new startup will expose all their data; they can trust BIG BRAND NAME IDAAS instead.

The same principle applies to compliance. Especially considering sweeping policies like the GDPR, it’s best to work with an IDaaS that can provide compliance out of the box.

3. Take a prospect-focused approach to choosing the right IDaaS providerTake a prospect-focused approach as you shop around for an IDaaS.

Think through which identity solutions will work for your current customers and your future prospects. This requires a little educated guesswork, but if you don’t think ahead, you’ll lag behind your customers’ needs. If you focus too much on the customers right in front of you, you’ll pick whatever identity solution works for those customers and miss planning for all the deals that lie in front of you.

A prospect-focused approach has three tiers: flexibility, scalability, and security. Each future-proofs your IDaaS decision so you can satisfy current and future prospects. You can think of the ideal IDaaS as living at the intersection of these three considerations.

Flexibility: Does the IDaaS integrate with all the tools your prospects are likely to use? Can your prospects configure IDaaS features to their needs?

The IDaaS you choose needs to be able to work with the infrastructure your prospects’ IT teams use. A cheap option from a small company might appeal to you now, but if the solution doesn’t integrate with common identity stacks, like Microsoft Active Directory, or common protocols, like SAML, then your prospects’ IT team might still say no.

Scalability: Will your IDaaS provider scale its offering as your company grows? Do its SLAs cover your projected growth? Do the pricing plans make sense?

One of the key reasons companies outsource is to get scale without needing to do the scaling themselves. When you consider an IDaaS, figure out if they can handle scaling with you as your need for identity grows. Consider, too, its SLAs and pricing plans. Many companies will promise scale, but fewer will make scale practical for you. Don’t trap yourself into working with a company that’s going to gouge you just as you start getting traction.

Security: Does your IDaaS provider have a proven track record of stopping data breaches? Does it offer the security features your prospects are likely to want?

Remember to root your purchases in the fundamental reasons for which you need them: A product without identity is a vulnerable product. Examine your IDaaS options carefully, and select for ones that have robust (and demonstrable!) security.

Authentication is important (but not that important)

All else being equal, the startup that focuses the most relentlessly will win out over the startup that drifts from distraction to distraction. A good IDaaS provider enables focus, and even a harried dev/salesperson/head of IT can find the right one.

Identity sits at the intersection of important, but not that important. What we mean by this is, on the one hand, you absolutely cannot skimp on identity. Your prospects need it, meaning your business needs it. On the other hand, it’s not core to your business. So outsource it. Find an IDaaS. Just remember these three considerations: flexibility, scalability, and security. Happy shopping!

Curious how you can work with partners to achieve greater focus? Check out how Webflow implemented SSO in a matter of hours with WorkOS.