I would like to discuss a topic that comes up often as I talk to development teams regarding what they should do about identity requirements for their application. Development teams are in the unique position where they can truly choose whether to build or buy the functionality they need for their application.
The usual trade-offs often apply here, as there is rarely an answer that satisfies all scenarios. Often it comes down to “it depends.” Nevertheless, this is an ongoing debate where your mileage may vary, depending on an array of context that is hard to capture in a blog. Here are the typical arguments of a company grappling with a build vs. buy decision, and the high-level pros / cons.
Should you buy or build your identity services? A quick overview of the differences between the two approaches:
Building a Solution
Buying a Solution
Now this is intentionally generic, but I would like to take this a step further for specific cases when a development team is considering building their own identity service.
For the past two decades, a number of companies have chosen this path because their requirements were unique—and frankly, no product out in the market could meet their use cases. And for those teams that did choose to buy, as their service matured and the business required support for more use cases, they built on top of the COTS products to meet the requirements.
I want to highlight a few of the challenges faced over the years as a “warning” to those considering embarking down this road.
Top identity challenges
Identity is complicated Walking through all the permutations of an identity service can make your head hurt. From registering new accounts while providing verification, to allowing some users to log in with one factor or social login while allowing others to elect to use two factors occasionally, to handling situations where users forget their passwords....not to mention enabling users to change their passwords and usernames, or manage their second factor. Then there’s creating and enforcing password policies, managing account lifecycles, and locking accounts out after failed attempts.
The days when you could start building your application with just a form that accepts username / password and a user table are gone.
Security is hard The scenarios covered above are the positive, typical use cases and what your system will mostly see. In addition, you have to protect against attacks, such as registration bots creating dummy accounts and hackers brute forcing password attacks, or detect when a user’s account has been hijacked through account recovery because their email account has been compromised.
Then you have to consider when an identity is successfully authenticated and determine what they are authorized for. You have to look at what profile data can be shared or which applications they can have access to. Authorization rules can be based on groups, roles or attributes, or business proprietary logic, depending upon your business needs.
Building this adds to the complexity and time to bring your secured application to market.
Authentication is changing fast New standards are hitting the market to improve the security of authentication, like FIDO2, and are organizations like NIST SP 800-63-3 are updating the best practices for identity and access management (IAM). Questions like the following arise: “How do I introduce the concept of assurance levels into my identity service?”
And these days, ideas like passwordless authentication are buzzing around your business counterparts, who are asking you when can you build it. Customers and employees alike will want to not have to enter, remember or change their password again!
Getting identity right at the start As a development manager you have a lot to take into account, both in the short term and looking down the road, when considering either building or buying an identity service. Outside the typical trade-offs around build vs. buy, over the long haul it will pay off to find a trusted partner to build your application with. A company that understands where you are today and has a path for you to mature into will help you do identity right from the beginning—a necessity, because unwinding a poor choice can take years.