Given the historical hacking of major cloud-based authentication and authorisation providers such as Okta and Auth0, I think CISOs and CTOs need to seriously reconsider the risks they expose themselves to by utilising such services. Those providers remaining a focus for attackers is almost certain, because they keep adding features and services that keep enlarging their attack surface. Add to that the ongoing tendency of every business to grow its own internal use of third-party SaaS services (any CISO will recognise this: a new essential "must have" service seems to crop up once a week) and you will see I am not exaggerating in my analysis. If you don't believe me, I defy you to find a major commercial cloud auth provider that hasn't suffered some form of harmful breach in the last two years…
Now I know the cloud-based auth providers will say they can be trusted to be secure, but there is no getting away from the fact that you are trusting a third party operating in the cloud with a core security function: authenticating the people (and systems) that have access to your internal services. You may also be using the same provider to authenticate the users of your own SaaS services. At the very least you need to seriously consider the risk of relying on one sole supplier for all your authentication needs: second-sourcing arrangements need to be in place, and your public-facing and corporate authentication systems need to be kept separate and isolated from each other, so that a compromise of one does not hand over the other.
Now add to that the ongoing cost base, which is usually around $70 USD per month per 1,000 active users, and it doesn't take long for the cost to get into four or five figures. If you require more advanced features (such as multi-factor authentication, fine-grained roles, etc.) then you can be looking at north of $400 USD per month per 1,000 active users, and costs escalate even faster. At that point you should be seriously considering the cost/benefit ratio, whilst also factoring in the following:
- Data privacy controls – Where exactly does your data sit? What is its lifecycle? Which government regulations apply to it?
- System resilience – What is their uptime? What happens if they go down? What is plan B?
- Supplier dependency and second sourcing – How easy is it to change provider? Have you integrated with them in a way that allows that (through standard protocols such as OpenID Connect or SAML rather than a vendor-specific SDK)?
- Internal competencies – Should your organisation have stronger in-house security skills? What other risks could you manage in house?
The fourth point above is perhaps the most significant: if you keep offloading critical elements of your security infrastructure to a third party, you deny yourself the ability to build internal competencies, not just in security but in general technical development as well, which could cost you competitive advantages going forward (i.e. no ability to usefully differentiate or innovate). In effect you don't know what you don't know, and this can be a very expensive form of ignorance. Now add to this that open source is actually quite mature in this space: it is no longer a question of having to hand-code such services, as they often come pre-packaged with extensive support and documentation.
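As an added example of what integrating "in a way which allows" a change of provider looks like in practice (this is my illustration, not code from the post or from any of the products listed below): a relying party that validates OpenID Connect ID tokens purely against the standard claims and a table of configured issuers, so that a second supplier can be added, or the primary swapped, without touching application code. It assumes, hypothetically, HS256 ID tokens signed with the client secret (which OIDC Core permits) so that it runs on the Python standard library alone; the issuer names, client ID and secrets are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

# Added example, not code from the original post or any product it lists.
# The relying party trusts only the standard OIDC claims plus a table of
# configured issuers, so adding a second IdP or swapping the primary is a
# config change. Assumption (hypothetical): ID tokens are HS256-signed with
# the client secret; RS256 via the IdP's JWKS is more common but needs a
# crypto library, so this stays standard-library only.

@dataclass(frozen=True)
class Provider:
    issuer: str    # must equal the token's "iss" claim exactly
    audience: str  # our client_id; must appear in "aud"
    secret: bytes  # HS256 key (client secret); constructed for this example

class TokenError(Exception):
    """Any token that must not be accepted."""

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def mint_id_token(provider: Provider, claims: dict, alg: str = "HS256") -> str:
    """Constructed stand-in for an IdP token endpoint, used only to build sample
    tokens offline; alg="none" yields an unsigned token for the negative test."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(provider.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_id_token(token: str, providers: dict, expected_nonce: Optional[str] = None,
                      now: Optional[float] = None, leeway: int = 60) -> dict:
    """Validate an ID token against whichever configured provider issued it.
    Order matters: pin the algorithm, pick the key by issuer, verify the
    signature, and only then trust the remaining claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token")
    # Never let the token pick its own algorithm ("none", RS/HS confusion).
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise TokenError("malformed header or unexpected alg")
    provider = providers.get(claims.get("iss"))
    if provider is None:
        raise TokenError(f"unknown issuer {claims.get('iss')!r}")
    expected = hmac.new(provider.secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    aud = claims.get("aud")
    if provider.audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise TokenError("token not yet valid")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    return claims

# Two IdPs configured side by side (second sourcing); names and secrets constructed.
PROVIDERS = {p.issuer: p for p in (
    Provider("https://idp-primary.example", "my-app", b"primary-secret"),
    Provider("https://idp-backup.example", "my-app", b"backup-secret"),
)}

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over constructed tokens; returns the outcome per case."""
    primary, backup = PROVIDERS["https://idp-primary.example"], PROVIDERS["https://idp-backup.example"]
    base = {"sub": "alice", "aud": "my-app", "iat": now, "exp": now + 300, "nonce": "n-1"}
    cases = {
        "primary_ok": mint_id_token(primary, {**base, "iss": primary.issuer}),
        "backup_ok": mint_id_token(backup, {**base, "iss": backup.issuer}),  # failover IdP accepted
        "expired": mint_id_token(primary, {**base, "iss": primary.issuer, "exp": now - 3600}),
        "wrong_aud": mint_id_token(primary, {**base, "iss": primary.issuer, "aud": "other-app"}),
        "alg_none": mint_id_token(primary, {**base, "iss": primary.issuer}, alg="none"),
        "cross_key": mint_id_token(backup, {**base, "iss": primary.issuer}),  # backup's key, primary's iss
        "unknown_iss": mint_id_token(primary, {**base, "iss": "https://idp-rogue.example"}),
    }
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, PROVIDERS, expected_nonce="n-1", now=now)
            results[name] = "accepted"
        except TokenError as err:
            results[name] = f"rejected: {err}"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

Running it prints one line per case: the token from the backup issuer is accepted on exactly the same path as the primary, while the expired, wrong-audience, unsigned ("alg": "none"), cross-keyed and unknown-issuer tokens are all rejected. With a real IdP you would select the verification key from its JWKS by `kid` rather than from a static secret, but the claim checks and their order stay the same, and nothing in the application depends on which vendor sits behind the issuer URL.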
You will note I have also added VPNs to the list below; again there are lots of commercial solutions available, which again use the per-seat per-month charging model. To me the security of your VPN solution is just as critical as your AuthN and AuthZ solutions: a failure here would provide unfettered access into your corporate systems.
Open Source Solutions
To prove the point I will list a few open-source authentication libraries/systems that can do the job for you.
1) Keycloak – full framework
Keycloak is free to use and provides a single sign-on (SSO) solution, allowing authentication to multiple applications from one place. Keycloak can broker identity from a range of upstream identity providers: OpenID Connect and SAML 2.0 compliant identity providers, Kerberos, or even social networks (Google, GitHub and Facebook). You can also federate users from your corporate Active Directory or LDAP, or store them in a database.
Keycloak comes with extensive account management, including allowing users to set up two-factor authentication. Admins control all features and can set up fine-grained policies.
Installation can be either directly on a server or in a container; it runs on OpenJDK. It can be hosted on your local network or in your cloud environment as a completely stand-alone, self-managed solution.
Keycloak is ideal for wrapping an SSO solution around existing apps and services that have the right hooks (an OpenID Connect or SAML client integration) to allow you to do so.
2) ZITADEL – full framework
ZITADEL is an open-source authentication framework that supports multi-tenancy out of the box, allowing you to use it for a SaaS application serving multiple customers, each with their own set of logins to manage and integrate into their single sign-on framework. It supports OpenID Connect, OAuth 2.x, SAML 2, LDAP, passkeys/FIDO2 and OTP. It also includes JWT profiles, personal access tokens (PATs) and client credentials for machine-to-machine auth, plus an API for custom integrations and event propagation.
It can be installed to run natively on Linux and macOS, and in containers under Docker, Knative and Kubernetes. You can also use their ZITADEL Cloud solution for a fee.
3) Hanko.io – app framework
Hanko is an open-source authentication framework built around passkey-based authentication. It consists of a set of APIs and UI components that allow you to quickly build authentication into your applications. Authentication is supported using passkeys, passcodes, mobile biometrics, FIDO security keys, OAuth SSO and passwords.
You can choose either to self-host or to use their Hanko Cloud offering for a fee.
4) SuperTokens – app framework
SuperTokens allows you to add secure login and session management to your apps. SDKs are available for many languages and front-end frameworks; it consists of three main parts, the Frontend SDK, the Backend SDK and the SuperTokens Core, allowing flexible integration with minimal coding.
SuperTokens supports authentication via passwordless, social, email/password and phone/password login. Multi-factor authentication is also supported, as are multi-tenancy and organisations.
The SuperTokens Core is Java based and is available as a prebuilt binary or Docker image for deployment.
5) Pritunl – OpenVPN gateway
Pritunl is an open-source VPN gateway with lots of useful features. Its security features include TPM and Apple Secure Enclave device authentication, a dynamic firewall, SELinux policies and a dual web server design. It works with multiple cloud providers to deliver VPC peering.
You can also set up two-step authentication using a Yubico YubiKey, a Duo hardware token, a push notification to a mobile phone via an app, or the Google Authenticator app.
Installation is via packages that are available for most Linux/Unix platforms. VPN clients are available for all major operating systems.
Pritunl also supplies Pritunl Zero, an open-source BeyondCorp server that provides zero-trust security for privileged access to SSH and web applications via user public keys. Roles can then be assigned to users using Auth0, Azure, Google, Okta or OneLogin sign-on. Again, secondary authentication can be performed via Duo, OneLogin Push or Okta Push.
Conclusion
So please, stop putting all your auth eggs in someone else's basket; take back control of your AuthN and AuthZ. It will likely reduce costs and reduce your attack surface at the same time, and it also builds your in-house technical security skills.
Also, did you know that if you are on Microsoft Azure or Microsoft 365 cloud subscriptions, Entra ID Free is included, which provides MFA, SSO and self-service password change? Yes, for free; in fact Microsoft goes out of its way to provide wizards and documentation to make it as easy as possible to get SSO going. For a small to medium-sized business this is a true gift.
By the way, if you are on Google Workspace, you can also set up SSO.
Addendum
We should also not forget that a number of SaaS products charge significantly more just for turning on SSO integration support; have a look at the SSO Tax website. For just having SSO turned on you get charged anywhere from 1.5 to 10 times the non-SSO rate. Remember, once SSO is implemented in the product code base there is near zero marginal cost to make it available to all customers; it's not as if a whole new distinct code base is required to support SSO. If an application can support HTTPS without charging more, it can support SSO as standard for no extra cost. I suggest you demand that SSO is included as standard and vote with your feet.