In this article, product managers can learn more about SaaS authentication best practices and how to secure their applications while focusing on providing the best user experience.
What is a SaaS business model?
The Software as a Service (or SaaS) business model uses a software licensing and delivery method in which software is offered on a subscription basis and is centrally hosted.
The SaaS model brings several business advantages, shifting from traditional client-server applications (which require installation of software on users’ devices) to Web applications (which only need a web browser to use). In addition, SaaS services can utilize a multi-tenant architecture, in which the application serves multiple businesses/users and partitions its data accordingly.
SaaS also has a flexible business model, allowing companies to pay based on setup time, usage, low-cost user provisioning, easy customization, and instant deployment — transforming SaaS business into the most common delivery model for business applications. Today, office, messaging, accounting, human resources, development, gaming, virtualization, and many other software applications are delivered under the SaaS model.
Who is responsible for SaaS security?
The responsibility of securing end-users data is shared between the public cloud vendors and organizations. SaaS providers maintain infrastructure and app security while organizations are responsible for securing data and access to it.
Given the universality and market segment of SaaS applications, understanding the security responsibilities of SaaS teams and acting by international security standards are vital in protecting a company’s reputation and gaining customers’ trust.
Below we address the most commonly asked questions from security, IT, infrastructure, and product teams about how to implement SaaS authentication and secure their SaaS-based organization and products.
What is SaaS authentication?
SaaS authentication refers to account protection of applications where providers can opt for various account security measures like Single Sign On (SSO), Security Assertion Markup Language (SAML) coupled with 2FA/MFA flows, identity governance, and administration (IGA) solutions to enhance security and avoid account takeover.
How do I protect my SaaS application?
94% of enterprises use the cloud, and companies handling sensitive data and business processes such as records, transactions, or pricing information must implement proper security policies, access control, and risk management systems.
Understand risks and mitigate them
A first step in securing your SaaS application is understanding the risks your business is exposed to. Ranging from account takeovers, phishing, identity theft, up-to-date security standards, zero-day attacks protection, compliance, audits, and even the ack of security knowledge of workforce and customers. Once you’re clear on the risks, create a security review checklist and constantly invest efforts to eliminate or minimize the exposure wherever possible.
Educate employees and adopt strong IAM policies
Protect your employees by educating them through extensive training programs, adopt a zero-trust policy, enforce data loss prevention (DLP) technologies and follow identity and access management processes. Through risk- or role-based authentication, 2FA, or security awareness programs for your workforce, you can drastically reduce access to valuable company assets and information.
Implement encryption on transmission (encryption in transit) and stored data (encryption at rest) to protect it from unauthorized or inaccessible users. Encrypted data guarantees (before supercomputers will become accessible) that even if malicious actors gain access to it, they will not be able to decrypt it without the encryption keys. Additionally, make sure all interactions with the servers take place over TLS (Transport Layer Security) transmission.
Top 5 popular authentication methods
Typing biometrics or keystroke dynamics is a type of behavioral biometrics that relies on analyzing users’ typing patterns. The typing patterns differ from one individual to another, and particularities can be found when looking at the duration of pressing a key (“press time”) and how long it takes a user to find the next key (“seek time” = key1 down to key2 down). Typing patterns are determined based on keystroke dynamics analysis of the 44 keys used most of the time. Typing biometrics can also be coupled with other technologies and incorporated sensors.
Authentication based on typing biometrics comes with a multitude of benefits for end-users. The seamless user experience in the authentication process relies on an inherent factor that does not require any particular actions performed by the user. Also, the prevalence of keyboards, be it on mobile or desktop environments, makes the adoption accessible at a very large scale.
Benefits of using TypingDNA Verify 2FA
TypingDNA’s biometrics-based technology enhances account security while minimizing friction for customers and employees.
Users demand better UX in the authentication process. More and more, data shows how a burdensome onboarding experience can generate early-stage churn. With TypingDNA Verify 2FA, your users will be able to authenticate in less than 5 seconds by typing four short words.
Verify 2FA solution can be set up in less than 10 minutes, which means you won’t need to tie up valuable development resources. Scroll through our step-by-step tutorials and see how you can create a secure authentication flow in no time.
No hardware needed
Our typing biometrics-based technology works without the need for special hardware or sensors, nor do your users have to install any app on their smart devices to log in.
Free for 1000 users
Try Verify 2FA with our new Starter plan and authenticate 1,000 users each month at no cost. And when you’re ready to scale-up your user base, you’ll pay just 1 cent per user, with unlimited authentications. Sign up here or try a live demo.
Time-based One-time Password (TOTP) via SMS
SMS 2FA is one of the most used verification methods in authentication flows. However, users have to find their phone, wait for the SMS to arrive, and then manually type the one-time passcode into their computer — and do it all before the time-sensitive SMS OTP expires. This method is also one of the least secure as more and more reports have shown how easily SMS OTPs can be hacked or compromised. SMS authentication should therefore be one of the other multiple factors to be used and never the only additional factor in any circumstances. Regarding the ease of use and speed of authentication, this method drastically lags behind, especially since users have to switch devices and manually introduce codes, which creates a burdensome user experience and can lead to increased churn rates.
Time-based One-time Password (TOTP) via Email
Like the SMS OTP, the Email OTP is valid for a limited time. However, instead of receiving the code via SMS, the user has to provide a valid email address associated with the login. Unfortunately, this method is one of the least secure due to the sensitive information contained in most email accounts. If an intruder hacks into an email inbox, they’ll potentially compromise all other accounts associated with it, including those using OTP for identity verification.
Hash-based Message Authentication Code (HMAC) or HMAC-based One-time Password (HOTP) is a code generating algorithm used by hardware tokens like YubiKey to provide codes for identity verification. The generated code will be active only until the subsequent authentication request, while the code generator and the server must be synced to validate the code.
The method is considered highly secure and often complies with FIDO protocols for standard public essential cryptography techniques to provide stronger authentication. Still, the downsides come from the lack of adoption outside the desktop environment (most hardware tokens are connected via USB) or the high costs associated with every device, sometimes reaching even 50 USD for each token device. This makes the HOTP devices an option for corporations, but the most unpopular authentication method among the elderly or consumer-based products.
QR code authentication
QR code authentication is usually used for logins in apps or transaction validation. QR code-based authentication is part of 2FA or MFA, and the method only differs from SMS or email OTP by creating a new medium of communicating the code. Most authenticator apps generate time-based, one-time passcodes (TOTP or OTP) and usually six digits that refresh every 30 seconds. The generating algorithm falls under the same HMAC-Based One-Time Password (HOTP) standard.
Authenticator apps must first be installed by the user on a smart device equipped with a camera capable of scanning the QR code that pops up during the login process or transaction validation. This method has gained momentum in the past year, being more and more popular among consumers.
Security is never 100% guaranteed, no matter the authentication method chosen. Therefore, when choosing an authenticator app, users should ensure the app has an encrypted backup to restore the data once the device is lost or unavailable. Also, unlike Android, which prevents screenshots from being taken when an authenticator app is open, be aware that iOS allows screenshots, and users are not protected.
What is the least secure authentication method?
Single-factor authentication is the least secure. Usually, username and password pairs are the easiest to compromise to access user’s accounts. Brute-force attacks or “password spraying” are the most common methods used for account takeovers. Credential stuffing is a form of cyberattack in which a list of credentials obtained from a data spill becomes available for sale or free download. Credential stuffing comes from the large-scale testing (i.e., stuffing) of mass-stolen credentials (i.e., usernames and passwords), usually on top-rated popular social media platforms, food delivery services, and transportation apps. Verizon estimates that 81% of hacking-related incidents are due to compromised passwords.
Adding a second factor (or “method”) of authentication makes it harder for malicious actors to gain access to accounts. While adding SMS OTP as a second factor may help, it is still insecure due to the following vulnerabilities:
- SIM swapping: malicious actors contact a phone company and (using the personal information they have collected about a target, like an SSN) request that a phone number be transferred to another phone
- SIM hacking: malicious actors can spoof cell phone towers by intercepting signals and SS7 hack systems and access information contained in private messages
- Social engineering attacks: attempts to convince targets to unknowingly hand over their personal information and passwords—including SMS codes
In its Digital Identity Guidelines, the National Institute of Standards and Technology recommended that companies and government agencies revoke the use of SMS as the channel for out-of-band verification, acknowledging the vulnerabilities of such authentication methods. Instead, other factors like biometrics or smart cards, and other hardware tokens are recommended. Therefore, we strongly advise using SMS OTP only as an additional secondary factor and not a de facto authentication factor.
Best practices for SaaS authentication
Ideally, best practices for SaaS authentication combine robust access control with identity management. After creating user identities, IT departments will have to consider the depth of access to various portfolios of apps. Implementing single sign-on is the first step to managing authentication. The next step is assessing who will access which data, defining the user’s role, and deploying cross-app authentication and sophisticated account protection like 2FA and MFA.
Best practices in SaaS applications authentication will consider various security measures like Single Sign On (SSO), Security Assertion Markup Language (SAML) coupled with 2FA/MFA flows, identity governance, and administration (IGA) solutions to enhance security and avoid account takeover.
Authentication as a service or Identity Access Management as a Service (IDAS)
Authentication as a service (AasS) refers to providers that enable organizations to deploy identity and access management for their applications and servers. Among the SaaS authentication solutions in the cloud, AasS provides 2FA, MFA, or SSO and password management in the cloud.
Authentication as a Service solutions ensure data protection and privacy by applying different protocols and encryption algorithms like Lightweight Directory Access Protocol (LDAP), SSH authentication, and Security Assertion Markup Language (SAML) based authentication.
If your company already uses a popular IAM provider, check out the Built with TypingDNA integrations page to see how to easily add typing biometrics-based authentication to your flow.
Bonus in our latest tutorial, you’ll see how to quickly add TypingDNA Verify 2FA to your Okta account: