Thinking about rolling your own user management system? It’s not as easy to get right as you might expect, and getting it wrong could spell disaster for your application. Consumer loyalty is dropping, and users are becoming more sensitive to privacy and security concerns relating to their personally identifiable information (PII). As these user concerns grow, so do the risks associated with a failure of your user management system.
All customer-facing applications require a common set of basic features to facilitate access or authentication. These features typically include account creation, session management, and password reset. Along with authentication, applications also need to define and enforce varying levels of user access control, or authorization. User management describes the entire Identity ecosystem, from authentication and authorization to the storage and security of user data, as well as more advanced features like single sign-on, unified Identity, connection to Identity systems like Active Directory, and social login.
With many developers still electing to “roll their own” user management services, we’d like to explore some of the most common mistakes made when planning such a mission critical aspect of your application.
When scoping user management for a new application, many teams focus on authentication. This can lead them to overlook the complexity of sophisticated and secure authorization, which is inherently harder to build and takes an order of magnitude longer to implement.
Within your application, you could have a variety of user groups and roles or a permission-based schema. You might need to authorize a user for twenty different resources when they log in, or maybe the application you’re building needs to support multi-tenancy. Building a sophisticated and sound authorization scheme is incredibly difficult; we have seen many teams underestimate this work and find themselves late in a project plan, struggling to implement a complicated user model.
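The tenant-scoped, permission-based model described above, as an added example that is not Stormpath code: the role table, the `resource:action` permission strings and the sample users are constructed for illustration. The point it demonstrates is that the check must deny by default and must look up roles in the tenant that owns the resource, so a role held in one tenant never grants access in another.

```python
"""Tenant-scoped, deny-by-default authorization check (added example)."""
from dataclasses import dataclass, field

# Role -> set of "resource:action" permissions. Constructed sample schema.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read", "report:read"},
    "editor": {"invoice:read", "invoice:write", "report:read"},
    "admin": {"invoice:read", "invoice:write", "invoice:delete",
              "report:read", "report:write", "user:manage"},
}


@dataclass
class User:
    user_id: str
    # Roles are granted per tenant: a user may be admin in one tenant,
    # a viewer in another, and have no access at all elsewhere.
    tenant_roles: dict = field(default_factory=dict)  # tenant_id -> set of roles


@dataclass
class Resource:
    tenant_id: str
    kind: str


def permissions_for(user: User, tenant_id: str) -> set:
    """Union of the permissions granted by the user's roles in one tenant."""
    perms = set()
    for role in user.tenant_roles.get(tenant_id, set()):
        # An unknown (stale or mistyped) role grants nothing: fail closed.
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, action: str, resource: Resource) -> bool:
    """Deny unless the required permission is granted in the resource's tenant.

    The tenant is taken from the resource, not from the caller, so roles
    held in a different tenant cannot leak across the partition boundary.
    """
    required = f"{resource.kind}:{action}"
    return required in permissions_for(user, resource.tenant_id)


if __name__ == "__main__":
    # Constructed sample: alice is admin at "acme" but only a viewer at "globex".
    alice = User("alice", {"acme": {"admin"}, "globex": {"viewer"}})
    print(is_authorized(alice, "delete", Resource("acme", "invoice")))    # True
    print(is_authorized(alice, "delete", Resource("globex", "invoice")))  # False
    print(is_authorized(alice, "read", Resource("initech", "invoice")))   # False
```

Every permission is a positive grant and the check has no implicit allow, so adding a new resource kind or action without a corresponding role entry leaves it inaccessible until someone deliberately grants it.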
Profile management focuses on managing the lifecycle of the user’s identity data. It includes such capabilities as creation, validation, augmentation, maintenance, usage, and end-of-life, as well as authorization data like roles and permissions. The customer lifecycle begins with your first user and your system needs to be ready for what your application knows about them to grow.
If your doors aren’t open, you aren’t making money.
A failure of user management in your application can have similarly disastrous results: users flee to your competitors. And if that flight is the result of a security breach, you can expect to incur significant costs in fines and recompense.
Consumer loads for registration and login are inherently unpredictable, and customers are highly sensitive to application availability, not just ease of use. Today’s web and mobile users require identity features that don’t simply account for total user volume, but also factor in peak usage vs. capacity, so they can log in when it matters to them.
For example, Walmart’s mobile development team focuses on Cyber Monday, when a peak volume of visitors hit their app. Consider similar scenarios within your user community and plan to manage surge volume to multiple nines of availability, and scale infrastructure with your user base. This includes double and even triple redundancy as well as provisions for seamless upgrades and maintenance designed to ensure zero service interruptions.
Password hash maintenance is one of the best examples of an underestimated burden of homegrown systems. The accepted recommendation is that password hashing algorithms are updated at least annually. We rarely see an incoming client with a homegrown system who has committed even one update to their hashes. Solutions here are simple: commit to constant updates to the latest password hashing algorithms, or turn to a user management service like Stormpath, whose core business function is user security for your application.
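One way to make the "update your hashing algorithm" commitment mechanical, as an added example that is not Stormpath code: each stored record carries a version tag, a table pins the algorithm and work factor for every version, and a stale record is re-hashed with the current parameters the next time its owner logs in (the only moment the plaintext is available). The version table, record format and the sample credentials are constructed; PBKDF2 from the standard library is used so the example runs without dependencies, where a production system would normally rely on a maintained library such as argon2-cffi or passlib.

```python
"""Versioned password hashing with upgrade-on-login (added example)."""
import base64
import hashlib
import hmac
import os

# Each version pins an algorithm and work factor. Adding a new entry is
# the periodic update: old records keep verifying and migrate on login.
HASH_VERSIONS = {
    1: {"alg": "sha256", "iterations": 10_000},   # assumed legacy setting
    2: {"alg": "sha256", "iterations": 600_000},  # assumed current setting
}
CURRENT_VERSION = max(HASH_VERSIONS)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, version: int = CURRENT_VERSION) -> str:
    """Return a self-describing record: v<version>$<salt>$<digest>."""
    params = HASH_VERSIONS[version]
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(params["alg"], password.encode("utf-8"),
                                 salt, params["iterations"])
    return f"v{version}${_b64(salt)}${_b64(digest)}"


def record_version(record: str) -> int:
    return int(record.split("$", 1)[0][1:])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters the record names; compare in constant time."""
    version_tag, salt_b64, digest_b64 = record.split("$")
    params = HASH_VERSIONS[int(version_tag[1:])]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(params["alg"], password.encode("utf-8"),
                                 salt, params["iterations"])
    return hmac.compare_digest(actual, expected)


def login(password: str, record: str):
    """Return (ok, record_to_store).

    On a successful login with a stale record the plaintext is in hand, so
    the record is re-hashed with the current parameters. On failure the
    stored record is returned unchanged, so nothing is rewritten.
    """
    if not verify_password(password, record):
        return False, record
    if record_version(record) < CURRENT_VERSION:
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a record written under the legacy parameters.
    legacy = hash_password("correct horse battery staple", version=1)
    ok, migrated = login("correct horse battery staple", legacy)
    print(ok, record_version(legacy), "->", record_version(migrated))  # True 1 -> 2
```

A scheduled report of how many records still carry an old version tells you how far the migration has progressed; accounts that never log in keep their old hash, which is the usual argument for forcing a reset on long-dormant accounts once the legacy parameters are considered too weak.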
It’s that simple. Application infrastructure like user management doesn’t command the best, or frequent, engineering attention. This remains true in maintenance mode.
Our best advice is to plan ahead. Launch a system that can grow with your organization and application for years to come, either through fully scoped homegrown services, or a dedicated Identity service. If you do build in-house, keep these two important elements in mind:
More and more, customers demand mobile. Whether or not you’re planning to launch with a dedicated mobile version of your web app, you need to plan for a unified multichannel user experience. When you begin to scope your user management protocols, don’t overlook the importance of a consistent consumer experience for self-registration, login, profile management, password reset, and so on, even if you haven’t built a mobile app yet.
User management, specifically building authorization functions, is one of the highest-risk areas for cost overruns, because these complexities are so often underestimated. Before a launch, corners get cut, which leads to costs exploding in maintenance. Even teams who succeed at accurately estimating development costs may overlook maintenance costs, such as updating social login or SAML integrations for changes in the underlying platforms.
Even with the heavy resource burden, risk, and complexity, many companies still choose to build these services in-house. It’s certainly an achievable prospect, but it’s also extremely expensive. For example, Salesforce and LinkedIn each have over 25 dedicated specialists on staff to manage their homegrown solution, and that’s just maintenance, not the engineering resources required for the initial build. Even with this investment, LinkedIn is still suffering from the repercussions of a costly security breach.
Enter third-party user management services like Stormpath, and a bonus mistake: The belief that the decision to roll your own is irrevocable.
The majority of our clients come from this exact position. They started with a homegrown system and eventually discovered that it didn’t scale, wasn’t secure enough, or was simply outside their capacity to maintain, so they switched to Stormpath.
At the end of the day, the basics of authentication might be simple, but advanced features require considerably greater effort to build: roles, permissions, single sign-on support, customer data partitioning, token authentication, two-factor authentication, social login, and LDAP/Active Directory integration.
We offer an advanced, developer-centric service that can be implemented in minutes. The Stormpath REST API lets developers quickly and easily build a wide variety of functions they would otherwise have to code themselves, including:
- Sophisticated authorization support, with caching for maximum performance
- Token authentication and revocation with JSON Web Tokens and OAuth2
- Native support for multi-tenant applications, with pre-built partitioning of customer data
- Comprehensive documentation and commitment to customer care—even for free developer accounts
- Robust and highly idiomatic SDKs
Management can rest easy knowing user data and workflows are handled the right way, while users get a seamless, secure experience across applications. Check out our REST API Product Documentation, download our Build vs. Buy whitepaper, or sign up and get started right now!