We all use Software-as-a-Service (SaaS), whether it’s for work or in our personal lives. From Dropbox to Salesforce, cloud services have been replacing their offline variants for nearly two decades now. Especially in the last 10 years, the deployment of SaaS has skyrocketed in business, making accounts easily accessible from any number of devices, and boosting productivity in the enterprise as more employees are able to work remotely, access their data from mobile devices… and share information. The problem is, once we start sharing information it’s only a short cry from sharing the accounts themselves, and then we can quickly lose track of who is actually using the accounts that have our names attached to them.
Accountability and Attribution
There are two critical problems when we start sharing our SaaS accounts: Accountability and attribution. When we start sharing access to our business SaaS accounts with coworkers, our employers lose the ability to track who’s doing what work, and providers are unable to accurately track their number of users – an issue that is complicated by per-user payment models.
An additional problem that spawns from SaaS account sharing is that the users themselves can become confused about what work is being done by whom. This can cause data redundancy and further confusion, such as skewing sales numbers.
Of course, for SaaS providers, this is a bigger concern because it means they can’t accurately bill or track users for sales and growth projections.
Solving Account Sharing with Authentication
The reason SaaS accounts can be shared so easily is that they often only rely on usernames and passwords for credentials, or at best, two-factor authentication (2FA). But when a user shares their credentials, they can share the One-Time Password (OTP) generated for 2FA just as easily. Just like an actual security breach, the security that a password and OTP provides is negated, and you no longer have any way to attribute the work being done on the account. That’s why we need strong forms of authentication for account logins.
One way to eliminate this problem is to integrate multi factor authentication (MFA) with biometrics for user login. Instead of typing in a password to access their SaaS account, users would need to authenticate with their fingerprint or face, for example. This can be used in conjunction with other factors, including a password, for MFA, but even as a stand-alone authentication factor biometrics provides the one thing missing from SaaS – irrefutable proof of who the person logging in is.
Eliminating passwords using biometrics is a way to optimize security that also provides legal non-repudiation, proof beyond-a-doubt that the person performing an action is who they say they are. Adding this level of authentication to SaaS can solve all of the problems mentioned above while adding a new level of security and convenience to the service.