2 Sep, 2020 | 3 min read

Identity and Access Management for Startups

  • Kushan Bhareti (Intern), WSO2

Image credits: cottonbro from Pexels

Startups range from very small to fairly large businesses and span many fields. With entrepreneurship becoming one of the hot trends of the decade, a great many startups have appeared, and many innovative ideas have been turned into businesses. Some of these startups grow into large companies, whereas many fold within a very short span of time. This doesn't stop entrepreneurs from chasing business opportunities; new startups keep showing up every day.

The rise of startups creates new jobs, and with those jobs comes a client base. Staff and clients become the stakeholders of the business, each with their own identity. Over the last decade, records have moved from paper to digital form, and many software solutions have been introduced to solve the problems businesses face. Different problems are solved by different solutions from different vendors, and managing all of them, and the accounts each one needs, can get complicated.

Modern companies are encouraged to adopt a digital infrastructure. The services that make it up need access to data, some of which is sensitive. Proper security measures are a must for protecting that data from attackers, and convenience matters alongside security: controls that get in the way get worked around. This is where identity and access management (IAM) comes into play.

Before starting on the "how", I'm going to talk about the "what". So, what exactly is IAM? In simple terms, just as the words say, it is about managing users and defining how those users are allowed to access different services. Access is granted after authentication, and the authentication method can vary with the level of security a service requires. I'll be discussing some of the features of WSO2 Identity Server that are useful for startups.

User Account Management

Every stakeholder of a business who takes part in its digital systems is a user. Even a startup needs infrastructure that can manage these users and give each of them access to only the data they need, whether the system is an internal record of jobs done or an online store run by the startup. An IAM tool gives you the upper hand when managing users, because accounts are created, changed and removed in one place rather than in every application separately.

WSO2 Identity Server offers a user management feature that can be integrated with various systems. It gives system admins the ability to add and manage users, and it also supports self-registration, where users complete the registration process themselves. WSO2 Identity Server enforces a password policy on user accounts, since the password is the most common point of attack. The admin can also set an expiry period for passwords as an added precaution (note that current guidance such as NIST SP 800-63B favours screening passwords against known-breached lists over forced periodic rotation, so use expiry deliberately rather than by default). A higher level of assurance comes from the advanced authentication methods described below: multifactor authentication (MFA) and adaptive authentication.

Single Sign On

Depending on the domain of a startup, it may rely on a number of services. These might be developed in-house or supplied by a third-party developer or vendor. Each service requires an account, so if ten apps are used, ten accounts must be created. Remembering many passwords is hard, and writing them down, saving them insecurely or reusing one password everywhere can end in a data breach. The goal of single sign on (SSO) is to let a user authenticate once, at a central identity provider, and then access multiple services without logging in again, which brings a large convenience factor into the equation. An added benefit is that once an account exists for a user at the identity provider, access to the other applications is granted automatically or can be granted by the admin with ease. With WSO2 Identity Server acting as the identity provider, a user who signs in to one of the connected applications is signed in to all of the others in the same trust network.

Federated Authentication

When you visit a website or application that requires a sign-up, the most convenient way to create the account is to sign up with Google or Facebook, isn't it? Federated authentication lets users access a service with an account they already hold at an external identity provider. It extends SSO across organizational boundaries: the external provider authenticates the user and asserts their identity to your service, which never handles that user's password. WSO2 Identity Server supports a number of external identity providers that can be used to log in to an app, including Google, Facebook, Twitter, LinkedIn and many other platforms. Startups that already run on services such as Google will find this feature very useful for delegating authentication.

Multifactor Authentication

Two factor authentication is a well known security measure used by a number of large service providers. It increases security by requiring two independent proofs of identity, commonly a password plus a secret code sent to your phone or email address. MFA generalizes this to two or more factors. The factors fall into three categories:

  1. Things that you know (passwords, PINs, etc.)
  2. Things that you have (a phone, a hardware token, etc.)
  3. Things that you are (biometrics)

WSO2 Identity Server offers a number of authentication methods that can be chained as the steps of a multifactor authentication flow. For apps that contain sensitive information, it is advisable to add such additional layers. These methods range from one time passwords (OTP) delivered by SMS or email to secret questions and biometric authentication such as a fingerprint. Note that a secret question is another "something you know" factor, so a password plus a secret question does not count as two factors; combine factors from different categories. This way, even if an attacker learns the password to one of your applications, they still have to obtain a second factor they do not hold, which substantially raises the cost of the attack.

But additional security comes at a cost. Adding more authentication steps lowers convenience, so it is important to find the right balance between security and convenience. Even so, enabling MFA for the apps connected to your startup is one of the cheapest ways to reduce the chance of a data breach, because most account compromises start with a stolen or guessed password.

Adaptive Authentication

Adaptive authentication is a way of overcoming the convenience cost of MFA while keeping its extra layer of security. It varies the steps required for authentication depending on factors such as the role of the user or the location the service is accessed from. For example, the level of assurance required for a login from a café (on a public wifi network) can differ from what is required inside an office building (on the corporate network). This is where adaptive authentication comes into play.

You get to decide who must use a fingerprint scanner to log in, and whether a second factor is required when a service is accessed from outside the office network. Still confused? Adaptive authentication lets the required level of security be set according to the scenario at hand. Even in a startup, some roles hold or have access to sensitive information and need extra layers of protection. With an increasing number of employees working from home globally, logins now arrive from networks the company does not control. Requiring an additional authentication step in those cases can save a startup from a leak of sensitive information that might lead to its eventual downfall.
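WSO2 Identity Server expresses adaptive authentication policies as JavaScript scripts that decide, after each step, whether to demand another. The block below is an added example written for this article, not code from WSO2 or its documentation: it implements the two decisions discussed above (step up for sensitive roles, and step up for logins from outside the corporate network) as a plain function that runs in Node.js, with its own CIDR matching. The network ranges and role names are constructed sample values, and the WSO2 hook names shown in the trailing comment (onLoginRequest, executeStep, context.request.ip, context.currentKnownSubject) are assumed from the product's script API and are not exercised here.

```javascript
"use strict";

// Constructed sample corporate ranges; replace with your own office/VPN networks.
const CORP_NETWORKS = ["10.20.0.0/16", "192.168.100.0/24"];

// Constructed sample roles whose holders must always complete a second factor.
const SENSITIVE_ROLES = ["admin", "finance"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Multiplication instead of shifts keeps the result unsigned above 2^31.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error("bad octet in " + ip);
    return acc * 256 + n;
  }, 0);
}

// True if ip lies inside the CIDR block (e.g. "10.20.0.0/16").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!(bits >= 0 && bits <= 32)) throw new Error("bad prefix length in " + cidr);
  // A shift by 32 is undefined in JS, so /0 (match everything) is special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isCorporateIp(ip) {
  return CORP_NETWORKS.some((cidr) => inCidr(ip, cidr));
}

// Decide which authentication steps a login must complete.
// Step 1 is username/password; step 2 is the second factor (TOTP, SMS OTP, ...).
// The reason is returned alongside so the decision can be logged for audit.
function requiredSteps(user, requestIp) {
  const steps = [1];
  let reason = "basic login from corporate network";
  const sensitive = user.roles.some((r) => SENSITIVE_ROLES.includes(r));
  if (sensitive) {
    steps.push(2);
    reason = "sensitive role always requires second factor";
  } else if (!isCorporateIp(requestIp)) {
    steps.push(2);
    reason = "login from outside corporate network";
  }
  return { steps, reason };
}

// Assumed wiring into a WSO2 Identity Server adaptive script (hook names taken
// from the product's script API and not verified or run here):
//
// var onLoginRequest = function (context) {
//   executeStep(1, {
//     onSuccess: function (context) {
//       var user = context.currentKnownSubject;   // roles via the product's hasRole() helper
//       var decision = requiredSteps({ roles: user.roles }, context.request.ip);
//       if (decision.steps.indexOf(2) !== -1) { executeStep(2); }
//     }
//   });
// };

// Stand-alone demonstration with constructed inputs.
console.log(requiredSteps({ roles: ["staff"] }, "10.20.5.7"));
console.log(requiredSteps({ roles: ["staff"] }, "203.0.113.9"));
console.log(requiredSteps({ roles: ["admin"] }, "10.20.5.7"));
```

Two design points worth keeping when you adapt this: reject malformed addresses instead of treating them as "not corporate", since a failure that silently skips the step-up is exactly the kind of bug an attacker looks for; and make the sensitive-role rule take precedence over the network rule, so an admin on the office LAN still presents a second factor.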


Having an IAM system from the start pays off in the long run: the company moves ahead on a solid infrastructure with the capabilities it needs to expand, avoiding identity silos that are painful to merge later. It also acts as a layer of security that protects data from attackers. WSO2 Identity Server offers the features described above and more. The most important point for a startup looking for a proper IAM system at low cost is that WSO2 Identity Server is open source and can be downloaded freely for a number of platforms.

But all free things come with minor setbacks, and the setback here is that you will have to set up WSO2 Identity Server yourself. Not to worry. WSO2 provides an introductory course on Udemy covering how to set up WSO2 Identity Server and configure the different authentication methods. And if you are willing to bear a cost, there is a subscription-based model under which WSO2 sets up WSO2 Identity Server for you and provides support for any requirements that show up along the way. Check out WSO2 Identity Server today!