Auth Needs From MVP to IPO: The Different Stages of User Authentication
The authentication requirements of a product change over time. When you first start out, you may only want to let a select set of beta customers into your product. Later on, you may need to worry about onboarding all the employees at a large customer onto your product at once.
If you’re thinking about using an external service to manage your authentication or developing one in-house, you’ll need to make sure it can efficiently support all your changing needs as your company grows.
Below we compiled some of the common stages of authentication that products tend to go through, along with the bare minimum features you’ll need in each stage. By understanding your long-term auth requirements in the beginning, you will be able to avoid choosing an auth provider that limits your ability to scale or rebuilding your auth at every stage.
Stage 0: The Waitlist
There’s almost no reason to skip the waitlist step. They’re a great way to drum up support for your product and find your initial beta users. However, most auth providers require significant custom code to add on this feature, so early stage startups will need to dedicate time to building a waitlist or go without.
The main properties you want in a waitlist are that it’s easy for a user to join and it’s easy for you to contact users. Here are some example setups we’ve seen:
- Using Zapier to push waitlist entries to a spreadsheet like Airflow or Google Sheets
- Using a CRM with a form that users can use to submit their emails
- Using Next.js API routes to save email addresses to a database
With PropelAuth, you can add a waitlist to your site without writing any custom code and within minutes, refocus on developing your MVP.
Stage 1: Invite-only signup page
Once you have your initial MVP built, you’re going to want to start onboarding users. However, many founders prefer to limit initial signups at first—that way, they can work closely with their initial users to make product improvements.
If you’re at this stage, you only need a few things:
- A public facing login page
- A way for potential customers to show interest, for example a “Request a demo” button on your marketing site. If you previously set up a waitlist, you might just leave it up during this phase and invite users a few at a time via email
- A tool for you to create accounts either manually or via an invite-only option for them to create their own accounts
Stage 2: Simple login with public signups
Once you’re ready, it’s time to let anyone sign up. Often, this looks like a basic sign up page with email/password login as the main option for users.
The general goal we see here is to get something up and running as quickly as possible and to fill in the gaps later.
It’s up to you to decide what’s best for you and your end-users, but at the very least you’ll need:
- A public signup page
- A public login page
- Basic authorization (Note: if you’re building a B2B product, you may need to skip to Stage 3 sooner)
You may decide you will want these additional features, although we’ve seen many founders decide they’re not necessary at this stage if you can provide them manually:
- A variety of social login options
- A perfect reset password flow
- A way for users to change their username or email address
Stage 3: Advanced Authorization (RBAC and Organizations)
As your product evolves, your access control/authorization needs will evolve too. This often starts with the desire to have different types of users—such as if you want Admins to have more access than everyone else.
If you’re building a B2B/multi-tenant product, you will need a way for all the users at a company to use your product together. Within those organizations, you need to know who has the permission to remove other users from the organization, who can invite people, who manages billing, etc.
We’ve seen a few simple approaches here, like having everyone within a company share a single account/password or manually adding users to organizations. However, as you accumulate more users, making this self-service becomes increasingly important in order to reduce your support burden and improve your customer experience.
Stage 4: Increase conversion rates
Once you’re ready, it’s time to optimize your sales/marketing funnels. A few ways to make it easier for your users to log in include:
- Providing social login options like “Login with Google” or “Login with Azure”. It’s important to pick the right options for your customer base—like providing GitHub for developers.
- Providing passwordless magic links, where a user can enter their email and get a link to log them in. You can also augment or replace your forgot password flows with magic links, so people that often forget their password no longer need to worry about it.
- Make it look nice! A sketchy looking signup page is an easy way to lose some customers
Up until now, we’ve made the stages sound pretty linear. There are, however, some features where different types of companies add them at different stages.
Supporting larger customers/enterprises
For many B2B startups, your initial customers are other small companies. Over time, you will likely need to support larger customers, and the nature of user onboarding usually changes.
Large companies have more complex needs when it comes to making sure their employees have access to the software they need—and can’t access software that they don’t need. Because of this, they will usually have a tool, such as Google Workplace or Rippling, to help them manage permissions. Once you begin supporting customers of this size, you’ll need to integrate with these products directly, instead of asking them to go outside of their usual workflows to use your onboarding flow. These integrations often use protocols named SAML/OIDC.
In addition to allowing your customers to easily onboard all their employees, there are additional protocols that allow your customers to easily offboard their employees.
When thinking about security, early-stage startups will need to store passwords properly and protect important tokens from timing attacks. But there are some issues that can deprioritized until your company grows.
For example, many startups don’t offer 2FA in their early stage, but often need to add this extra level of protection later.
Similarly, small businesses usually avoid brute force or credential stuffing attacks initially but can become a target as they gain more customers.
PropelAuth works for every stage
At PropelAuth, we understand each of these stages very well—in fact we’ve designed our product to solve these B2B needs.
Using PropelAuth, you can have an authentication experience up and running in no time, regardless of whatever stage your company is currently at or will be. We’ve focused on making it easy to modify your authentication flows, so there’s no need to go back to the drawing board every time your company hits a new milestone.
We didn’t shy away from supporting more complex use cases either - if you’re a B2B company, you’ll find easy to use tools to allow your users to invite their teams, manage permissions and more.
Plus, we have all those security features available from day 1. We provide enrollment UIs for your end users so they can enroll in 2FA without you writing any additional code. We protect your users from brute force and credential stuffing attacks. Our goal is to take care of as many aspects of authentication as you need.
If you want to check us out, you can sign up here or view our docs here.