Auth for business software (B2B) shouldn’t look the same as auth for consumer software (B2C). In many cases, it actually can’t work the same way. I’ll cover three important buckets of differences between B2B auth and B2C auth:

Logical isolation and tenancy models
Priorities and trade-offs
Protocols and features

By the way – let’s use auth loosely here and let it subsume related stuff like user management. Similarly, let’s just imagine away the vague grey area between consumers and businesses (e.g., software for sole proprietors) and focus solely on obvious consumer apps and obvious enterprise products. A simplified model of the world helps make things clear.

Logical isolation and tenancy models

In B2C software, your customers are your users. They’re individual people that control their own accounts. Things don’t work that way in B2B software. Businesses want to control their users’ access; and within a given business, not all users should work the same way. This has pretty significant implications for auth. Let’s first look at tenancy in consumer software and then take a glance at business software.

Users: First-class tenancy in consumer software

In a consumer application, we primarily care about individual users. To illustrate what this looks like, I went to Club Penguin Legacy and created an account for myself. Signing up for a CPL account is pretty easy. Aside from email verification, all you need is a username and a password.

Club Penguin associates all of my data with my penguin. I get to edit some of my penguin’s data if I want. For example, each penguin gets an igloo. I get to edit my own igloo. No one else gets to edit my igloo.

If I want to upgrade my igloo, Club Penguin checks to see how many coins I have. This is a property that’s associated with my user account. Regrettably, I do not have enough coins to purchase the undersea igloo theme.

None of what I’ve covered here should seem surprising. This all seems kind of obvious – kind of normal – doesn’t it?
...
First seen: 2025-06-30 17:47
Last seen: 2025-06-30 21:48