This one is a strange topic: ask any site owner whether they think it’s important to manage their users’ login data effectively, and you’ll get fervent agreement that it’s absolutely critical, both for a business’ security as well as its reputation.
However, ask how much effort is being put into creating a robust, self-owned system which scales, and most responses tend to be close to “none at all”. This is a common problem, and as an area tends to get sidelined as we all chase bigger revenue-based priorities: until it simply can’t be put off any longer. Unfortunately, by that time it tends to be more complicated to manage than it would otherwise be.
It’s admittedly a tricky area to prioritise as a business grows, and its perceived relevance to daily operations really varies: however, getting it right at the right time has a myriad of benefits in the long term, not least of which is the reassurance that personal data is being managed securely and appropriately. It’s also an important opportunity to design a great user experience: sign-in and authentication is literally a barrier to what a user wants to achieve, so ensuring that the process is as smooth as possible makes sure we start our visitors’ journey off on the right foot.
Let’s have a look at some of the benefits of effective identity management, then dive into what you can do about it for your organisation and how to identify the best time to do it.
Get to know your visitors on your own terms
Online privacy has been given a lot of importance over the last few years as it continuously hit the headlines across the globe: more and more internet users are becoming significantly more sensitive to how their data is being managed, stored, used and, in some cases, misused.
One of the biggest steps in giving people more control over their own digital identities was the infamous introduction of GDPR legislation in Europe in 2016: its detail around exactly what responsibilities companies have in this area completely changed how we interact with the topic. However, GDPR was only the first step, and opened up the gates for many areas which will continue to evolve over time: the recent ruling of a Munich court that the use of Google Fonts on a website constitutes a violation is a clear example of how legislation will continue restricting how sites can store, process and utilise user data, which identity management is a critial subset of.
Our relationship to technology is changing significantly, too: as more people take steps to block cookies and we move closer towards these becoming a thing of the past, the way site owners understand what site visitors and readers are interested in becomes much more challenging, especially as third-party data becomes less and less reliable.
Within this picture, having a robust Identity Management system for your digital assets can really make a huge difference. A self-owned, well-built database collecting and storing the right identifying information means site owners will be able to efficiently and safely build rich user profiles of their own.
This is of course ideal: direct ownership of customer profiles means you can legally and accurately use it for effective targeted advertising, both on and off your own website. Particularly for advertising bought directly on your website, being able to leverage your own first-party data with advertisers helps you add trust with your business partners and increase your success through effective targeting, ultimately benefiting your revenue and bottom line.
Beyond advertising, however, having your own rich, identifiable user data is also important to help drive editorial and business decisions, as a good database will be invaluable in understanding what your visitors actually like and want to see more of. This can be used to drive critical decisions including:
- how to design your UI for better usability and more stickiness with your readers
- what events to organise which fit the widest audience numbers
- what type of content to prioritise according to what your readers prefer
- what gaps exist which you could fill by creating specific products for your audience
While analytics tools do deliver a smaller selection of similar data to some extent, this tends to be significantly less accurate and useful as it can easily be overridden and tainted by bot traffic data, skewing your view of your real visitors patterns and preferences. We should therefore look at a more reliable source of data for answers.
Identifying the significance of identity management for your organisation
A common starting point for most businesses is WordPress’ inbuilt system: out of the box, this tends to be sufficient for scenarios where the only users who need to sign in are people working directly on the site itself – editors, authors, contributors, administrators. Where your website only needs a handful of people to keep it ticking, the default system WordPress comes with does a great job of handling the data effectively, even though its flexibility is limited.
However, most sites quickly outgrow this as their needs evolve. This tends to happen when requirements start piling up: multiple sites which people need to log into, thousands of users, and multiple versions of the same sites. One of the most common points where the default system becomes an obvious problem is when sites are cloned for effective management (e.g. for staging, production and UAT). WordPress handles each of the databases for these instances completely separately, and that means the replication of user data between the sites becomes a nightmare to manage. Multiple problems can arise: from the sheer size of keeping three separate copies of the same database, to your users having to have separate logins for each site copy, to huge difficulties in ensuring full compliance with GDPR’s right to be forgotten legislations when deleting a user across all of the site’s clones.
As a CMS, WordPress has made huge progress across many areas, but its default identity management system has also not really been built or optimised to effectively handle scale. For example, rights management entails the whole database being loaded in a single dropdown for selection: with thousands of users, not only does this become impossible to navigate, but can also crash your browser and make it unusable. There are a few creative ways around these problems, but hacks and fixes are not really the appropriate solution for scaling up in the long term.
How much time and effort should be poured into identity management should clearly centre around where an organisation is in its growth path, and how many people are being interacted with on a daily basis through its online presences. There are a couple of things to look out for which can clearly signal it’s time to look for solutions which can scale effectively alongside your business:
- Is work being repeated endlessly? For example, are your team members having to delete / update users multiple times in different places?
- Are you struggling with compliance? Are you sure all the user data is stored exactly where it should be, safely and securely, at all times, and no copies of the database are being downloaded to local machines for testing, for example?
- Is your organisation growing at speed, and the need for more user accounts multiplying exponentially?
- Do you have multiple sites which your users need to log into regularly, and would a single login introduce more efficiencies across the organisation?
If your answer to any of the above is yes, then it’s definitely time to move on to a better solution.
Should you build your own identity management system?
The short answer to this is no. There are multiple problems which can arise while developing a bespoke system, not least of which is the amount of time and effort which need to be poured into it, which are usually grossly miscalculated.
Getting it done right is also very complicated and takes significant effort while being extremely easy to get wrong, to usually very serious consequences. It’s therefore always best to defer this to specialists whose area of expertise lies in staying a step ahead of the game, and whose business relies on understanding the most common problems in the area and solving them effectively.
The most successful and efficient third-party systems take user management out of the individual site databases and treat user data as a single, centralised, effectively-managed platform. Done well, this platform then handles the whole process of authentication and rights management directly, communicating with as many assets as necessary within an ecosystem, keeping everything streamlined and constantly updated as a single source of truth.
Picking the right solution
There are a couple of options to take into account when considering new systems, starting with whether you should go for a commercial system or not. Off-the-shelf systems typically handle the whole process end-to-end against a predefined subscription price. They’re usually extremely efficient and effective, although they may have their own workflows which don’t fit specific needs and cannot be changed, meaning updates to own processes and systems may be necessary. Since they get constantly updated and upgraded, systems you build based on these may also need regular maintenance to function properly. These solutions are however robust, reliable and relatively easy to get started with.
There’s also the option of going open-source: a number of extremely well-developed solutions are available which can be freely adapted and run on a privately-owned server directly by your team or as a managed service. This would typically require a higher level of hands-on involvement, but can have equally effective results.
To help you make the right decision, we’d recommend starting by getting answers to the following sets of questions first.
- What does the system’s typical performance look like, and what are its limitations? Speed should be a significant factor in your decision as your sites will greatly depend on response times.
- How easy is it for your systems to integrate and talk with that service? What support is offered for successful integration?
- What options are available for integration, and how flexible is it?
- What interface and architecture does it use? SAML? REST API?
- How easy is it to use, reskin and restructure for your specific needs?
- What is the pricing model? Pricing based on total users vs pricing based on active users/month can have a very different impact on your bottom line.
- Is the system being kept up to date, with functionality being added as it comes available?
- Does it have 2FA, and what authentication mechanisms does it depend upon?
- Are new hashing algorithms being added and implemented regularly?
- Does the system offer proactive breach detection?
- How secure is its data infrastructure?
Most importantly, explore the developer experience of using the product. Proper setup and maintenance will require your dev team to interact with the product extensively: ease of use of the system, extensive documentation and great APIs will help make the process as efficient as possible. How well it is able to integrate thanks to a great developer experience also has an impact on the end user: a well-designed system should enable your team to make it as undetectable and seamless as possible, which is the ultimate aim.
Outsourcing an identity management system is a big decision and also comes at a significant cost: if the net benefit isn’t of savings in time and money for your organisation by way of time and effort, then you might be looking at the wrong system.
Should you have one system to rule them all?
One additional question we get asked a lot is whether to use a single centralised system for all forms of identity management needed, integrating staff access rules to those of your front-end users. The reality is that while this sounds more efficient, it’s a significant security risk: a hacker getting into any of your user data or it being lost is bad, but the whole dataset including your staff’s access rights being breached is absolutely catastrophic.
It’s therefore best practice to have two completely separate systems: one for your end users, and one for your internal clients, as an extra layer of hedging around your most sensitive data. There are ways of bridging these databases which can be explored without their being combined, but keeping them completely separate means that the chances of both failing at the same time are greatly minimised.
Time for a new Identity Management system?
There are therefore significant benefits to taking care of this topic in detail at the right time, many of which can have a direct impact on your bottom line. Ask yourself:
- Are you making it easy for your users to access your sites while maintaining a very high level of security? How is your current system impacting user experience?
- Are you sure you are fully compliant with all user data regulations, particularly in a remote-first world with multiple members of staff spread across the globe? Have you kept on top of where your data is being stored and accessed from every time?
- Are you experiencing growth which will make this turn into a problem in the foreseeable future? Are you ready to scale?
In general, the most important point to focus on in the short term is ensuring you’re in line with GDPR and all data protection acts in your jurisdiction, while being in complete control of where your user data is being stored and accessed from at all times. A great identity management system will make it easier for you to keep on top of things, meaning you can worry about one less thing on your priority list!