> externalize that liability/risk

Regulators love to remind: you can't outsource your risk. Your firm is accountable if customer data is stolen, which is what would happen if the passwords are compromised. Even if it's "only" lost creds, your firm will still absorb the full "reputation risk" hit. No customer or reporter is going to say "well, but you didn't really lose your customers' passwords, it's the third party provider you chose." They'll hold you accountable.

That said, using a "Sign in with Microsoft" button means some 70%-80% of SMBs can use you without you having to have or outsource their creds, since they can just sign in as their emails/passwords from O365. For most of the rest, "Sign in with Google" picks them up. And, of course, get a majority of US consumer "wallet share" with "Sign in with Apple".

A small (and big) business sign-in page would look like this (maybe without the GitHub): https://login.tailscale.com/login

As another example for consumer logins, with FB, Discord, Twitter, along with the business domain logins: https://www.xsplit.com/user/auth

The important one for small businesses trying to be compliant would be Continue with Microsoft for O365 companies, while Continue with Google also gets you everyone in Google Workspaces.

A "real" SSO option could come later; as shown above, Tailscale doesn't even have it. But these buttons are SSO as far as the typical user is concerned. By using the logins the business users already have, nobody has to store creds for your B2B users but themselves.