Please validate my idea!

My main SaaS business deals with patient information, and I not only made sure it was HIPAA compliant, but also implemented some additional security features.

I’m in the process of extracting 2 of these features into a simple API so I can build a product around them. Both are ways to enhance user authentication for SaaS apps:

1. 2-factor authentication as a service: this one would handle the 2nd authentication step, either using time-based tokens or SMS. I know it’s nothing new, there are a couple of services doing this. I would just try to position it a little bit differently and make it dead simple to implement.

2. Suspicious login detection: this is a simple API call. After you authenticate your user, give me their user id and IP address and I’ll let you know if that login is suspicious based on their login history, geo location and other heuristics. You can choose what to do next. Based on your settings, I can even handle emailing the user with an unlock token or warn them of the unusual activity in their account.

These 2 features could save a few days of development and ongoing maintenance. Would you pay to add this extra layer of security to your SaaS? If so, how much?

Thanks in advance!

I do not work in this industry, but I were to run a business that operates on sensitive data like this, I think I would spend the extra few days or even weeks and get this right myself. Unless you establish a standard like HTTPS or HIPAA, otherwise the things you mentioned sound easy enough to do.

If I’m not mistaken, the 2FA part and the data storage part is separate - I can even use Google’s 2FA service and it’s pretty easy to set up.

Thanks for the feedback! I wouldn’t be targeting HIPAA compliant businesses. I think these security measures are becoming expected because the big providers offer them. For example, when you try to access gmail from a different country/state/city, it will either force you to authenticate your phone number, or send you a warning email.

I think every B2B should be able to offer great security, even when not dealing with patient records or credit cards.

I didn’t know Google offered 2FA for non-google accounts; I’ll have to look into that. Either way there seems to be a market for it, because authy.com (owned by Twilio) does it.

I think the unique feature would be the suspicious login detection, because, AFAIK, no one offers it, and it’s harder to build than 2FA. You need access to an up-to-date geo location database and a relatively smart algorithm to detect it, avoid false positives, etc.

If my SaaS wasn’t dealing with patient records, I would never have bothered building it, but I would still have liked to have it as an extra security layer if it took me 20 min to setup and a few bucks per month.

Having had the pleasure of creating systems like these from scratch for a HIPAA-compliant, HITRUST-certified project, I know for a fact I would’ve used services like the two you proposed. We searched high and low for dead simple API-based services, and, at the time (back in 2007) they just did not exist.

Sorry to say—since we’ve already built all of that infrastructure from scratch—I’m not a potential customer.

But, I can heartily disagree with Erica’s prior reply, and validate that I would’ve been a customer of API-based microservices like this.

Yeah, like Erica wrote above, I’m a developer and I can tell you fifteen or so different approaches to doing these kinds of things on my own. But, thinking like a CTO and a business owner instead of a coder for a minute, you realize there is much to gain from avoiding the Not Built Here Syndrome and integrating a few pre-built building blocks where it makes sense. Don’t reinvent wheels, spend your time and brain glucose on something more worth your time.

Greetings

1. If your customers are running B2C businesses, wouldn’t it make sense for them to integrate with Google/Facebook/Microsoft auth services

2. If your customers are running B2B businesses, they would likely want to integrate with federal ID services like OneLogin. It could make senses to add 2 factor auth as an authentication provider to federal login providers, though as to whether there is a gap there, more research would be required.

3. If you offering two-factor auth via SMS, then there could be a nice revenue model there. Say you could just add a margin on top of SMS wholesale minutes. The user buy packages consisting of a certain number of auth requests.

4. In my opinion, your idea needs to be expanded. A bigger vision needs to be outlined. There is not enough meat in your service.

1. How many customers have you spoken to?
2. How many said “Yes” when you asked them to buy it?
   (after they say yes, you can say “it’s not ready yet, but you’ll be the first to know” OR you could use Tilt.com and “charge” them (with hefty discount) but the charge doesn’t go thru until the beta is released.