Feature - Allow User Authentication without Passwords

As "reset password" requests eat up IT service desk dollars, and most passwords remain insecure, it is time for authentication protocols that do not depend on passwords for user login.
Many such methods are available today; these include Apple Touch ID, multi-factor authentication, and authentication using TOTP (time-based one-time passwords).

The Microsoft security blog has a post describing their goals and the different techniques they use to ensure users can use devices and software without worrying about passwords. However, all these techniques have one of two things in common:
  1. They need your biometrics (fingerprint, face, eye, etc.), or
  2. They validate a token or security key generated by an app on a mobile device.

Imagine a typical use case

A user likes to browse the web, shop at different e-commerce sites, check their account balance, join forums and personalize their browsing experience.
For them, the vast majority of login screens will still ask for a password.

There are some secure websites that send a TOTP (time based one time password) instead of asking you to enter a password, however they are not widely adopted.
Social login (e.g. login using Facebook) has major privacy issues, so that is a solution with limited use.
And if you use a solution like LastPass, then all you are doing is moving your passwords from your mind to another app on your mobile.

The only solution appears to be with the website owner, or the enterprise providing the service. If they start offering secure authentication without passwords, and allow other secure websites to confirm the user identity, then the process of login will become easier and more secure.

For this, a key factor is to eliminate passwords from registration forms. With this approach, and using techniques such as adaptive, risk-based authentication, the user experience at registration and login can be vastly improved without compromising on security.

Identity & Access Management for Cloud Applications

If you have a SaaS offering, fundamentally, you need to adopt a security posture that is much more stringent than that for on-premise applications. This includes user life cycle management, identity and authentication services, authorization to use key features and log management for audit and compliance.
Here is a conceptual cloud security architecture from the Cloud Security Alliance.


This gives a great overview of the potential points of concern for any CISO.
To read more about how to secure your applications or design secure applications in the cloud, head over to their website, and take a look at the research resources they offer.

Calculating TAM (Total Addressable Market) for a SaaS firm

If your firm or start-up does not have a full time strategy team, then the founders will use different resources to calculate the potential market size for their firm. Here are some key methods to calculate the TAM, and create a product launch and marketing strategy.
  1. Use Data from Research Reports

    Many research firms put out their estimates of the TAM for different products and services. For example, there is a category of products called Next Generation Firewall (NGFW).
    Research reports such as this and this indicate that the NGFW market size is about $7.4 billion in 2017, growing to $12.5 billion by 2022.

    Using such numbers from a credible source can give a good estimate of the market size, as well as of the sub-segments within the market. Adding to this data, you can make some projections of your own to identify which verticals, geographies and customer profiles will be a good fit for your products and solutions. Add to this the range of expected growth rates, and you have a very good range of TAM for planning and budgeting.
  2. Create a "Bottom up" Estimate

    This is a more accurate method; however, it takes more effort and requires expert-level skills to make good projections. In this method, you first identify the total number of target firms per vertical, geography and revenue/employee size. This data is available from public sources and databases. For example, if you want to target only firms with a firewall spend of over USD $1 million, then you are probably looking at an annual IT budget in the range of $15-50 million, which indicates that the firm size is over $1.5 billion (estimating the IT investment budget at 1%-3% of revenue).

    The next step is to select 10-20 priority verticals (healthcare, government, retail, manufacturing, mining etc.) where you see a good fit for your product over the next 2-3 years. In these verticals, you then identify the firms with a size above the cut-off. Let's say that you come up with a list of 250 firms. Making projections of their IT spend, you can estimate the size of your addressable market for the first 2 years. The key advantage of this estimation method is that it incorporates your corporate constraints and is customized to your current capabilities.

    There is another way to estimate TAM, which starts from the current ticket size per sale of your competitors and derives an estimate for your firm: ticket size multiplied by the number of potential buyers gives another estimate of the theoretical TAM. Unless you are a marketing guru, this is not recommended.

Bottom Line

Estimation is a necessary activity when you want to make a business case for new investment. Using either of these methods, any product manager can project the TAM for his products and services. And as always, you must document the assumptions behind these estimates.