Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

Read the blog

Sign up

Login

Pricing

Jobs

Blog


Perhaps no other emerging technological advancements have shaped our society as rapidly as the phenomenon of digitalization. With the possibility of reaching people from around the globe, it is evident that the cyber-world also functions as a globalized melting pot of businesses: Practicing e-commerce allows companies to **heavily expand their customer base, thus going from a local organization to a worldwide supplier**.

A common misconception about digitalization and cloud storage services is that the saved information is just floating around in the cyber-world, independently of physical borders. In reality, however, **the storage, security, and managing of your data is the responsibility of so-called data centers**, housing businesses’ data at nearly 8000 worldwide locations.

Unfortunately, having your crucial data stored at a specific location alone does not automatically equal guaranteed protection: Due to such a large number of data centers, it is no surprise that not all of them are equally capable of fulfilling your organization-specific data-management needs. Therefore, when choosing a region of residency, you must make sure your location of choice **provides an optimal web environment based on your business's requirements and circumstances** and has the potential to **reach your entire audience**. This article will explain the role of data residency and centers in greater detail and list the factors you might want to consider when choosing a center region.

## All about data regionality and centers

AAs the name suggests, data residency describes **in which country or region an organization's data is stored and processed**. With the help of infrastructure providers offering various data regions, organizations using Software as a Service (SaaS) or other cloud deployment services can **store their data in multiple locations**, thus benefiting their teams with **seamless collaboration and their global users with high performance in any country**. Once you have chosen a region (for example, Switzerland), **all your data traffic is sent to a dedicated data center** to ensure it is managed in the selected location.

Since the ability to select data regionality has not been a deciding factor when choosing a service provider for many organizations, numerous contracts are signed for a pre-determined term. Unfortunately, this decision is often made unknowingly of the fact that the selected data regionality can have a significant impact on the fate of businesses: As the lifeblood of the modern global economy, data must be **handled by the right hands to avoid potential breaches, legal and data protection issues, or their complete loss**.

But what is precisely the problem with keeping the default regionality if universally trusted? Absolutely nothing, provided you have reviewed the region and found it fits your organization's needs and circumstances. However, **when it comes to data processing, there is no "one size fits all"**; different businesses tend to have their main customer base, offices, and headquarters at distinct locations. Accordingly, should the default data region be in Australia, whereas the majority of your platform's users are located in the US, they might struggle with high latency, making the quality of service suffer in the process.

**To sum it up, the benefits of choosing the fitting data residency include:**

- Improving the performance and flexibility of your cloud-deployed application/site wherever your customers are located
- Compliance with ever more stringent global and regional data protection regulations
- Seamless collaboration with employees working abroad and enhanced workforce mobility
- Better availability and disaster recovery options
- Facilitated access to public cloud operators

## Choosing the right data region for your company

Now that it has been elaborated upon why choosing the right data region is crucial, it is worth discussing what factors should be considered when making the decision in question. In addition to location and security, the compliance and availabilty of a future technology partner should be carefully evaluated.

### 1. Location

One of the most significant elements to consider when picking a data region is the physical location. Since the geographical position of a data center directly impacts **several other vital factors in the colocation process**, it is worth carefully looking into the attributes of the available regionalities. If your service provider offers a variety of possibilities covering several continents, the key is to **look at traffic patterns on your network to determine high-demand areas** that could benefit from more coverage. For example, if most of your customers or users reside in western Europe, choosing that data region would ensure low latency for your primary audience when using your platform. This proximity to your platform's users, alias the most common locations from which it is accessed, can be retrieved from various analytical tools, such as Google Analytics.

Another location-related attribute you might want to consider is your **business's residence(es)**; should your IT team need to examine the center or perform maintenance or updates in person, it is advised that it is located within an easily reachable distance.
Obviously this depends on your business's delivery model and the increasingly rare occasions, e.g. in highly regulated or sensitive industries, where businesses operate their own infrastructure.  
Furthermore, **your staff will benefit from low latency** if their data is stored and processed close to their office.

### 2. Security

Another crucial factor when choosing data residency is the **strength of the center's security system**. For an institution responsible for handling all your company's data and apps, a **breach might prove disastrous**. This fact is especially noteworthy since data centers are still a prime target for cybercriminals. For example, in 2019, six of [CyrusOne's](https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/) managed service clients, primarily located in their New York data center, have **suffered availability concerns due to a ransomware program encrypting specific devices** in their network. Therefore, it is strongly advised that the centers of choice use the latest security features and protection software.

Furthermore, besides using high-profile Software and technology to safeguard your assets, data centers should have **robust overall security**. Adequate protective equipment of both virtual and physical nature will not only keep your data safe from cybercriminals but also real-life ones.

### 3. Availability

Within the field of data centers, **availability is measured by the host's uptime**: The percentage of time your platform is up and running, alias functional. According to [Hostingadvice](<https://www.hostingadvice.com/how-to/uptime-guarantees/#:~:text=It's%20generally%20understood%20that%2099.9,and%20up)%20is%20the%20ideal.>), **99.9% uptime is a hosting industry standard**, whereas five nines or better (99.999% and up) is the ideal.
The required redundancy to guarantee the availability of a single location is typically achieved by running three physically separated data centers within the same region.

In the case of a **multi-region** application, such as ZITADEL, your data is **automatically protected against a region-failure**, regardless of the specific residency you have chosen. Accordingly, should your region of choice suffer from complications, traffic will be redirected to other locations (if permitted by the user's data location preference). This degree of redundancy is however not available within single region and single availability zone applications.

### 4. Compliance

Data compliance refers to the process of adhering to numerous requirements and standards to **ensure the integrity and availability of regulated data and sensitive data**, thus protecting them from unauthorized use. There are a plethora of industry-specific and location-specific standards governing data security and privacy; one of the most well-known ones is the European Union's General Data Protection Regulation (GDPR), which **specifies how businesses should handle the personal data of any of their customers** who reside in the European Union. Accordingly, every organization with customers in the European Union is subject to GDPR, with severe consequences of non-compliance that can put your company's long-term viability in peril.
Moreover, not only the location of the data center, but also the residency of the infrastructure provider needs to be considered for data compliance.

### 5. Cost

The **cost for storage and compute can vary greatly between different regions** and countries.
Some regions for cloud storage might be up to 75% more costly than other regions due to various factors that drive the cost to operate and maintain the required level of service and security within that that region.
Balancing the previous mentioned factors with the cost of operating in a specific region is a key challenge for companies.

## New: Data redirection based on your customers' locations

At ZITADEL, we firmly believe that **a fitting data residence should be an asset and not a liability**. The SaaS (public cloud service) solution of our identity and access management platform pledges provides the highest possible protection of our user's data; this includes supplying housing options that are true to our security and performance standards.

As of Version 2, ZITADEL will start by offering **three data regionality options** to choose from:

- Switzerland
- Global
- GDPR-compliant regions

These options, however, include more than what meets the eye. To facilitate our customers' decision in choosing the right data center, our "Global" and "GDPR-compliant" options **automatically select three housing regions based on the locality of end-users**. In the case of the former option, this can include any country that fulfills ZITADEL's privacy requirements, while the latter works in a near-identical fashion, with the region pool only including [GDPR-compliant regions](https://reciprocity.com/resources/what-countries-are-covered-by-gdpr/#:~:text=The%20GDPR%20covers%20all%20the,Slovenia%2C%20Spain%2C%20and%20Sweden.).

Not only does the automatic redirection of your data save you a tremendous amount of time and effort by not having to research the residence of your customers and the attributes of various regions, but it also **ensures that your data is housed by centers that fulfill all the location, security, availability, scalability, and compliance requirements** of your organization: With the help of ZITADEL's highly distributed and **redundant system** spanning across **multiple regions** (multi-regional), as well as the use of serverless containers, we can guarantee **fast and easy scaling** to accommodate even the highest burst traffic with a short scaling time.


This article explains the role of data residency and centers in greater detail and list the factors you might want to consider when choosing a center region.

The Ultimate Guide to Choosing the Right Data Residency


Even if you have not heard of magic links, the chances are that you have already encountered them when signing up for third-party applications or websites. Simple yet effective, this **passwordless method** is convenient for end-users to confirm their identity and easy for developers to implement: Instead of having to enter a password, **a simple click is all it takes to log you in**.

Given its foolproof infrastructure and widespread use, one might think it would be unnecessary to change a winning team. Scratching beneath the surface, however, it soon becomes evident that **this method also has limitations**. While **we strongly recommend implementing password-free authentication** for every organization, as a relatively old passwordless method among ever-changing digital innovations, **magic links might no longer be the most secure alternative** for this purpose.

With this article, we aim to determine whether magic links are still viable as an authentication method or if you are better off using newer passwordless alternatives.

![](/blog/2022-06-22-magic-links-01.gif)

## What are magic links? – The Origins

"Magic Links" describe a **passwordless authentication method** that allows users to log in by **clicking a one-time link mailed or messaged to them rather than using their password**. This link is automatically sent to the provided email address upon toggling a login request on the platform. This simple but innovative process of users authenticating themselves by merely clicking a button may seem magical to some, thus the name.

Though no official record of the first use of this method seems to exist, research suggests that their **concept dates to [the early 2010s](https://lea.verou.me/2010/08/automatic-login-via-notification-emails/).** In the following years, as the problem with passwords started to arise slowly, various platforms started implementing two-factor authentication: In addition to entering a password, **2FA provides a secondary layer of security** by requiring the user to verify their identity via a second (passwordless) factor. One of the most used secondary factors at the time was a code sent via SMS or email. [In 2014](https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/) however, a revolutionary new method started gaining traction that promises the same **high-end security features like 2FA,** **but by only relying on a single factor: Passwordless**. Since biometric characteristics were not yet as widespread as they are now (partially due to the older smartphone models), the most straightforward and low-tech solution proved to be the implementation of one-time links – or, as we call them today, magic links. Thus, in the mid-2010s, various platforms started to experiment with passwordless, one of the most notable examples being [Medium](https://blog.medium.com/signing-in-to-medium-by-email-aacc21134fcd), which sparked a debate regarding the legitimacy of this newly discovered login method.

## How do they work?

Contrary to what the name implies, magic links are only seemingly magical – in reality, they **operate using code, tokens and hash functions**. Akin to any other login process, it starts with the user visiting the respective platform or application with the desire to access it through their profile. The platform requests the user's email address upon navigating to the login page. Immediately **following the email submission, a token is generated and the magic link is formed**, which is automatically sent to the address in question. By clicking on the link, the user enables the application to **receive the query at its endpoint**, and thus the authentication process is completed.

## The advantages

Considering their widespread use, it is no surprise that **magic links have significant advantages for developers and end-users alike**. While the strengths of passwordless over password usage have already been discussed in greater detail, this list will merely focus on the pros of magic links over alternative passwordless methods.

- **Easy and affordable implementation**: Due to magic links' near-identical functionality to password resets, implementing them is merely a matter of making a few slight modifications in code. Thus, you do not have to worry about extra costs either.
- **Not device-dependent**: Unlike biometrics, which generally require devices capable of scanning the users' physical characteristics (f.e. fingerprint or face), or hardware tokens that must be plugged into a specific port, sign-ups via magic links have no such resource demands. They are therefore viable on any device with an internet connection.
- **Familiarity**: Since this technology has been used for password resets for a long time, end-users are likely already familiar with the functionality of magic links. This familiarity makes for an easy and transparent sign-up and login process.

## The disadvantages

While they have many advantages, **magic links are also not without their shortcomings compared to other passwordless options**.

- **Email Security**: If you frequently use magic links to log in, it is vital to also keep an eye on the security system surrounding your email account: Should someone gain access to another user's inbox, they simultaneously receive the keys to logging into profiles that run on magic links. Therefore, a single cyber-attack on your email could lead to unwanted activity on many of your utilized virtual services.
- **Email Provider**: Apart from the measures you take to protect your email account from unwanted access, the reliability of your used service is also worth evaluating. Since logins via magic links are heavily reliant on the user receiving the link, it is essential that the provider actually manages to deliver the awaited email.
- **Less convenient than other alternatives:** Apart from security, magic links also fall short compared to other passwordless methods in terms of login convenience. While the process is faster than MFA, magic links still require the user to leave the login screen instead of alternatives like biometrics or physical tokens.

## In conclusion

To answer the notorious question this article has posed regarding the viability of magic links; the answer is unfortunately not black-and-white. While magic links might still be considered a **safer authentication method than using plain passwords**, they ultimately seem to pose **more security risks than other passwordless options**.

Most of this method's disadvantages correlate to the fact that magic links **rely on a third-party service to handle a significant part of the authentication process**. Accordingly, even if the developer has made no mistakes in implementing a magic link-based login system, complications could still arise on the email provider's end. Additionally, while authentication processes via biometrics or physical tokens are dependent on specific device resources, they still have the **advantage of being either non-replicable or more challenging for other people to access**.

To sum it up: If you have a device capable of **authentication via a biometric factor or a physical token**, you might want to gravitate towards those options for maximum login convenience and account security. Alternatively, magic links are **still a relatively safe option for a familiar and facile login process**. In that case, however, it is strongly advised to protect your email account via highly secure authentication factors, to avoid unwanted activity on a multitude of your utilized virtual services.

Join the [GitHub Discussion](https://github.com/zitadel/zitadel/discussions/2075) if you are interested about the state of magic links in ZITADEL. Today ZITADEL supports Passwordless with FIDO2/WebAuthN and support of the upcoming Passkeys, this should give your users a secure and convenient alternative to classic magic links. You can send an email with a link to pair and onboard a FIDO2 compatible device or request a QR code to pair and onboard a FIDO2 compatible device.


Are magic links are still viable as an authentication method or are you better off using newer passwordless alternatives?

Magic Links – Are they Actually Outdated?


In 2010, only two years after Facebook's social login launch, 250 million users and two million third-party websites started using this new login alternative. With the introduction of many contemporary social identities over the years, it is no surprise that more and more platforms are continuously expanding their supply of available authentication options. The popularity of the social-login method is evident, given its convenient and user-friendly nature: It saves its users valuable time by not requiring the completion of a registration form and also spares them the effort of remembering yet another password.

As an authentication platform with the goal of the best possible user experience, ZITADEL strives to eliminate login inconveniences by **heavily expanding the number of its Identity Providers**: Very soon, every user will be assured a comfortable login via their preferred social identity. Whereas, thus far, ZITADEL has exclusively supported OIDC-compliant providers, it will soon remove this restriction to provide a **broader range of options, such as Apple ID, Microsoft Live, Github, Gitlab, and Microsoft Tenants (AzureAD).**

Besides the obvious advantage of increased login convenience, social logins were also proven superior in **enhancing business growth**. To adequately explain this unexpected correlation, it is essential to know how social logins work and how they benefit end-users and companies alike.

## How do social logins work?

Though there are many different providers for social logins (such as Facebook, Google, or Twitter), they all provide authentication in a near-identical fashion.

For them to work, the user must follow these simple steps:

- Upon entering the application or website, the user can **choose his preferred social network provider** (for example, Facebook).
- The website or app sends a **login request to the selected provider** directly, or ZITADEL relais this request to the chosen identity provider.
- Once the social provider confirms the user's identity, the user will **get access to the application**, and the registration process is completed. The selected method can now be used to log in at any time.

![](/blog/2022-06-15-social-logins-01.png)

## The benefits of social logins 

Implementing social logins can heavily enhance the user experience of an application. Some of the most notable **benefits for end-users** include:

- **Easy sign-up and sign-in:** Logins via Apple ID, Microsoft Live, or other identity providers are simple and only involve clicking a few buttons. This method is more convenient for the user than filling out a long registration form and manually logging in.
- **Less password reliant:** We all must remember an overwhelming number of passwords. Using a social login means users don't have to create and keep track of even more credentials. Thus, failed login attempts will be heavily reduced, and users will be less hesitant to sign up.
- **Raise trust:** A social login on your page provides a recognizable and uniform login method. Users will feel more comfortable sharing their data with unknown pages via identity providers they already trust.
- **Better mobile experience:** Dealing with passwords and usernames on your smartphone can be frustrating. Social logins help to make the mobile experience more enjoyable.

Due to its many perks, it is no surprise that countless end-users prefer to confirm their identity via a social login option: According to a study by ["loginradius,"](https://www.loginradius.com/blog/identity/social-login-infographic/) 70.69% of people aged 18-25 prefer social login over the traditional registration form. Accordingly, this simplified login method **can significantly enhance business growth by helping companies increase the number of customers creating accounts, thus** expanding their potential customer base. Not only are Social Logins effective in gaining new users, but also in retaining the existing ones: As claimed by ["Janrain" and "Blue."](https://paperform.co/ebook/Industry-Research-Value-of-Social-Login-2013.pdf), **65% of consumers are more likely to return to a website that automatically welcomes them through social login**.

Apart from higher conversion rates, **social logins further help your company by:**

- **Reducing stress on Support Teams:** The support team will spend less time dealing with security alerts or password requests from failed login attempts by switching to passwordless with social login.
- **Increasing login verification:** Social Logins add a layer of verification to login attempts by requiring confirmation from the chosen identity provider. Accordingly, it is more resilient to spam or harmful logins.
- **Reducing bounce rates:** Customers are more likely to abandon a site if they must fill out the traditional long registration form. The bounce rate can be reduced by making social login a possibility.
- **Simplifying Checkout:** For e-commerce applications, the simplicity of social logins can heavily increase the checkout experience. Thus, enabling them can lead to fewer abandoned carts and more purchases.

## Social logins via ZITADEL

Since every user has a preference for social networks, it is crucial for authentication solutions, such as ZITADEL, to provide a **broad selection of social identity providers**. By introducing a heavily expanded selection of social login templates, ZITADEL allows your application's users to sign in or up with just a few clicks, using their preferred identity.

It is advised to integrate your applications with an identity management platform like ZITADEL, which **can broker to many different identity providers out-of-the-box** instead of integrating providers individually in your apps. When using a central identity broker, you don't need to worry about maintaining your code across different technology stacks, as well as you get the added benefit of a central audit log and user repository.

ZITADEL will support **seven identity providers** (Google, Apple ID, Microsoft Live, Github, Gitlab, and AzureAD) that users can **individually configure and enable**. To maximize the previously mentioned benefits of social logins, it is advised to set up more than just one sign-up option on your platform.

These formerly mentioned social login methods are included in ZITADEL's basic plan and are therefore **entirely free for all users**.

Furthermore, the software doesn't require you to fully integrate every login provider separately: As an **[identity broker](https://zitadel.com/features#brokering)**, ZITADEL acts as a **trusted intermediary service** c**onnecting your projects with different identity providers** so that you only have to link the external identity providers to it. This feature is especially beneficial since embedding numerous Identity Providers directly into your apps is complex to maintain, time-consuming to set up, and hinders single-sign-on of users.

## The Takeaway

Social logins provide benefits to both your organization and your users. It boosts conversions, reduces the stress on your support teams, and simplifies the checkout for e-commerce brands. By expanding the number of supported identity providers, ZITADEL will ensure that all your users can effortlessly sign up for your platform with their preferred social identity.

We would love to hear your input on [which social logins](https://github.com/zitadel/zitadel/issues/2998) we should integrate first.

Should you have questions regarding social logins or any related (or unrelated) topics, please contact us anytime on our ZITADEL Discord Server. Alternatively, you can reach us on our Twitter, Linkedin, Github pages, or our website.

Don't forget to give us a star over on GitHub if you like the project. Thank you for the support.


Besides their obvious advantage of increased login convenience, social logins were also proven superior in enhancing business growth. To explain this correlation, it is essential to know how social logins work and how they benefit end-users and companies alike.

Social Logins: The Unexpected Drivers of Business Growth


<div className="my-4">
  <YouTube videoId={"eEhQ24EEjuc"} containerClassName={"youtube-container"} />
</div>

## We did it! 🎉

We are thrilled to announce the successful closing of our seed funding round led by <a href="https://nexusvp.com/" target="_blank">Nexus Venture Partners</a>!

This is our first time raising money, and we are stoked to have a fantastic partner on board for the next part of our journey. The newly gained funding and expertise in open source product-led solutions will help us bring a much desired open source alternative to Auth0 to the market.

Big thanks to Nexus VP for the faith and trust in [our team](/team) and product.

We want to sincerely say thank you to all the **supporters**, **early adoperts**, and **valued customers** from the whole ZITADEL team!

![](/blog/2022-06-08-fundraising-nexus-01.jpg)

## Press Release

**ZITADEL secures $2.5M to enhance its developer-first, open-source identity management platform**

**St. Gallen, Switzerland - Jun 1, 2022 -** ZITADEL, innovator of a transformative identity management platform, announces $2.5M in seed funding led by Nexus Venture Partners. The funding will help ZITADEL provide developers with a much-needed open-source alternative for their identity management needs and evolve its solution, scale sales growth, and nurture the open-source community. The current market landscape consists of established but closed-source players, including Auth0, Okta, Firebase, AWS Cognito, and others.

ZITADEL’s founding vision was based on the creation of a streamlined, cloud-native identity management platform to speed time-to-market for software projects. Focused on the simplicity of integration, ready-to-use self-service features, a customizable and secure login with first-class support for passwordless authentication, and an API-first strategy, ZITADEL’s unique turnkey platform offers developers unprecedented flexibility.
Developers often spend countless hours creating, configuring, and operating complex authentication and authorization systems. ZITADEL, which is built mainly in the Go programming language, solves these problems with easy-to-use integrations in multiple languages and frameworks. This flexibility enables developers to utilize prebuilt features provided by ZITADEL to dramatically improve their productivity. In addition, ZITADEL’s capabilities address existing open-source projects which were not built for a cloud-native and serverless environment.

The ZITADEL team is working towards further enriching the solution’s enterprise-readiness. New capabilities include multi-tenancy, unlimited audit trails, improved ability to self-host, and support for serverless deployments, plus the potential to extend ZITADEL’s breadth with custom code created in WebAssembly. Combined with its cloud-native architecture, ZITADEL’s self-hosting capabilities allow privacy-focused customers to own and control their data by running a dedicated version. ZITADEL’s flexible model, with its span of smart efficiency enhancements, is already the go-to solution for numerous marquee enterprise customers.  
The generous free tier of ZITADEL’s cloud-hosted offering allows anybody to create a ZITADEL instance in under five minutes—without a credit card. In its ongoing commitment to deliver GDPR support to its customers, ZITADEL Cloud also provides the capability to define the country or geopolitical region in which to store their data.

“Amidst today's complex software projects, ZITADEL provides a turnkey solution that allows developers to get started easily with a secure login, user management, multi-factor authentication, social logins, authorization management, and great APIs. With ZITADEL, we provide an important component to improve the overall security of a project while reducing your time-to-market,” said ZITADEL Co-Founder and CEO, Florian Forster.
“We’re delighted to break new ground partnering with Florian and the ZITADEL team, our first-ever investment in a Swiss company. We believe the future of digital identities is passwordless. ZITADEL takes a developer-first, open-source approach to solving identity management. Its simple and easy-to-integrate building blocks help developers build secure authentication into their applications without requiring deep in-house expertise and resource commitment.” said Abhishek Sharma, Managing Director at Nexus Venture Partners. “ZITADEL is the latest addition to the Nexus family of over a dozen marquee commercial open-source companies,” added Sharma.

### About ZITADEL

ZITADEL is the modern open\* alternative for Auth0, Firebase Auth, and AWS Cognito, as well as Keycloak, built for the container and serverless era. It provides customers a wide range of out-of-the-box features, including secure login, self-service, OpenID Connect, OAuth2.x, SAML2, branding, Passwordless with FIDO2, OTP, U2F, and an unlimited audit trail to improve the life of developers and developers. With its legal incorporation in Switzerland, ZITADEL is in the unique position of providing its cloud services even to customers with the strictest GDPR requirements. For more information visit [https://zitadel.com](https://zitadel.com), follow <a href="https://twitter.com/zitadel" target="_blank">@zitadel on Twitter</a>, or star the repository <a href="https://github.com/zitadel/zitadel" target="_blank">on GitHub</a>.

### About Nexus Venture Partners

Nexus Venture Partners is an early-stage venture capital firm partnering with extraordinary entrepreneurs to help build product-first software companies. With $2 billion under management, Nexus operates as one team across the U.S. and India. The Nexus portfolio includes Apollo.io, Aryaka, Clover Health, Delhivery, Druva, FingerprintJS, Hasura, H2O.ai, Infra Market, Kaltura, MinIO, Observe.ai, Postman, Pubmatic, Quizizz, Rancher, Rapido, Sibros, TileDB, Turtlemint, Unacademy, WhitehatJr, and Zepto. For more information, visit <a href="https://nexusvp.com/" target="_blank">nexusvp.com</a> or follow <a href="https://twitter.com/NexusVP" target="_blank">@nexusvp</a> on Twitter.

Contact:  
Florian Forster  
florian@zitadel.com  
+41 43 215 27 44

## Press Coverage

- <a
    href="https://venturebeat.com/2022/06/07/zitadel-targets-developers-with-open-source-identity-management-platform/"
    target="_blank"
  >
    VentureBeat - June 7, 2022: Zitadel targets developers with open-source
    identity management platform
  </a>
- <a
    href="https://www.startupticker.ch/en/news/american-vc-invests-2-5m-in-swiss-cybersecurity-startup"
    target="_blank"
  >
    startupticker.ch - June 9, 2022: American VC invests $2.5M in Swiss
    cybersecurity startup
  </a>
- <a
    href="https://finance.yahoo.com/news/zitadel-secures-2-5m-enhance-094800684.html"
    target="_blank"
  >
    yahoo!finance - June 10, 2022: ZITADEL Secures $2.5M to Enhance its
    Developer-First, Open-Source Identity Management Platform
  </a>


ZITADEL, innovator of a transformative identity management platform, announces $2.5M in seed funding led by Nexus Venture Partners. The funding will help ZITADEL provide developers with a much-needed open-source alternative for their identity management needs and evolve its solution, scale sales growth, and nurture the open-source community.

ZITADEL secures $2.5M to enhance its developer-first, open-source identity management platform


IMO = In My Opinion is a blog format where a author reflects his own opinion

As the release of ZITADEL v2 comes closer, I was working on getting the DNSSEC setups ready for our new domains (besides zitadel.com there are more) and I did wonder how the DNSSEC adoption turns out today?

## DNSSEC reputation

I know that DNSSEC has an arguable reputation and [this Stack Exchange article](https://security.stackexchange.com/questions/21121/if-dnssec-is-so-useful-why-is-its-deployment-non-existent-for-top-domains#:~:text=%40JasperWallace%2C%20Google%20is%20implementing%20things,not%20being%20fast%2Fcheap%20enough.) sums it up nicely. Although I agree with a lot of the criticism, I also think that one point is over exaggerated. This being the risk of a government entity taking control over the keymaterial of a domain at the registrar level. “Had DNSSEC been deployed 5 years ago, Muammar Gaddafi would have controlled BIT.LY’s TLS keys.”, cited from [this article](https://sockpuppet.org/blog/2015/01/15/against-dnssec/). While this holds true, it does not reflect the fact that even if the keys were managed in a different way that the control of the domain ultimately still resides with the Libyan government's registry. If we follow down this route of argumentation, the single risk we currently all take is the ICANNs control over the whole system. How ICANN counteracts this concern with public and transparent processes can be read in [this entertaining article](https://www.cloudflare.com/dns/dnssec/root-signing-ceremony/) from cloudflare .

Leaving all this aside makes me still think that a second trust anchor to the TLS PKIs is not a bad thing to consider. By separating the keymaterial from TLS and DNS (let's not talk about DANE for now) from each other, brings the additional value of making it difficult (maybe more time consuming) for an attacker to compromise two separated organizations. The “price” to pay for this is reasonable and it provides some small security improvements.

With the additional rise of DNS over HTTP (DoH) and DNS over TLS (DoT), the security of DNS based attacks should improve over time.

## How we deploy DNSSEC

For quite a while we were running DNSSEC on our domains hosted with Cloudflare. But with the recent changes in our architecture we wanted to reduce the number of companies that process our traffic, this to reduce risks associated with GDPR. With that said we settled for Google's DNS (Cloud DNS) and registrar (Cloud Domains) because we already run many of our services with Google. If you are interested in what we are using from whom checkout [our trust page](/trust).

As a side note, running the DNS server with the same provider as the registrar and TLS CA conflicts with my statement above, where I argued that separating those parties might add to the security. But we think reducing the number of sub-processors and companies involved is worth this trade-off.

## Who else uses DNSSEC

Out of curiosity I wanted to quickly brush over some of the big providers out there and see if they deploy DNSSEC. Let's say the results are confusing, because there does not seem to be a clear pattern of who deploys DNSSEC.

### No DNSSEC deployed

- [Microsoft Login](https://dnssec-analyzer.verisignlabs.com/microsoftonline.com)
- [Microsoft](https://dnssec-analyzer.verisignlabs.com/microsoft.com)
- [Google](https://dnssec-analyzer.verisignlabs.com/google.com)
- [Auth0](https://dnssec-analyzer.verisignlabs.com/auth0.com)
- [Okta](https://dnssec-analyzer.verisignlabs.com/okta.com)

### DNSSEC deployed

- [Akamai](https://dnssec-analyzer.verisignlabs.com/akamai.com)
- [Cloudflare](https://dnssec-analyzer.verisignlabs.com/cloudflare.com)
- [Login.gov](https://dnssec-analyzer.verisignlabs.com/login.gov)
- [Swiss Government](https://dnssec-analyzer.verisignlabs.com/admin.ch)

## Discussion

It is interesting to see who did deploy DNSSEC and who didn't. I think some of the tested sites hold off on deploying DNSSEC because they fear a potential user impact on a large audience. Notwithstanding, I think for security oriented services like a login provider it does not exactly feel like a great way to not enable DNSSEC. We think each element we can use to protect our customers is worth looking into. To be honest DNSSEC is definitely not the silver bullet for DNS security but still it is a minor improvement.


As the release of ZITADEL v2 comes closer, I was working on getting the DNSSEC setups ready for our new domains and I did wonder how the DNSSEC adoption turns out today?

IMO - DNSSEC


Whether it is your social media profile, your favorite streaming service, or your work email, the usage of passwords is the most common way people access their virtual identities. However, in recent years, a **new alternative has been seeing traction in the web**: passwordless authentication. Although this method would have seemed like a supernatural concept a decade or two ago, today, it is commonly praised as **the future of authentication**: According to the technology research firm [Gartner](https://www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security), 60% of large and global enterprises and **90% of midsize enterprises will implement passwordless methods** in more than 50% of use cases by the end of 2022.

To grant an insight into the newly found popularity of passwordless, this article will explain its concept, describe its reason for existence and elaborate upon its advantages over regular passwords.

![](/blog/2022-05-25-passwordless-01.png)

## What is passwordless?

The term passwordless refers to authentication methods that **confirm a user's identity without entering a password**. Instead of relying soley on a knowledge factor, passwordless utilizes alternate authentication methods, ensuring a more convenient and secure way to access your virtual identities.

The most popular passwordless authentication methods include:

- **Possession factors**: An object, such as USB Devices (FIDO2-compliant keys), physical tokens, or your smartphone
- **Biometrics**: Physical traits (f.e. Fingerprint scanning or Face-ID) or other characteristics, such as voice recognition
- **Magic links**: A link sent to the entered email address
- **One-Time-Passwords**: A code sent via text message or an authentication app
- **Software Tokens**: A virtual possession factor granted by an authentication software

Which of these methods a platform implements, depends on their individual preferences: To ensure their users the possibility to authenticate themselves via their preferred factor, many applications **utilize multiple passwordless options**. Platforms akin to ZITADEL, which work with sensitive data, generally implement open standards such as FIDO2 that allow users to use at least one of the listed methods.

Not to be confused with passwordless is **[Multi-Factor Authentication (MFA)](https://zitadel.com/features#multifactor)**. While the latter commonly utilizes a **passwordless factor in addition to the regular username-password login** method, it is ultimately not the same as the complete omission of passwords as done by the passwordless approach. For example, an MFA-based system might request you to enter your password and then use Face-ID as a secondary authentication factor, whereas a passwordless-based system would solely rely on Face-ID to confirm your identity. Although both of these methods undoubtedly surpass traditional password-based logins in terms of security, **passwordless systems are less susceptible to phishing and cyber-attacks** due to their complete waiver of passwords. Moreover, **passwordless is less time-consuming and memory-reliant nature** generally makes for a more convenient user experience.

![](/blog/2022-05-25-passwordless-02.gif)

With this said, the existence of the passwordless authentication alternative might pose the obvious question: Why should it be used? To answer this question, it is worth looking into the issue it means to eliminate: the **increasing problems with passwords**.

## The problems with passwords

One of the most apparent reasons for the popularity of the passwordless alternative is the **increasing dissatisfaction with the traditional username-password login method**. While the usage of passwords has been the industry standard for decades, the evolution of technical knowledge amongst the public also opened the door for more and more cybercriminals who take advantage of the simplicity of this authentication method.

Even when used in combination with Multi-Factor-Authentication, **passwords are more prone to phishing attacks**. This phenomenon occurs largely due to the fact that people tend to set a simple word or pattern as their passwords, since they are supposed to be easily recallable. Evidently, a complex combination of multi-case characters, numbers and symbols is harder for hackers to guess, but unfortunately, they are also harder for users to remember.

To protect their data from potential risks, numerous companies order their employees to change their passwords periodically. While on paper this measure might sound like an optimal solution to the password-problem, in practice however, it **increases the chance of the user losing track of them**. Moreover, people tend to use the same password for multiple virtual identities; accordingly, if a hacker should get a hold of your password, it would **grant them access to each profile that uses the same login credentials**.

Whether you buy into the passwordless journey or not, **always enable two-factor authentication** and use different passwords for each service. Use a password manager to ease the pain of multiple passwords and even creating and rotating new passwords.

## Benefits of passwordless

To **replace the previously mentioned risky password management practices**, a new alternative had to be developed that does not tie the authentication process to a singular phrase: Thus, the passwordless method came into existence. Standards such as FIDO2 entirely rely on **public-private key exchange between a user's device and the server** that authenticates the user, thus passwordless not only **eliminates the inconvenient practice of remembering complicated passwords** but also ensures **highly secure access** to all your virtual identities. Moreover, switching to passwordless is highly beneficial for the users of an application and its developers: Due to the high cost of managing and maintaining passwords, the alternative generally poses a **lower total cost of ownership (TCO)**. While the implementation of passwordless might seem expensive at first glance, its price does not even come close to the **fines and losses incurred due to a cyber-attack**.

The most significant benefits of using passwordless authentication instead of passwords:

- **Security**: Highly reduced risk of cyber-attacks
- **UX**: Higher customer satisfaction due to its convenience
- **Cheaper TCO**: No need to invest in maintaining passwords
- **More Sign-ups**: Not having to create a new password makes the registration process smoother, thus increasing customer satisfaction and sign-up rates

## Why should a PIN be more secure than a password?

When using passwordless, users are generally prompted for a gesture such as FaceID, Fingerprint, or even just a PIN. At first glance, it might seem illogical how this method should be more secure than multi-factor authentication. The vital difference is that **this gesture only unlocks a software or hardware-based “vault”** where the keys are stored for authenticating. The personal credentials, such as biometrics or the PIN, itself were **not shared across the network or even across devices**.

Drawback of this method is that each device has to be enrolled individually in the service. For most users, this is confusing and creates additional friction in onboarding and managing users. However, [according to the FIDO alliance](https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/), this issue will be solved with **multi-device credentials, known as “passkeys”**, within the current year.

## ZITADEL and passwordless

As an identity and access management platform, ZITADEL holds the security of its customers and their end-users to the highest value: Accordingly, to **replace security threats with highly modern login convenience**, the inclusion of passwordless methods is indispensable. ZITADEL offers a wide variety of **passwordless authentication options via FIDO2** for logging into its console itself and for the login form of the customer's application: They can use their **fingerprint, security key, or any other [WebAuthN compatible](https://webauthn.guide/) authentication method to log in**. Regardless of which approach the user chooses, ZITADEL's passwordless authentication **protects them effectively against data breaches**, thus eliminating a significant attack vector.


To grant an insight into the newly found popularity of passwordless, this article will explain its concept, describe its reason for existence and elaborate upon its advantages over regular passwords.

Why You should Switch to Passwordless Authentication


In the 21st century, a significant share of our conversations is held virtually, via text messages. Not only does this fact apply to interpersonal conversations between acquaintances or friends, but also service-related negotiations such as parcel deliveries, newsletter subscriptions, or even payment requests. Due to the normalization of these sorts of messages, people tend to be less hesitant when clicking on links that come from a seemingly trusted sender. A serious problem arises, however, when the attached URL redirects you to a malicious site. In this article, I will discuss the phenomenon of smishing and how to protect yourself from falling victim to it.

## What is smishing?

The word “smishing” is derived from a combination of “SMS” and “phishing”. “Phishing” describes the phenomenon of being deceived into giving sensitive information to a disguised cybercriminal and “SMS” indicates that the deception is carried out via text messaging. Smishing is therefore essentially a newer breed of the infamous spam emails, however, due to the perceived intimacy of a personal text message, SMS scams have a higher chance of going unnoticed.

To further take advantage of your confidence in text message safety, attackers tend to assume the identity of well-known companies people are used to receiving legitimate messages from, such as DHL, Netflix, or Apple. Smishing text messages usually depict a situation that due to their urgency, are known to grab the victim’s attention, such as a package delivery notification, a purchase confirmation, or a credit card suspension notice. The ultimate “goal” of smishing is to trick unsuspecting people into giving away their personal or financial information. In many cases, simply clicking the provided link can initiate a download process of viruses or malware, which the cybercriminal can use to access all data and information stored on your phone.

![](/blog/2022-05-11-smishing-01.png)

## The most common threats of smishing texts

Based on what we already know about this phenomenon, smishing is more than a simple prank-SMS. What some people do not realize, however, is how severe the risk of clicking a simple URL can be. Most commonly, the attacker will exploit the acquired data for one or more of the following purposes:

### 1. Stolen money

The most obvious reason a criminal would want to access your online information is to defraud you out of money: The attached link is therefore often used to intercept a one-time passcode (OTP) most banks use for step-up authentication. Alternatively, they might simply send their unsuspecting victims a warning about an unpaid bill in favor of a fake recipient. Sadly, many attackers found success in this “business”: [The median of the loss reported by complainants was $800.](https://www.aarp.org/money/scams-fraud/info-2020/smishing.html)

### 2. Identity Theft

Theft does not exclusively happen to tangible objects; it can also happen to a person’s entire identity. Some scammers use the accessed data to claim the identity of their victim, for various diverging causes apart from stealing money, such as filing phony health insurance claims, committing tax fraud, or even reselling your data to other criminals.

### 3. Installed Viruses

Another threat smishing poses is the installment of unsolicited malware. The message might encourage you to download a seemingly trusted app, which could be used to collect sensitive data from your phone, such as credit card details stored in other apps. Additionally, a phone infected with malware or viruses can become completely unusable.

### Pegasus: A real life smishing example

To showcase just how dangerous the consequences of smishing can be, we are taking a look at the real-life example of the “pegasus incident”. Pegasus is a spyware that can be installed on any kind of smartphone device, intending to harvest its data from apps. While the software was intended to be used to investigate potential terrorists and criminals, multiple cases of its misuse to surveil anti-regime activists, journalists, and political leaders have been reported.

As software capable of zero-click exploit, Pegasus requires no user interaction to operate: As an example, the spyware could be covertly installed on the phone of a [technology lead at Polygon](https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/), by taking advantage of a previously unknown security vulnerability in Apple’s iMessage. The Pegasus infection link was disguised as a boarding pass link for a Swiss International Air Lines flight the victim had purchased. As a result of a simple click on the URL, the spyware was granted unlimited access to every information stored on the iPhone.

![](/blog/2022-05-11-smishing-02.png)

While this incident of a fraudulent boarding pass link would likely fly under the radar for many, luckily, more **amateurish smishing attempts targeted at civilians are easier to identify**. In the next chapter, we discuss some common signs of a potential smishing attempt.

## Signs that you are getting “Smished”

To protect yourself from smishing, it is essential to be able to recognize the threat coming your way. Luckily, there are some signs to look out for, when receiving a suspicious text message. If the text is guilty of at least one of these common signs of smishing, that is a warning signal that you need to take measures to protect yourself:

- The message is asking you to click on an URL with a domain that does not correspond to the company name. Furthermore, shortened URLs (f.e. starting with bit.ly, cutt.ly, and shorturl.at) are generally not trustworthy in the context of SMS messaging.
- The message is very generic – Legitimate senders generally include the package number, your bank’s name, or your name/nickname, depending on the context.
- The message contains spelling- or grammatical errors - Texts from service providers are usually automated, so the possibility of a typo would be extremely low.
- The number of the sender and that of the service provider they claim to be, do not match. Moreover, when you receive a message from bigger service providers, (f.e. banks, post offices, or delivery services) they will mostly have their company names displayed instead of their numbers.

![](/blog/2022-05-11-smishing-03.png)

## How can you protect yourself?

Whether you already received an illegitimate message or not, smishing can happen to everyone. However, there are plenty of measures you can take to protect your data; if you have received a suspicious message, keep these simple tips in mind to avoid falling prey to text message fraud:

- Do not open the attached link
- Replying or calling them is counterproductive – Doing so confirms that your number is in use, making you a potential target for more attacks
- Never share any of your data (passwords, address, etc.) via text
- Limit sharing your phone number on social media to decrease the number of potential scammers getting their hands on it
- Block the number and/or report the scammer to your country’s Trade or Communications Commission or the police
- When in doubt, ask the service to confirm the delivery of the message in question. However, make sure to do so via the contact information you can find on their official website; do not call the number that sent the message.
- Enable [Multifactor Authentication](/features#multifactor) to prevent unwanted logins to your account.


What if a text message you received is not what it seems?  This article discusses the phenomenon of smishing and how to protect yourself from falling victim to it.

Smishing - How to Recognize Dangerous Text Messages


One of the most common tasks when developing a software is establishing an authentication and identity management system. Whether that system only consists of a sign-up form and a login page or a more complex infrastructure, **the number one priority should always be a** **seamless functionality**: Errors in the implementation can have **catastrophic consequences**. To assure that your software is secure and working as intended, your **identity management system should be implemented and managed by experts** with in-depth knowledge on the topic.

Companies on the lookout for an authentication server have the possibility to **buy functionality from third-party identity and access management (IAM) solutions**, such as ZITADEL. Most of these vendors consist of highly qualified IT-experts who are universally entrusted to **guarantee a safe and error-free IAM system** for software products. Despite a large supply of these purchasable solutions, some firms still choose to build their own authentication server in hopes of saving money or due to distrust in pre-built applications. While a **self-developed solution** might work for some, there are various **potentially unknown drawbacks** that companies should consider before settling for this method. In this article, I will discuss the risks and disadvantages of building your own authentication server.

## Common shortcomings of self-built Authentication Servers

### 1. Security Issues

The most significant risk of building your own authentication server lies in its generally **higher probability of security issues**. Since keeping your users’ data safe is among the greatest responsibilities of a platform and the primary task of an IAM server, it is essential to make sure an adequately established security system is a given. One of the most obvious advantages IAM vendors have over DIY developers is the possession of a **dedicated team with IT and engineering expertise**. The members of these teams can utilize their knowledge to create the **best possible security system** based on their diverse experiences. Additionally, IAM vendors commonly offer **advanced security features**, such as support for multi-factor authentication (MFA) and security keys. Another security aspect where third-party IAM solutions prevail is **error prevention**: They can **prevent attacks more easily due to their large user base**, whereas a custom-made solution does not possess enough data to recognize suspicious patterns.

### 2. Not as cheap as you think

Contrary to popular belief, you will likely find that **building your own authentication server is not cheaper in the long run**. While you initially save some money by not having to purchase the solution itself, it will quickly be **compensated by the cost of development, maintenance, troubleshooting, upgrades, and the resources** themselves that are needed for these procedures. It is also worth noting, that since your main product is likely in an unrelated field to the IAM itself, the inevitable **shift in your working context would entail additional costs**. When considering a handcrafted solution, it is therefore beneficial to evaluate if the needed investments over the lifetime of your product are ultimately less than the amount you would have to pay for the one-time fee of the purchasable alternative.

### 3. Complex and Time-consuming

When creating anything from scratch, you should probably reckon with a lengthy production process. The same principle applies to developing a server; given that authentication solutions **require lots of API programming and complex security features**, fully building one might take at least a year as a full-time job. Since the server will handle sensitive data, the development of an adequately functioning security system also involves **constant testing and optimizing**, which should not be neglected to save time. The need for handcrafted features also extends to the product phases beyond the initial development: Keeping your application functional and up to date requires you to **additionally establish a maintenance system** that will serve this purpose. Purchasing an already established IAM solution would therefore likely **save you several years of time, and money spent on essential resources**.

## What you can do instead

In conclusion, even if you are an experienced programmer or your company possesses a dedicated IT-team, you will likely find that **your time and effort will be better spent developing and optimizing your main product**. Afterall, facilitating the job of software developers by not having to worry about building a dedicated authentication server on top of programming every other aspect of their application is the primary reason third-party IAM solutions exist. **Buying functionally is therefore our clear recommendation if you strive for maximized security and wish to save time and money**.

Should you be worried about being restricted by the ready-to-use features of a third-party IAM platform, **ZITADEL customers** have the possibility to choose a **self-hosted deployment option**. While this method still requires more resources compared to the software as a service alternative, it allows you to have full control over your authentication system without having to create a whole server from scratch.

## The Takeaway

If you wish to receive a pre-established IAM solution instead of having to handcraft it yourself, **ZITADEL ensures** **the best possible authentication server** with its flexible pricing options, diverse deployment options, generous range of features, guaranteed high security and unlimited identities for all instances.

Should you have questions regarding authentication servers or any other related (or unrelated) topics, feel free to contact us anytime on our ZITADEL [Discord Server](https://zitadel.com/chat). Alternatively, you can reach us on our [Twitter](https://twitter.com/zitadel), [Linkedin](https://www.linkedin.com/company/zitadel/) or [Github](https://github.com/zitadel/zitadel) pages or on our [Website](https://zitadel.com/contact).

If you like the project, don't forget to [give us a star over on GitHub](https://github.com/zitadel/zitadel/stargazers). Thanks for the support.


Despite a large supply of purchasable solutions, some firms choose to build their own authentication server. While this solution might work for some, there are various potentially unknown drawbacks that you should consider before settling for this method.

The Truth About Building Your Own Authentication Server


<a
  href="https://money-key.ch/"
  target="_blank"
  rel="noreferrer"
  className="hidden dark:block"
>
  <img
    src="2022-04-27-success-story-money-key-02.svg"
    width="80%"
    alt="Logo of money key"
  />
</a>
<a
  href="https://money-key.ch/"
  target="_blank"
  rel="noreferrer"
  className="dark:hidden"
>
  <img
    src="2022-04-27-success-story-money-key-01.svg"
    width="80%"
    alt="Logo of money key"
  />
</a>

[Money Key](https://money-key.ch/) is a digital web and voice application that allows entrepreneurs and financial managers easy access to their financial information. Due to the interconnected nature of the business relationships, Money Key uses ZITADEL as the identity platform to provide authentication, self-service and delegation of authorizations to their B2B customers.

## Key outcomes

- Small invest in identity management by using core B2B features
- Using Organizations for each customer to enable SSO and self-service
- SaaS service with data location Switzerland

## Challenge

Money Key is a digital web and voice application that connects to your accounting system. Fiduciaries and companies log into their web solution to review financial information via interactive reports and voice chat. The hierarchical relationship between trustees and their customers poses some challenges with regards to multi-tenancy and self-service.

The proof of concept used a social login provider to authenticate users with the application. As the maturity of the product evolved, it became clear that there needed to be a better solution, not only for authentication, but mainly also for authorizing the different B2B customers. A decisive criteria was a provider from Switzerland and ideally hosting of the SaaS in Switzerland.

## Solution

![Screenshot of Money Key application showing liquidity KPIs of a demo account](/blog/2022-04-27-success-story-money-key-04.png)

When looking for alternative solutions, the option to build an own solution was out of the question. The investment would have been too high and taken away valuable time in creating core business value.

ZITADEL was introduced to Money Key by their initial implementation partner, [Paixon](https://paixon.ch/), who has been using the identity platform for other solutions already. It seemed like the ideal solution for the B2B use case in addition to being a hosted cloud offering from Switzerland.

Money Key likes the fact that ZITADEL is organized around the concept of Organization, which can delegate access management to other Organizations and the flexibility of how ZITADEL Organizations can be used.

The solution required delegation of access roles through a hierarchy of Organizations where a product owner can administer the primary customer group, that is the trustees, who can self-manage their own company customers.
The application’s business logic creates new Organizations and internal users for new customers programmatically by connecting to the ZITADEL Management-API.  
The big advantage is that each entity has the possibility to act as its own administrator and set/edit the different users on different levels. Hence Money Key keeps its focus on offering new features and on the other hand its clients get the flexibility to manage the users on their side.

Money Key relies on the ZITADEL state-of-the-art security and benefits from features like two-factor authentication and password reset, which is easy to use as a consumer as well as administrator. It is possible for customers to use a social login (e.g. Google), as originally intended, which is related to ZITADEL identity management via Account Linking.  
At the moment they are missing the option to use their own domain for login and in emails to customers. This feature will be released to the Public Cloud service in May 2022.

## Result

Money Key was able to get a first working version of their B2B service within six months, with first customers using the application since the end of 2020. Following the success of the initial feedback, development continues with ZITADEL as the identity platform.

During the early phase it is quite important that the costs are only a small part of the overall product revenues. The availability guarantees and the pricing was convincing and Money Key is happy to have the option to buy additional support after initially scaling their growth.

## Future Plans

With a strong IT team at their disposal, Money Key is working towards integrating with various accounting software providers, such as Sage (Infoniqa), Bexio or Abacus, but also growing strategic partnerships to make life as data-driven entrepreneur easier. The goal for 2022 is to expand in the german-speaking part of Switzerland, soon followed by the german-speaking countries around.

## Testimonials

<img
  src="/blog/2022-04-27-success-story-money-key-03.jpg"
  width="30%"
  alt="Portrait of Ernest Ukaj"
/>

> “We needed a better solution for authorizing customers. We did not want to build this on our own, but focus on our core competencies.” - Ernest Ukaj, Founder and CEO

## About the solution

Money Key is a digital web and voice application that connects to your accounting system. The financial manager tool is a fiduciary and financial assistant in one and provides quick and understandable insight into your company's finances through intuitive usability.

## About Money Key GmbH

Money Key GmbH  
Industriestrasse 28  
CH-9100 Herisau  
[money-key.ch](https://money-key.ch/)

Money Key GmbH is currently part of the MYK Group, that offers fiduciary, audit and tax consulting services, with a special focus on SMEs and start-ups. Right now they are finalizing agreements with further Business-Angels/Investors. Currently Money Key has 5 employees and productizes their solution not only in Switzerland but also internationally.


Money Key is a digital web and voice application that allows entrepreneurs and financial managers easy access to their financial information. Money Key uses ZITADEL as their B2B identity platform.

Money Key built a financial manager tool for fiduciaries and entrepreneurs with ZITADEL


At ZITADEL every customer is granted **their own virtual instance with unlimited identities**, that allows them to **fully configure their instance policies**. This includes choosing a deployment option which is most suitable for the unique needs, security requirements, budget, and resources of each individual organization.

In this article, we will discuss our Software as a Service (SaaS) deployment option, alongside our self-hosted alternative to help you find the right solution for your project or business.

_We are currently working on version 2 of ZITADEL, as described in our [last Blog “A Serverless Future”](https://zitadel.com/blog/a-serverless-future). With this new version of our cloud service, customers will get their own virtual instance of ZITADEL. In the meantime we are more than welcome to provide you with a dedicated installation manually. Get in touch with us._

## Software as Service (SaaS) – For the need for convenience

Our public cloud option is ideal for any user who is intrigued by the idea of a **hosted** deployment model that is **ready-to-use** the moment you obtain it: Unlike the self-hosted alternative, SaaS is **pre-configured and automated**, thus sparing you the time and money spent on implementing, managing, and maintaining your platform. Accordingly, a virtual instance will **automatically upgrade** with new product improvements, and security fixes without your intervention.

You also do not have to worry about expanding your infrastructure when your service gains new customers or sees usage spikes. Thanks to the SaaS model of ZITADEL **both scaling and resource allocation are being handled by us**. Another notable benefit lies in the possibility of **global or regional deployment**: An infrastructure built to manage traffic from a global audience or constrain data to only a certain location, depending on your needs. Both scenarios are possible through our SaaS service, while we optimize and guarantee **low latencies and high availability**.

With the cloud service you benefit from the **operational security** aspects, such as DDoS and DNS protection. ZITADEL itself is an **open source platform** and the same open source releases are deployed to our cloud service. With that you are able to analyze and validate the code of our application. We even go beyond that and publish the results of our [penetration tests](https://zitadel.com/blog/pentest-results-h1-2021) done by external auditors, as soon as we have mitigated any issues.

Despite it excelling in terms of security and convenience, the pay-as-you-go subscription method of SaaS allows for a **relatively low total cost of ownership**.

There are certain weaknesses relying on a SaaS deployment, which are easily outweighed by the convenience of a pay-as-you-go subscription for most customers. While most customers are satisfied with our infrastructure in terms of cloud provider and data location options, some want to **choose their own infrastructure providers or data location**. In this case self-hosting is a good option or a **dedicated instance of ZITADEL**, which is operated by us with respect to the custom terms and conditions of the client. Both options are also viable in case a customer requires **more flexibility of upgrade cycles or backup frequencies**.

A newly arose weak point in today's software is supply chain risk, where our **OpenSaaS model provides extraordinary transparency** of code, dependencies, and processes, yet a customer still relies on the quality of our technical and organizational measures to manage information security. We are continuously improving our information security and working towards a ISO27001 certification by the end of this year. In case you **want to have more control over the technical and organizational measures**, you should choose to **self-host ZITADEL** and get technical support through us.

Lastly, a further weak point in the SaaS deployment method lies in its **limited customization options**. While companies mostly offer a wide variety of templates to choose from, their number can&apos;t compete with the infinite customization possibilities that come with building your own platform. We do not recommend building your own identity management system, rather we **promote the platform approach** of ZITADEL, where customers can easily extend functionality of the platform by **loosely coupling new components**. This is supported by ZITADEL&apos;s API-first approach, SDK&apos;s in various languages, and **programmatic extensibility** through ZITADEL Actions.

**The summed-up benefits of SaaS include:**

- Receive a pre-configured and implemented platform – no need to bother with updates, backups, maintenance, and troubleshooting
- Operational security provided
- Availability guarantees and automatic scaling
- “Pay as you go” model with low total cost of ownership (TCO)
- Global and region specific deployment options
- Technical support - we are here to help

## Self-hosted – For the need for full control

As the name suggests, unlike the SaaS solutions which are operated by a third-party provider, self-hosted deployment is **hosted by you** on your infrastructure. In the case of ZITADEL, companies or individuals can deploy our software on their preferred cloud provider or install it as an on-premise solution; Both of these options allow them to take **full control over all aspects of their software**, instead of having to rely on our infrastructure and our technical and organizational processes. ZITADEL is based on **cloud-native principles** and is designed to be deployed as containers, which makes it straightforward to run and operate on almost any platform.

Self-hosting is an excellent choice if you have the resources to set up and **host your own instances** of ZITADEL on **custom infrastructure** with your company's needs in mind. If implemented correctly, the features of a self-hosted platform even have the **potential to surpass the security possibilities of SaaS**, making it an ideal alternative for firms working with sensitive data. However, since the **responsibility of adequately hosting the platform lies solely in the hands of the company**, a lot more effort and risk-taking is required for the implementation and operation of the platform. To lift some of this weight off your shoulders, **ZITADEL offers self-hosters commercial technical support with an SLA**.

Since the setup cost and maintenance are the most obvious downsides of self-hosting, we recommend choosing this solution if your company **already possesses internal resources to handle the hosting** **and is ready to pay the investment and upkeep**. Should your firm struggle with some technical aspects of self-hosting, our community or our team, respectively, is happy to aid regarding any of these issues.

With this said, we strongly discourage self-hosting your identity platform without in-depth IT-knowledge; since the security measures must be manually installed and maintained, **mistakes in the implementation can potentially lead to inadequate protection from intruders**.

**The summed-up benefits of self-hosting include:**

- Manage your platform with full control in your own cloud or hardware
- Be in control of your technical and organizational measures
- Fully customizable platform
- Self-hosters can get commercial technical support with an SLA
- Highest possible security, if implemented accordingly

## Which option to choose?

In conclusion, while both deployment options have their respective advantages, the **self-hosted alternative will most likely only benefit companies that aim to fulfill some very specific requirements**. Should your organization lack an internal staff with in-depth IT knowledge, the serious dangers of faulty implementation are most likely not worth risking. Accordingly, **the advantages of SaaS outweigh those of self-hosted options for most organizations** and are therefore generally the recommended path to take. Should you be on the fence regarding your choice, we created **this chart as a guide**:

<div className="dark:hidden">
  ![](/blog/2022-04-13-saas-vs-self-hosted-01-light.png)
</div>
<div className="hidden dark:block">
  ![](/blog/2022-04-13-saas-vs-self-hosted-01-dark.png)
</div>

## The Takeaway

Whether SaaS or self-hosting is the better choice for your organization, ZITADEL ensures **the best possible deployment experience** with its flexible pricing options, generous range of features, guaranteed high security and unlimited identities for all options.

Should you have questions regarding SaaS, self-hosting or any other related (or unrelated) topics, feel free to contact us anytime on our ZITADEL [Discord Server](https://zitadel.com/chat). Alternatively, you can reach us on our [Twitter](https://twitter.com/zitadel), [Linkedin](https://www.linkedin.com/company/zitadel/) or [Github](https://github.com/zitadel/zitadel) pages or on our [Website](https://zitadel.com/contact).

If you like the project, don&apos;t forget to [give us a star over on GitHub](https://github.com/zitadel/zitadel/stargazers). Thanks for the support.


We discuss our Software as a Service (SaaS) deployment option alongside our self-hosted alternative to help you find the right implementation for your business.

SaaS vs Self-hosted – How to Choose the Right Deployment Option


## Definition of serverless

When people talk about serverless it is oftentimes not clear what they mean exactly. So let&apos;s begin with shining a light on what we think of when we talk about serverless.

For us, serverless is the possibility to run ZITADEL without the need to manage the underlying computing, networking and storage.

From our perspective there are two options we would classify as serverless: Firstly, function as a service (FaaS) offerings and secondly container as a service (CaaS) or you can call the latter serverless containers. Some serverless containers are run on top of managed Kubernetes offerings with the help of Knative.

## Why we think serverless is a thing

Since our early days we committed ourselves to containers and Kubernetes to run and deploy ZITADEL. Be it with customers or our public cloud offering. In the last few months three points, which needed to be addressed, did come to our attention because we asked ourselves how we could reduce our operation expenses while still being able to scale.

### Easier global scaling

As mentioned earlier, we run ZITADEL distributed across the globe to give our customers the best latency available. But with the rising need for new points of presence, we experienced that the management (updating, scaling, …) of multiple Kubernetes clusters gets quite annoying. Not even taking into account that we also needed to deploy our observability toolings and ZITADEL at scale as well.

### Easier deployment for developers

Many of our users did ask us, if it is possible to run ZITADEL without Kubernetes, especially for small deployments or developers who want to run ZITADEL locally.
We totally understand that it is not feasible for many people to operate Kubernetes. Even with platforms like Ranchers k3s and kubeadm, alongside the hyperscalers offerings from Google&apos;s GKE over Amazon&apos;s EKS to Microsoft's AKS.

### Kubernetes compatibility

While we want to provide alternatives to Kubernetes usage we still want our customers to have the option of running ZITADEL on their existing clusters.

With those three points in mind we set off to create a solution that can improve the way somebody can run and scale ZITADEL to new heights.

## How we are (working on) harnessing serverless

Although we are not yet running our production with a serverless service, we have been testing one for many months with our internal environments. We chose to thoroughly test Google's serverless containers offering which is compatible with Knative which is called “Google Cloud Run”. This, because it allowed us to address all of the three goals which triggered this journey.

**Scaling**: We can deploy ZITADEL across the globe (> 26 Regions) with a few lines of Terraform within mere minutes

**Deployment**: We can run a dedicated ZITADEL with little fixed cost with “Google Cloud Run” and “CockroachDB Cloud serverless” offering

**Compatibility**: While being fully serverless, ZITADEL still stays completely compatible with Kubernetes

Customers that wish to self-host ZITADEL can either choose to leverage the Google Cloud Run setup, as we use it in our cloud service, or use any of the alternatives, namely running on any CNCF-compliant Kubernetes or even as binary.

## The challenges

To make ZITADEL run great on serverless offerings we needed to address some challenges.

**Scheduled Tasks:** Some of the processes of an IAM happen on a scheduled basis and we need a way to address this without relying on an external system. So as of today we recommend keeping at least one instance of ZITADEL running. With Cloud Run this can be easily solved by setting the “minimal instance” property to something like > 0.

**Async Tasks:** When ZITADEL is invoked some of the requests are run asynchronously. To cater for this it makes sense to tell the serverless platform to allow CPU usage after a request finished. With Cloud Run you can enable “always-on” CPU allocation. This allows ZITADEL to finish certain tasks. For example writing traces, calculating read models and so on.

## The gains

**Observability:** Although not serverless specific, the integration of Cloud Run in Google's observability stack is impressive. For example out of the box opentracing works and provides the traces from the load balancer towards ZITADEL.

**Scaling:** Cloud Run allows you to scale horizontally (more containers) and/or vertical (more CPU/Memory) in combination with the cloud load balancer it even allows to create multiple deployments in parallel to even further scale either inside or across multiple regions.

**Worldwide:** As already mentioned with a few lines of Terraform it is possible to run ZITADEL across multiple regions with ease. All of this without the need to manage the deployment target.

**Testing:** Cloud Run already allows A/B testing where a percentage of requests are steered towards a newer version. While this is useful we use this feature in conjunction with the load balancers capabilities to route certain domains to a specific release.

**Cost:** Even though ZITADEL is configured to be always running with at least one container, Cloud Run makes for a cost effective solution. This is because the initial cost of running a new datacenter is relatively low (less than $60 per region).

## What will improve with ZITADEL v2

As you might be aware, [we are currently working on a major update of ZITADEL](/blog/six-ways-zitadel-will-improve-2022). Some of that work is specifically geared towards improving ZITADEL for serverless containers as well as the option to run it locally without any containers as self-contained binary.

With the release of v2 we will add support for the following features:

- Serverless Deployment to Google Cloud Run
- Support for [CockroachDB serverless](https://www.cockroachlabs.com/get-started-cockroachdb/) DB

To improve the life of developers who want to run a local ZITADEL we also release the following improvements

- Self-Contained Binary so that ZITADEL works without running in a container
- Additional CPU Architectures (ARM64)
- Additional OS support (MacOS, Windows)

## When is v2 due to release

The initial release of v2 is just around the corner and is aimed towards the end of April - early May.

If you are interested in participating in our early adopter program and the new pricing, [please send us a message](/contact).

## What&apos;s next

We will soon publish the new pricing and some more blogs and information about the v2 of ZITADEL on our website that we will also link in this section. So stay tuned.

If you want to catch us live you will find us at the following events in the near future:

- [Swiss Cyber Security Days](https://swisscybersecuritydays.ch/), April 6./7. 2022, Fribourg, Switzerland
- [Deutscher Startup Pokal](https://www.eventbrite.de/e/deutscher-startup-pokal-digitales-2-halbfinale-security-tickets-164279774227), April 7. 2022, Online
- [Cloud Native Computing Switzerland](https://www.meetup.com/Cloud-Native-Computing-Switzerland/events/279925165/), May 12 2022, Zurich, Switzerland

Of course if you want to get in touch, feel free to [contact us](/contact) or join [our chat](/chat).


With the rise of serverless and our need to scale, we wanted to explore the possibilities and values that modern serverless platform provides.

A serverless future


## Description

The ZITADEL team gives an overview of what happend over the last months and what our roadmap for 2022. This is a highlight video from a [livestream](https://youtu.be/IyJrAf9JOJc) on February 24, 2022.

We will talk about Actions, Personal Access Tokens, E2E Testing, SAML2.0, and of course our rehaul of our cloud offering "V2" - and many more topics.

<br />
<div className="my-4">
  <YouTubeExtended
    videoId={"3Cu_on1GzGY"}
    containerClassName={"youtube-container"}
    stopsTitle="Topics covered"
    stopList={[
      { name: "General Updates", time: "0:15" },
      { name: "Personal Access Tokens (and Demo)", time: "1:15" },
      { name: "ZITADEL Actions (and Demo)", time: "3:24" },
      { name: "Query Side / Event sourcing", time: "4:26" },
      { name: "Issues: User Register Flow", time: "5:20" },
      { name: "Issues: Global Organization", time: "7:10" },
      { name: "End-to-End testing", time: "8:24" },
      { name: "Roadmap: V2 of ZITADEL", time: "9:40" },
      { name: "Roadmap: Developing ZITADEL / Community", time: "13:49" },
      { name: "Roadmap: UI overhaul of Console", time: "14:38" },
      { name: "Roadmap: SAML2.0", time: "16:39" },
      { name: "Roadmap: Reporting", time: "17:41" },
      { name: "Roadmap: Login providers", time: "18:09" },
    ]}
  ></YouTubeExtended>
</div>

## References

- Watch the [full recording](https://youtu.be/IyJrAf9JOJc) of the livestream
- Explore our [roadmap](https://zitadel.com/roadmap)
- More about our plans for 2022 in our Blog ["6 New ways ZITADEL IAM will improve in the year 2022"](/blog/six-ways-zitadel-will-improve-2022)
- Read about ["New Personal Access Tokens (PAT): A game changer for Service Users"](/blog/new-personal-access-token)
- Our blog about ["SAML vs OIDC: Which Protocol is Best for Your Organization?"](/blog/saml-vs-oidc)
- Find a link to the new [Rust SDK](https://zitadel.com/docs/sdk-examples/introduction#libraries)
- Track the progress of the initial release of [ZITADEL CLI](https://github.com/zitadel/zitadel/issues/3182)


Meet the team behind ZITADEL. We share what we have done over the last months and our plans for 2022. Highlights from our livestream on Feb 24, 2022.

Blog.