What to ship: policy modes of disabled, optional, required-for-admins, required-for-all. Enforce server-side on every login. Surface a clear admin UI. For high-assurance contexts, require step-up to AAL2 (per NIST 800-63B Rev 4) for sensitive actions like billing changes or API key creation.
Honest tradeoff: users complain. The customer admins who set "required-for-all" eat the support load, which is why this should be configurable, not blanket.
3. Use Argon2id for Password Hashing
If you still store passwords, hash them with Argon2id, not bcrypt or PBKDF2. OWASP ASVS V5 names Argon2id as the preferred algorithm, with bcrypt as the acceptable legacy option. The parameters that pass an audit in 2026 are roughly: 19 MB memory, 2 iterations, 1 degree of parallelism (the OWASP cheat sheet has the exact numbers; tune for your hardware).
Honest tradeoff: bcrypt is still acceptable. Migrating an existing hash table to Argon2id is a rehash-on-next-login pattern that takes one quarter of a sprint. If you have less critical work, do it; if you are mid-deal-close, ship the deal first and migrate after.
4. Account Lockout and Exponential Backoff
Account lockout protects against online brute force. The pattern that passes audit is: 5 to 10 failed attempts in a rolling window, exponential backoff (1s, 4s, 16s, lockout), CAPTCHA fallback after lockout, automatic unlock after a fixed window (commonly 15 to 60 minutes). Permanently locking accounts creates a different problem (denial of service against legitimate users), so almost no one does permanent lockout in B2B SaaS anymore.
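The lockout-and-backoff pattern above, as an added Python example that is not code from the original article. It keeps a per-account failure history in a rolling window, delays retries on the 1s/4s/16s schedule, locks the account for a fixed period on the fifth failure, never locks permanently, and requires a CAPTCHA once the lockout expires while the failure history is still fresh. The window, lockout and attempt-count values are constructed defaults inside the bands the text quotes, and the clock is injectable so the behaviour can be exercised without sleeping.

```python
import time
from dataclasses import dataclass, field

# Policy values (constructed defaults inside the bands the article quotes).
MAX_FAILURES = 5                   # failures inside the window that trigger lockout
WINDOW_SECONDS = 60 * 60           # rolling window in which failures are counted
LOCKOUT_SECONDS = 15 * 60          # timed lockout; it always expires, never permanent
BACKOFF_SCHEDULE = (0, 1, 4, 16)   # delay after the 1st, 2nd, 3rd, 4th failure; the 5th locks


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # lockout expiry, 0 when not locked
    retry_after: float = 0.0                      # earliest time the next attempt is accepted


class LoginThrottle:
    """Per-account throttle: exponential backoff, then a timed lockout with CAPTCHA fallback.

    `clock` is injectable so the logic can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def _state(self, username):
        return self.accounts.setdefault(username.lower(), AccountState())

    def _recent_failures(self, st, now):
        return [t for t in st.failures if now - t < WINDOW_SECONDS]

    def check(self, username):
        """Call before verifying the password. Says whether to accept the attempt at all."""
        now = self.clock()
        st = self._state(username)
        if now < st.locked_until:
            return {"allowed": False, "reason": "locked", "wait": st.locked_until - now, "captcha": False}
        if now < st.retry_after:
            return {"allowed": False, "reason": "backoff", "wait": st.retry_after - now, "captcha": False}
        # Lockout expired but the failure history is still inside the window:
        # accept the attempt only behind a CAPTCHA.
        captcha = len(self._recent_failures(st, now)) >= MAX_FAILURES
        return {"allowed": True, "reason": "ok", "wait": 0.0, "captcha": captcha}

    def record_failure(self, username):
        """Call after a failed password or MFA check."""
        now = self.clock()
        st = self._state(username)
        st.failures = self._recent_failures(st, now) + [now]
        n = len(st.failures)
        if n >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.retry_after = st.locked_until
            return {"locked": True, "unlock_at": st.locked_until}
        delay = BACKOFF_SCHEDULE[min(n, len(BACKOFF_SCHEDULE)) - 1]
        st.retry_after = now + delay
        return {"locked": False, "retry_after": st.retry_after}

    def record_success(self, username):
        """A successful login clears the failure history."""
        self.accounts.pop(username.lower(), None)
```

Wire `check()` in front of the password verifier and `record_failure()` / `record_success()` behind it; the `wait` value maps directly onto a `Retry-After` header, and the `captcha` flag is what the CAPTCHA-fallback step keys on.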
5. Rate Limit Every Authentication Endpoint
Rate limit by IP, by username, and by tenant. Auth endpoints under attack see traffic spikes of 100x normal or more, which look nothing like organic user load. OWASP ASVS V5 names this as a required control at Level 1.
What to ship: sliding window limiters in front of /login, /register, /forgot-password, /reset-password, /verify-email, /oauth/token, and any device code endpoint. Keep limits tight (10 to 30 attempts per minute per IP per username is normal). Log every block.
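A sliding-window limiter that applies the three key classes above (IP, IP plus username, tenant) and logs every block, added here as an example; it is not code from the article. The per-key limits are constructed defaults inside the 10 to 30 per minute band, and the tenant ceiling is an assumed value. A request is admitted only when every applicable key is under its limit, and blocked requests still count, so hammering a blocked key never frees it up early.

```python
import time
from collections import deque

# Per-key-class limits as (max_requests, window_seconds). Constructed defaults within
# the article's "10 to 30 per minute" band; the tenant ceiling is an assumed value.
LIMITS = {
    "ip": (30, 60),
    "ip+user": (10, 60),
    "tenant": (300, 60),
}


class SlidingWindowLimiter:
    """Sliding-window limiter keyed by IP, by IP+username, and by tenant."""

    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.hits = {}          # (kind, ident) -> deque of request timestamps
        self.block_log = []     # one structured record per rejected request

    def _window(self, kind, ident, now):
        _, window = self.limits[kind]
        q = self.hits.setdefault((kind, ident), deque())
        while q and now - q[0] >= window:   # evict timestamps that left the window
            q.popleft()
        return q

    def check(self, endpoint, ip, tenant, username=None):
        """Decide one request. Returns {"allowed", "blocked_by", "retry_after"}."""
        now = self.clock()
        keys = [("ip", ip), ("tenant", tenant)]
        if username:
            keys.append(("ip+user", f"{ip}|{username.lower()}"))

        blocked_by, retry_after, windows = None, 0.0, []
        for kind, ident in keys:
            q = self._window(kind, ident, now)
            limit, window = self.limits[kind]
            if blocked_by is None and len(q) >= limit:
                blocked_by = kind
                retry_after = window - (now - q[0])   # when the oldest hit leaves the window
            windows.append(q)
        for q in windows:          # count the request against every key, allowed or not
            q.append(now)

        if blocked_by is not None:
            self.block_log.append({
                "ts": now, "endpoint": endpoint, "tenant": tenant, "ip": ip,
                "username": username, "blocked_by": blocked_by,
                "retry_after": round(retry_after, 3),
            })
            return {"allowed": False, "blocked_by": blocked_by, "retry_after": retry_after}
        return {"allowed": True, "blocked_by": None, "retry_after": 0.0}
```

In production the deques live in a shared store (Redis sorted sets are the usual choice) so the limit holds across instances; the decision logic is the same. The `block_log` entries are the structured records to ship to the SIEM.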
6. SAML 2.0 / OIDC SSO for Enterprise Tenants
Single sign-on via SAML 2.0 or OIDC is non-negotiable for enterprise customers. The G2 B2B SaaS Buyer Report 2024 found that more than 80% of deals above $100,000 ARR now require SSO as a hard procurement gate, and the Okta Businesses at Work Report 2024 measured the average enterprise running 93 SaaS apps with SSO required for the high-value ones.
What to ship: native SAML 2.0 with Okta, Microsoft Entra ID, Google Workspace, OneLogin, and Ping Identity. OIDC for newer IdPs. Just-in-time (JIT) provisioning on first login. Audit log every assertion. If you do not want to own the SAML protocol surface yourself, our B2B SSO providers guide compares the managed brokers that handle this for you.
Honest tradeoff: SAML is heavy to own end to end. Teams below 30 enterprise customers can usually hand-roll it; above that, a managed broker pays for itself in cert rotation alone.
7. SCIM 2.0 Provisioning and Deprovisioning
SCIM 2.0 closes the loop between the IdP and your app. When IT deprovisions a user in Okta, SCIM tells your app to deactivate the matching user within minutes, not at the next manual review. SOC 2 CC6.3 requires "logical access removal upon termination," and SCIM is how enterprises actually evidence it. The IBM Cost of a Data Breach Report 2024 measured insider-driven incidents at $4.99 million average cost, and dormant accounts are how most of those happen.
What to ship: SCIM 2.0 endpoints (/Users, /Groups) with full CRUD plus PATCH support. Map active: false to immediate deactivation. Audit log every SCIM event. The SCIM 2.0 directory sync product page lists the operational details if you want a benchmark.
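The `active: false` handling above, as an added Python example rather than code from the article or from any SCIM product: a PATCH `/Users/{id}` handler that applies SCIM 2.0 PatchOp operations, maps `active: false` to immediate deactivation with session revocation, and writes an audit record for every change. The in-memory store and audit list are constructed for the example; the schema URNs are the ones RFC 7644 defines. The handler also accepts `"True"`/`"False"` strings for `active`, which some IdPs send in place of JSON booleans.

```python
from datetime import datetime, timezone

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE_ATTRS = {"active", "userName", "displayName"}   # attributes the IdP may change here


def _scim_error(status, detail, scim_type="invalidValue"):
    return status, {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


def _to_bool(value):
    """Some IdPs send `active` as the strings "True"/"False" rather than JSON booleans."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"active must be boolean, got {value!r}")


class ScimUserStore:
    """In-memory user store plus audit log, constructed for this example."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.users = {}
        self.audit = []

    def add(self, user_id, user_name, tenant_id, sessions=()):
        self.users[user_id] = {"id": user_id, "userName": user_name, "active": True,
                               "tenant": tenant_id, "sessions": list(sessions)}

    def _audit(self, event, user, **extra):
        self.audit.append({"ts": self.clock().isoformat(), "actor": "scim",
                           "tenant": user["tenant"], "user_id": user["id"],
                           "event": event, **extra})

    def _set_active(self, user, active):
        if user["active"] == active:
            return
        user["active"] = active
        if not active:
            revoked = len(user["sessions"])
            user["sessions"].clear()    # kill live sessions now, not at the next review
            self._audit("scim.user.deactivated", user, sessions_revoked=revoked)
        else:
            self._audit("scim.user.reactivated", user)

    def patch_user(self, user_id, body):
        """Handle PATCH /Users/{id}. Returns (http_status, response_body)."""
        if body.get("schemas") != [SCIM_PATCH_SCHEMA]:
            return _scim_error(400, "missing PatchOp schema", "invalidSyntax")
        user = self.users.get(user_id)
        if user is None:
            return _scim_error(404, f"user {user_id} not found")
        for op in body.get("Operations", []):
            name = str(op.get("op", "")).lower()
            if name not in ("replace", "add"):
                return _scim_error(400, f"unsupported op {name!r}")
            path, value = op.get("path"), op.get("value")
            # Without a path the value is an object of attribute -> value; with a path it is one attribute.
            updates = {path: value} if path else (value if isinstance(value, dict) else None)
            if updates is None:
                return _scim_error(400, "value must be an object when no path is given", "invalidSyntax")
            for attr, val in updates.items():
                if attr not in MUTABLE_ATTRS:
                    return _scim_error(400, f"attribute {attr!r} is not patchable here")
                if attr == "active":
                    try:
                        self._set_active(user, _to_bool(val))
                    except ValueError as exc:
                        return _scim_error(400, str(exc))
                else:
                    user[attr] = val
                    self._audit("scim.user.updated", user, attribute=attr)
        return 200, {k: v for k, v in user.items() if k not in ("sessions", "tenant")}
```

The example stops at the PATCH path; a full endpoint also serves GET with filtering, POST, PUT and DELETE, and authenticates the IdP with a per-tenant bearer token.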
8. Short-Lived JWTs with Refresh Token Rotation
Access tokens should live 15 to 60 minutes, refresh tokens 1 to 30 days with one-time-use rotation. Reuse detection (the server sees the same refresh token twice) revokes the entire token family. This pattern, described in the OAuth 2.0 Security Best Current Practice, is the standard answer in 2026.
What to ship: short access tokens, rotating refresh tokens, atomic token-pair updates in the client, reuse detection on the server, family revocation on suspicion.
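The server side of refresh token rotation with reuse detection and family revocation, as an added Python example that is not code from the article. Refresh tokens are stored as SHA-256 digests so a database leak yields nothing usable, every token belongs to a family that starts at login, a token can be exchanged exactly once, and a second presentation of the same token revokes the whole family. The `access` value is a plain claims dict standing in for the signed JWT, and the lifetimes are constructed values inside the bands the text gives.

```python
import hashlib
import secrets
import time
from typing import Optional

ACCESS_TTL = 15 * 60            # seconds; inside the article's 15-60 minute band
REFRESH_TTL = 7 * 24 * 3600     # seconds; inside the 1-30 day band


class RefreshTokenStore:
    """One-time-use refresh tokens grouped into families, with reuse detection."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}             # sha256(refresh token) -> record
        self.revoked_families = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_pair(self, user_id, family: Optional[str] = None):
        """Mint an access/refresh pair. A fresh login starts a new family."""
        now = self.clock()
        family = family or secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        self.records[self._digest(refresh)] = {
            "family": family, "user": user_id, "expires": now + REFRESH_TTL, "used": False,
        }
        access = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}   # stand-in for a signed JWT
        return {"access": access, "refresh": refresh, "family": family}

    def rotate(self, presented):
        """Exchange a refresh token for a new pair; the presented token is burned."""
        now = self.clock()
        rec = self.records.get(self._digest(presented))
        if rec is None:
            return {"ok": False, "error": "invalid_token"}
        if rec["family"] in self.revoked_families:
            return {"ok": False, "error": "family_revoked"}
        if rec["used"]:
            # Second sighting of a burned token: either the client lost the race after a
            # rotation or a stolen token is being replayed. Both end the same way, the
            # whole family is revoked and the user has to log in again.
            self.revoked_families.add(rec["family"])
            return {"ok": False, "error": "reuse_detected", "revoked_family": rec["family"]}
        if now >= rec["expires"]:
            return {"ok": False, "error": "expired"}
        rec["used"] = True
        return {"ok": True, **self.issue_pair(rec["user"], rec["family"])}

    def revoke_family(self, family):
        """Manual revocation hook, e.g. from an anomaly alert or an admin action."""
        self.revoked_families.add(family)
```

The client side of the same contract is the atomic token-pair update the text mentions: store the new access and refresh tokens together, or not at all, so a crash between the two writes does not leave the client holding a burned token.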
9. Sign and Algorithm-Pin Every Token
Reject every JWT whose header alg field does not match what your validator expects. Libraries that accept alg=none are a CVE family older than half my career, and it keeps coming back when teams switch frameworks. The OWASP Authentication Cheat Sheet treats algorithm validation as the first check in any JWT validation pipeline.
What to ship: allow-list of algorithms (RS256, ES256, EdDSA) at the validator level. Hard-reject none, HS256 when you expect asymmetric, and any unexpected variant. Fetch public keys from JWKS endpoints with caching and short refresh intervals. Validate iss, aud, exp, nbf, iat on every token.
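The validation order above (algorithm allow-list, key binding, signature, then iss/aud/exp/nbf/iat) as an added Python example; it is not code from the article and uses no JWT library. The asymmetric signature check is passed in as a `verify(alg, key_material, signing_input, signature)` callback so the example runs offline; in a real service that callback wraps an RSA, ECDSA or EdDSA verifier and `keys` is the cached JWKS keyed by `kid`. The point the code makes is that the callback is only ever reached with an allow-listed algorithm that matches the algorithm the key was published for, so alg=none and HS256-against-a-public-key never get as far as a signature check.

```python
import base64
import json
import time

ALLOWED_ALGS = {"RS256", "ES256", "EdDSA"}   # asymmetric only; "none" and HS* never pass


class JWTError(Exception):
    pass


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_jwt(token, keys, verify, issuer, audience, clock=time.time, leeway=30):
    """Algorithm check first, then key binding, then signature, then claims.

    `keys` maps kid -> {"alg": ..., "material": ...} as cached from the JWKS endpoint.
    `verify(alg, material, signing_input, signature)` is the asymmetric verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JWTError("unparseable header") from exc

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                     # rejects "none", "HS256", anything unexpected
        raise JWTError(f"algorithm not allowed: {alg!r}")
    key = keys.get(header.get("kid"))
    if key is None:
        raise JWTError("unknown kid")
    if key["alg"] != alg:                           # blocks key confusion between algorithms
        raise JWTError("alg does not match the key's algorithm")
    if not verify(alg, key["material"], f"{h_b64}.{p_b64}".encode(), _b64url_decode(s_b64)):
        raise JWTError("signature verification failed")

    claims = json.loads(_b64url_decode(p_b64))
    now = clock()
    for required in ("iss", "aud", "exp", "iat"):
        if required not in claims:
            raise JWTError(f"missing claim {required}")
    if claims["iss"] != issuer:
        raise JWTError("issuer mismatch")
    aud = claims["aud"]
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTError("audience mismatch")
    if now >= claims["exp"] + leeway:
        raise JWTError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise JWTError("token not yet valid")
    if claims["iat"] > now + leeway:
        raise JWTError("token issued in the future")
    return claims


def check_token(token, keys, verify, issuer, audience, clock=time.time):
    """Non-raising wrapper: {"ok": True, "claims": ...} or {"ok": False, "error": ...}."""
    try:
        return {"ok": True, "claims": validate_jwt(token, keys, verify, issuer, audience, clock)}
    except JWTError as exc:
        return {"ok": False, "error": str(exc)}


def build_token(header, claims, signature=b""):
    """Assemble a compact JWT from its parts (used here to construct sample tokens)."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])
```

The `keys` dict is refreshed from the JWKS endpoint on a short interval and on an unknown `kid`, with a cap on refresh frequency so an attacker cannot turn unknown-kid tokens into a flood of JWKS fetches.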
10. Secure Session Cookies
Session cookies must be HttpOnly, Secure, SameSite=Strict (or Lax only when cross-site forms are explicitly needed). The cookie name should start with __Host-, a prefix browsers only honour when the cookie is Secure, has Path=/ and carries no Domain attribute, which enforces that it was set over HTTPS and cannot be scoped to a parent domain. Most modern frameworks default to most of these; the failure mode is teams overriding the defaults without thinking through the implications.
11. Session Timeout and Absolute Lifetime
Idle session timeout: 30 to 60 minutes for normal contexts, 5 to 15 minutes for high-assurance tenants. Absolute session lifetime: 8 to 24 hours, after which a re-authentication is required regardless of activity. NIST 800-63B Revision 4 sets the timeline bands for AAL2 contexts.
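The cookie attributes from item 10 and the idle/absolute lifetimes from item 11, together in one added Python example that is not code from the article. It issues a `__Host-` session cookie with the required attributes, lints an arbitrary Set-Cookie value against them, and keeps a session store in which the idle timeout slides on every request while the absolute lifetime never does. The normal and high-assurance lifetime values are constructed defaults inside the bands the text gives; the store is in-memory for the example.

```python
import secrets
import time
from dataclasses import dataclass

COOKIE_NAME = "__Host-session"
DEFAULT_POLICY = {"idle": 30 * 60, "absolute": 8 * 3600}          # normal tenants
HIGH_ASSURANCE_POLICY = {"idle": 10 * 60, "absolute": 4 * 3600}   # tighter band (assumed values)


def session_cookie_header(session_id, max_age):
    """Set-Cookie value satisfying the __Host- prefix rules: Secure, Path=/, no Domain."""
    return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={max_age}"


def cookie_problems(set_cookie):
    """Lint a Set-Cookie value against the attributes the article requires; [] means clean."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        problems.append("SameSite must be Strict or Lax")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must set Path=/")
    else:
        problems.append("name should start with __Host-")
    return problems


@dataclass
class Session:
    id: str
    user: str
    tenant: str
    created: float
    last_seen: float
    idle: int        # seconds of inactivity before the session dies
    absolute: int    # seconds since login after which re-authentication is required


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}

    def create(self, user, tenant, policy=DEFAULT_POLICY):
        """Start a session and return (session_id, Set-Cookie value)."""
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user, tenant, now, now, policy["idle"], policy["absolute"])
        return sid, session_cookie_header(sid, policy["absolute"])

    def touch(self, sid):
        """Call on every request. The idle timeout slides; the absolute lifetime never does."""
        now = self.clock()
        s = self.sessions.get(sid)
        if s is None:
            return {"valid": False, "reason": "unknown_session"}
        if now - s.created >= s.absolute:
            del self.sessions[sid]
            return {"valid": False, "reason": "absolute_lifetime_exceeded"}
        if now - s.last_seen >= s.idle:
            del self.sessions[sid]
            return {"valid": False, "reason": "idle_timeout"}
        s.last_seen = now
        return {"valid": True, "reason": "ok", "user": s.user}
```

Selecting `HIGH_ASSURANCE_POLICY` per tenant is the per-tenant override the FAQ below recommends; the cookie's `Max-Age` is set to the absolute lifetime so the browser drops it at the same point the server would.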
12. Audit Log Every Authentication Event
Every login, every failed login, every password reset, every MFA challenge, every SCIM event, every privileged action. Enterprise procurement asks for export to S3 or to their SIEM. SOC 2 CC7.3 evidence requires this. The G2 B2B SaaS Buyer Report 2024 found that more than 80% of enterprise deals above $100,000 ARR treat SSO and audit logging as hard procurement gates.
What to ship: structured logs (JSON with stable schema), immutable retention (90 days minimum, often 1 to 7 years for regulated tenants), tenant-scoped filtering, signed export. Surface a self-serve admin UI so customers can pull their own evidence.
13. Anomaly Detection on Login Patterns
Impossible travel (two logins from different continents inside an hour). New device. New IP. Unusual time of day. Brute force from a residential proxy network. The Microsoft Digital Defense Report 2024 measured identity-based attacks at more than 600 million per day, and anomaly-driven challenges (step-up MFA, email confirmation, admin alert) are how managed identity providers blunt them.
What to ship: at minimum, impossible-travel detection and new-device email notifications. At maximum, ML-driven risk scoring with adaptive step-up. Most B2B SaaS teams ship the minimum themselves and let a managed broker handle the maximum.
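The "minimum" tier above (impossible travel plus new-device detection) as an added Python example; it is not code from the article. It scores a new login against the user's recent login history with a great-circle distance check and maps the signals to the article's responses: step-up MFA for impossible travel, a notification for a new device, allow otherwise. The speed threshold and the minimum distance that ignores geolocation jitter are assumed values; the history records and timestamps in the usage are constructed.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0     # roughly airliner speed; assumed threshold
MIN_DISTANCE_KM = 100.0       # ignore geolocation jitter inside one metro area (assumed)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(record):
    # Timestamps arrive as ISO-8601 strings, as they would from a log line.
    return datetime.fromisoformat(record["ts"])


def assess_login(history, login):
    """Score a new login against recent history.

    Each record: {"ts": ISO-8601 str, "lat": float, "lon": float, "device_id": str, "ip": str}.
    Returns the signals raised and the response the article maps them to.
    """
    signals = []
    if login["device_id"] not in {h["device_id"] for h in history}:
        signals.append("new_device")
    if login["ip"] not in {h["ip"] for h in history}:
        signals.append("new_ip")
    if history:
        last = max(history, key=_ts)
        distance = haversine_km(last["lat"], last["lon"], login["lat"], login["lon"])
        hours = (_ts(login) - _ts(last)).total_seconds() / 3600
        speed = distance / hours if hours > 0 else float("inf")
        if distance >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    if "impossible_travel" in signals:
        action = "step_up_mfa"          # challenge before the session is issued
    elif "new_device" in signals:
        action = "notify_user"          # allow, but send the new-device email
    else:
        action = "allow"
    return {"signals": signals, "action": action}
```

Geolocation comes from an IP-to-location lookup at login time; the stored history only needs the coordinates, device identifier and IP, never the raw lookup payload.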
14. Breach Detection and Forced Reset
Check user passwords against breach corpora (Have I Been Pwned's range API is the de facto answer; it never sees the full password). On match, force a reset on next login and notify the user. The Verizon DBIR 2024 keeps credential reuse from prior breaches as one of the top three initial vectors year after year; this control is the cheapest way to blunt it.
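The range-API check above, as an added Python example that is not code from the article or from Have I Been Pwned. It hashes the password with SHA-1, sends only the first five hex characters, matches the remaining 35 locally against the returned `SUFFIX:COUNT` lines, and turns a hit into a forced reset plus notification. The network call is passed in as `fetch_range(prefix)`; the `constructed_fetch_range` stand-in and its small breached-password list are constructed so the example runs offline, and the real endpoint URL is included only as a reference.

```python
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"   # real endpoint; not called here


def password_breach_count(password, fetch_range):
    """k-anonymity lookup: only the first five SHA-1 hex digits leave the server.

    `fetch_range(prefix)` returns the body of GET HIBP_RANGE_URL for that prefix,
    i.e. one "SUFFIX:COUNT" line per breached hash sharing the prefix.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 1
    return 0


def post_login_check(password, fetch_range):
    """Runs right after a successful password check, the only moment the plaintext is in hand."""
    count = password_breach_count(password, fetch_range)
    if count > 0:
        return {"force_reset_on_next_login": True, "notify_user": True, "breach_count": count}
    return {"force_reset_on_next_login": False, "notify_user": False, "breach_count": 0}


# --- Constructed stand-in for the network call, so the example runs offline ------------
_CONSTRUCTED_BREACHED = {"Summer2024!": 4171, "Passw0rd": 88210}   # invented counts


def constructed_fetch_range(prefix):
    """Fakes the HIBP range response for the constructed list above, plus a decoy line."""
    lines = ["0" * 34 + "A:1"]     # decoy suffix; real responses carry hundreds of these
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)
```

A real `fetch_range` is one HTTPS GET with a short timeout; treat a lookup failure as "unknown" and let the login proceed rather than locking users out when the API is unreachable, and run the same check at registration and password change so weak choices never land in the database.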
How Should You Sequence the 14 Best Practices on a Roadmap?
Most teams cannot ship all fourteen in one quarter, and even if they could, they should not. The sequence that survives a SOC 2 Type II audit and unblocks enterprise deals first:
- Sprint 1 (auth hygiene): Argon2id hashing, account lockout, rate limiting, secure session cookies. Cheap and audit-visible, but they open no procurement gates on their own.
- Sprint 2 (token discipline): short-lived JWT, refresh rotation with reuse detection, alg-pinned validation, JWKS fetch with caching.
- Sprint 3 (enterprise gate): SAML 2.0 SSO with at least Okta, Microsoft Entra ID, and Google Workspace; SCIM 2.0 provisioning; audit logging with export.
- Sprint 4 (MFA + passwordless): MFA policy modes, WebAuthn signup, passkey support. Enable per-tenant.
- Ongoing: anomaly detection, breach corpus checks, session lifetime tuning.
The sprint-3 bundle is where most procurement gates open. If you are weighing whether to keep building SAML and SCIM yourself or hand the broker layer off, the B2B authentication provider comparison walks the make-or-buy math against named alternatives.
A practitioner note from twenty SOC 2 audits I have sat in on: auditors care about evidence, not architecture. If your audit logging surfaces every authentication event with timestamps and tenant IDs, you can claim CC7.3 even if your underlying stack is more modest than the audit would suggest. Conversely, the most elegant WebAuthn implementation in the world will not save you if you cannot produce the audit log on demand. Build evidence first.
Frequently Asked Questions
What is the most important user authentication best practice for B2B SaaS in 2026?
If you have to pick one control to invest in first, it is enforced MFA at the policy level, not the user level. The Microsoft Digital Defense Report 2024 measured MFA blocking more than 99% of identity-based attacks when properly enforced. Most breaches happen because MFA was optional, not because MFA failed; making it server-side mandatory for high-value tenants closes the biggest gap.
Are passwords going away in 2026?
Passwords are not gone, but passwordless is the new default for greenfield B2B SaaS. WebAuthn and passkeys are mature enough that "default to passwordless, fallback to password" is what most new auth stacks ship. Existing apps usually keep passwords as a legacy option while making WebAuthn the primary path; full removal of passwords is a multi-year migration most teams do not finish.
What is the difference between MFA and passwordless authentication?
MFA combines two or more authenticators (something you know, have, or are) on top of a password. Passwordless replaces the password entirely with a cryptographic credential, usually a WebAuthn passkey or a hardware authenticator. Passwordless is strictly stronger because the most common attack vector (stolen credentials) does not exist when there are no credentials to steal.
Do I need SAML SSO or is OIDC enough?
Most enterprise customers in 2026 still ask for SAML 2.0 specifically, even though OIDC is technically the modern protocol. Microsoft Entra ID, Okta, and Google Workspace all support both, but procurement security questionnaires almost always say "SAML 2.0 SSO" by name. Plan to support both, with SAML as the protocol that wins enterprise deals and OIDC for newer IdPs and your own developer-facing flows.
How long should access tokens and session cookies last in B2B SaaS?
Access tokens (JWTs) should live 15 to 60 minutes with refresh token rotation. Session cookies should idle out at 30 to 60 minutes with an absolute lifetime of 8 to 24 hours. High-assurance tenants (financial services, healthcare) often want both bands cut in half. Make the lifetimes configurable per tenant so the customer's security policy can override your defaults.
Does SOC 2 require specific authentication controls?
SOC 2 does not prescribe specific algorithms but requires evidence that you implemented logical access controls (CC6.1), authentication (CC6.2), and access removal (CC6.3). In practice, auditors expect MFA for privileged users, password complexity or passwordless equivalents, session timeouts, audit logging (CC7.3), and SCIM-driven deprovisioning. The 14-item checklist in this article maps to all of those.
Final Thoughts
The fourteen controls above are the floor for B2B SaaS in 2026, not the ceiling. The teams I see clear enterprise security reviews on the first pass treat authentication as a product surface they own deliberately, with policy modes, audit evidence, and tenant-level configuration. The teams that struggle treat auth as plumbing the framework happens to provide.
If you are ready to add enterprise SSO without rebuilding your auth, start a 30-day free trial of SSOJet and go live in days.