How to write an RFP for authentication

Requirements, questions, and evaluation criteria specific to authentication procurement

Authentication solutions are the linchpin of modern cybersecurity, which makes the RFP process especially critical. A poorly chosen or poorly implemented system can lead to catastrophic breaches and operational disruptions. A detailed, targeted RFP is therefore essential to ensure the solution aligns with organizational needs and security posture.

What makes authentication RFPs different

Authentication RFPs differ significantly from other software procurements due to the high stakes involved and the intricate technical landscape. These projects often touch every application within the enterprise, requiring deep integration and careful planning to avoid "identity sprawl".

The rapid evolution of threats, from phishing to AI-driven attacks, necessitates a focus on future-proof solutions, including post-quantum cryptography and agentic AI support.

Regulatory compliance adds another layer of complexity, as authentication systems are central to meeting standards like PCI-DSS, HIPAA, and SOX. Furthermore, the user experience is paramount, as cumbersome authentication processes can lead to user frustration and circumvention of security controls. Balancing robust security with user-friendly access is a key challenge that must be addressed in the RFP.

Finally, the rise of decentralized identity and the need to govern non-human AI agents require a forward-thinking approach. Legacy systems often lack the adaptability to meet these emerging demands, making a comprehensive evaluation of vendor innovation and roadmap essential.

  • Phishing-resistant MFA: Ensure the solution provides robust protection against modern phishing techniques.
  • Adaptive, risk-based authentication: The system should dynamically adjust authentication requirements based on real-time risk assessments.
  • Identity orchestration: Look for solutions that allow for custom authentication workflows without extensive coding.
  • Post-quantum readiness: Verify the vendor's roadmap includes support for post-quantum cryptography.

RFP vs RFI vs RFQ

Here's when to use each document type when procuring authentication software.

RFI

Request for Information

Use early in your search to understand what vendors offer and narrow your list. Gather general capabilities, company background, and high-level pricing ranges.

RFP

Request for Proposal

Use when you know your requirements and want detailed vendor solutions and pricing. This is your main evaluation document for shortlisted vendors.

RFQ

Request for Quote

Use when requirements are fixed and you just need final pricing. Often used after RFP when you're ready to negotiate with finalists.

When procuring authentication solutions, an RFI is useful for initial market research and understanding vendor capabilities. An RFP is crucial for detailed technical and security evaluations, while an RFQ is generally unsuitable due to the complexity and customization required.

Technical requirements checklist

Use this checklist when defining your RFP scope.

Authentication Methods

  • Passwordless authentication (FIDO2/WebAuthn)
  • Multi-factor authentication (MFA) with various factors (hardware tokens, biometrics, push notifications)
  • Adaptive authentication based on risk factors
  • Single sign-on (SSO) support (SAML, OIDC)

Integration Capabilities

  • Integration with existing identity providers (Active Directory, Okta)
  • API integration for custom applications
  • Support for various authentication protocols (LDAP, RADIUS)
  • Integration with SIEM and EDR/XDR solutions

Security Features

  • Identity Threat Detection and Response (ITDR) capabilities
  • Fraud detection and prevention mechanisms
  • Post-quantum cryptography support
  • Agentic AI identity management

Compliance Requirements

  • Support for PCI-DSS compliance
  • Support for HIPAA compliance (if applicable)
  • SOC 2 Type II certification
  • GDPR compliance

Deployment Options

  • Cloud-based deployment
  • On-premise deployment
  • Hybrid deployment
  • Support for multi-cloud environments

Questions to include in your RFP

Architecture & Deployment

  • Describe your solution's architecture, including data storage and processing locations.
    Understanding the architecture helps assess scalability and security.
  • What deployment models do you support (cloud, on-premise, hybrid), and what are the requirements for each?
    Ensures the solution fits your infrastructure capabilities.
  • How does your solution ensure high availability and disaster recovery?
    Critical for business continuity in case of outages.
  • Describe your approach to data isolation and multi-tenancy in a cloud environment.
    Essential for maintaining data privacy and security.

Authentication Methods & Features

  • Detail your support for passwordless authentication methods (FIDO2/WebAuthn).
    Passwordless is more secure and improves user experience.
  • What MFA factors do you support (hardware tokens, biometrics, push notifications), and how are they managed?
    Provides flexibility and caters to different user preferences.
  • Describe your adaptive authentication capabilities, including risk scoring and policy enforcement.
    Allows for dynamic security based on user behavior and context.
  • How does your solution handle user self-service account recovery?
    Reduces help desk burden and improves user satisfaction.
  • Explain your approach to preventing MFA fatigue attacks.
    Mitigates a common social engineering tactic.

Integration & Compatibility

  • What pre-built integrations do you offer for common applications (e.g., Salesforce, Microsoft 365)?
    Reduces integration effort and time to value.
  • Describe your API and SDK for custom integrations.
    Allows for extending the solution to less common applications.
  • How does your solution integrate with existing identity directories (Active Directory, LDAP)?
    Ensures seamless user management and synchronization.
  • Can you provide examples of successful integrations with other security tools (SIEM, EDR)?
    Demonstrates interoperability and enhances threat detection.

Security & Compliance

  • Describe your Identity Threat Detection and Response (ITDR) capabilities.
    Essential for detecting and responding to credential-based attacks.
  • How does your solution detect and prevent lateral movement and privilege escalation?
    Mitigates the impact of compromised accounts.
  • What compliance certifications do you hold (SOC 2, ISO 27001, FedRAMP)?
    Demonstrates adherence to industry best practices.
  • Describe your approach to post-quantum cryptography and crypto-agility.
    Ensures long-term security against future threats.
  • How does your solution handle data privacy and GDPR compliance?
    Protects user data and avoids legal penalties.

Agentic AI & Future-Proofing

  • How does your solution manage and govern identities for AI agents?
    Addresses the growing need to secure non-human entities.
  • What is your roadmap for incorporating new authentication technologies and standards?
    Ensures the solution remains relevant and effective over time.
  • Describe your support for decentralized identity (DCI) and verifiable credentials.
    Provides users with greater control over their identity data.
  • How does your solution adapt to evolving threat landscapes and emerging attack vectors?
    Demonstrates a proactive approach to security.

Pricing & Licensing

  • Provide a detailed breakdown of your pricing model, including all potential costs.
    Avoids hidden fees and unexpected expenses.
  • What licensing options are available (per-user, per-device, concurrent users)?
    Ensures the licensing model aligns with your organization's needs.
  • Are there any additional costs for implementation, training, or support?
    Factors these costs into the total cost of ownership.
  • Do you offer volume discounts or special pricing for educational institutions or non-profits?
    Can significantly reduce costs for eligible organizations.
  • Explain any usage-based charges or overage fees.
    Prevents unexpected billing surprises.

Compliance and security requirements

Depending on your industry, you may need to require proof of these certifications and standards.

PCI-DSS

Required if handling payment card data. If applicable, request current PCI-DSS compliance certificate and Attestation of Compliance (AOC).

HIPAA

Required for healthcare data. If applicable, request a Business Associate Agreement (BAA) template and HIPAA compliance documentation.

SOC 2 Type II

Generally applicable to SaaS providers. If applicable, request a copy of their latest SOC 2 Type II report.

GDPR

Required if processing personal data of EU citizens. If applicable, request information on their GDPR compliance measures and data processing agreements.

FedRAMP

Required if working with US federal government data. If applicable, request their FedRAMP authorization status and documentation.

Evaluation criteria

Here is the suggested weighting for authentication RFPs.

  • Functionality Fit (25%): How well the solution meets the stated requirements.
  • Security Features (20%): The strength and breadth of security capabilities, including ITDR and post-quantum readiness.
  • Integration Capabilities (15%)
  • Total Cost of Ownership (15%): Implementation, licensing, and ongoing costs.
  • Vendor Stability and Roadmap (10%): The vendor's financial health and commitment to future innovation.
  • Deployment Flexibility (10%): Support for various deployment models (cloud, on-premise, hybrid).
  • Compliance and Certifications (5%): Possession of relevant industry certifications (SOC 2, ISO 27001).

Adjust these weights to your own priorities, for example:

  • Increase if replacing a highly customized legacy system.
  • Increase if complex integration landscape exists.

Red flags to watch

  • Vague pricing responses

    Vendors who can't provide clear pricing often have hidden costs or complex fee structures that inflate TCO.

  • No customer references in your industry

    Lack of relevant references suggests limited experience with your specific requirements and use cases.

  • Hesitation to disclose data storage locations

    Lack of transparency about data residency raises concerns about compliance and security.

  • Missing security certifications (SOC 2, ISO 27001)

    Indicates a lack of commitment to security best practices.

  • Overly aggressive sales tactics

    Pressuring you to commit before fully evaluating the solution can be a sign of a problematic vendor.

Key metrics to request

Ask vendors to provide benchmarks from similar customers.

Implementation timeline for similar customers

Helps set realistic expectations and identify potential delays.

Average time to first value

Indicates how quickly you'll see ROI from the investment.

MFA adoption rate among existing customers

Reflects user acceptance and ease of use.

Reduction in password-related help desk tickets

Demonstrates the effectiveness of passwordless or MFA solutions.

Mean time to detect (MTTD) anomalous logins

Measures the speed and accuracy of threat detection capabilities.