Methodology
Last updated June 2026.
Every vendor profile is scored against the same published 10-dimension capability matrix, each dimension rated 0 to 5. We publish the matrix openly so you can see exactly what we scored and weigh it against your own priorities.
What we score
- Authentication: Password, passwordless, passkeys, biometrics, and adaptive/risk signals.
- SSO & Federation: SAML, OIDC, social login, and cross-domain federation breadth.
- Authorization: RBAC, ABAC, ReBAC/FGA, and policy decisioning depth.
- Lifecycle & Provisioning: Self-service, SCIM, joiner-mover-leaver automation.
- MFA & Passwordless: Factor range, phishing resistance, and enrollment/recovery.
- Governance & Audit: Access reviews, certifications, separation of duties, audit logs.
- Developer Experience: SDKs, APIs, documentation, and quickstarts.
- Deployment Flexibility: SaaS, self-hosted, hybrid, and data-residency options.
- Pricing Transparency: How clear, predictable, and public the pricing is.
- Support & Ecosystem: Support quality, integrations, and community/partner depth.
How we source it
Scores are the community team's independent assessment, drawn from vendor and product documentation, public pricing, standards and analyst material, hands-on experience where we have it, and input from practitioners in the community. They are informed opinions, not statements of fact, and they reflect the typical buyer rather than every edge case.
We take no vendor sponsorship and accept no payment to add, rank, change, or remove a profile. See the disclaimer for the full picture on sourcing and accuracy.
Dating and confidence
Every profile carries an author byline, the date it was last evaluated, a next-review date, and a confidence level (high, medium, or low) that reflects how much evidence sits behind the assessment. We re-review on a rolling, best-effort cadence and when something material changes.
Suggesting a correction
Markets move fast and we get details wrong sometimes. If you spot an inaccuracy, email [email protected] with a source where possible. Sourced corrections from practitioners go to the front of the queue.