Every vendor profile follows a fixed 30-capability matrix scored 0–5. Scores are based on hands-on testing, customer interviews, and public documentation. Each profile is dated, signed, and re-reviewed quarterly.

Capability categories

• Authentication: passwords, passwordless, passkeys, MFA breadth, biometric, SSO, social, federation.
• Authorization: RBAC, ABAC, FGA, ReBAC, policy engine.
• User lifecycle: self-signup, provisioning, deprovisioning, SCIM, progressive profiling.
• Developer experience: SDK coverage, API completeness, documentation, quickstarts.
• Enterprise readiness: SLA, support, audit logs, custom domains, data residency.
• Compliance: SOC2, ISO 27001, FedRAMP, HIPAA, PCI DSS, GDPR.

Confidence levels

Every verdict carries a confidence level (high, medium, low) reflecting how much evidence is behind the assessment.