How Checkr scales authentication best practices and minimizes engineering effort


business user logins handled each month

5-person team

empowered to develop new services instead of managing Identity

20 FTEs

engineering time saved in building identity vs. an home-grown solution

“We spend minimal engineering effort on Customer Identity Cloud, as opposed to the 15 to 20 full-time engineers we’d have needed to build and maintain our in-house Identity solution. This would not have been cost-effective or sustainable.”

Matt Palermo, Director of Engineering

Checkr, a high-growth tech startup, is on a mission to increase fair chance hiring – that is, enabling equal hiring opportunities for all qualified applicants, regardless of their criminal background. Background check and screening solutions inherently require a great deal of sensitive personal identifiable information (PII) about candidates. “We have to take care of that information to build trust with the candidates and build trust with our customers,” explains Checkr’s Director of Engineering, Matt Palermo.

The Checkr engineering team started small, but as they have grown, they have built on AWS and refined their security and development processes. With a goal to strengthen their end-to-end security posture, authentication became a core consideration. “Our expertise isn't authentication,” Palermo says. “We want to be proficient at it, but we don't want to split our focus between building an authentication platform and focusing on our core business at the same time.”

In sharpening this focus, Checkr identified moving beyond their homebuilt username/password solution as critical to scaling up for best practices, specifically around generating and securing tokens, and providing different types of sign-in options and enterprise connections for customers.

Finding a platform that “checks all the boxes”

While Checkr’s homegrown solution followed security best practices, the company recognized its limitations for performing at scale and found maintenance of both the solution and its supporting infrastructure too time consuming. To find a dedicated authentication provider, Checkr performed an analysis across its different requirements, such as available SAML, enterprise, and social connections, uptime and SLA guarantees, and the estimated amount of effort Checkr engineers would have to spend managing the solution. After looking at a range of options, Palermo felt that Okta Customer Identity Cloud, powered by Auth0, “checked all of our boxes.”

With this technology, Checkr has enabled a wider range of login methods for their customers depending on the size of the customer and use case. For example, smaller businesses that run a handful of background checks often use username/password or social logins via Google and Github. Mid-sized customers often authenticate via a partner, so the partner’s application is connected to Checkr. In cases where larger customers use their own Identity provider, Checkr uses a SAML connection. Customer Identity Cloud makes all these methods possible across the approximately 24,000 business user logins Checkr handles each month.

Additionally, deploying in a private cloud environment increases flexibility and security. For Checkr, the importance of data security means ensuring that their data does not get mixed in with anyone else’s data and being able to segment their data effectively. “Private Cloud gives us extra peace of mind, knowing that we are working with our own dataset, and we can have a bit more control over our SLA and uptime,” says Palermo.

Checkr has also found flexibility helpful in other areas of Customer Identity Cloud. For example, they have internal systems that they need to connect to during authentication to find out whether a user exists in more than one place or system, which they have a Rule setup to do. Another favorite feature is brute force protection, which allows Checkr to respond to anomalous activity. “We’re generally more aware of potential attacks,” Palermo observes. “We’ve definitely caught some things and were able to take action before they caused any harm.”

Focus on expertise delivers ROI

Being able to devote the majority of the engineering team’s time to developing core services that influence the bottom line means that an external authentication provider more than pays for itself. Checkr engineering effort not spent on managing Identity has been spent on developing new packages and screening services, and even creating an automated billing system that reins in manual effort and helps collect revenue more efficiently. The five-person team managing Identity internally does not need to be dedicated to it exclusively, and can contribute directly to achieving business goals.

“We don’t have to think about how to structure Identity – we connect to Customer Identity Cloud, and it just works,” Palermo explains. “We spend minimal engineering effort on it, as opposed to the 15 to 20 full-time engineers we’d have needed to build and maintain our in-house Identity solution. This would not have been cost-effective or sustainable.”

Moving forward, Checkr plans to continue leveraging Customer Identity Cloud to support their internal teams, as well as their customers.

“It’s an industry leader, anticipating both the features customers want and security we need,” says Palermo. “We really value the proactive approach to threats and providing plug-and-play solutions, so we don’t have to worry or spend a lot of time integrating. We can securely offer our customers what they need, and it will be easy for us to expand the possibilities with Customer Identity Cloud.”

About Customer

Checkr’s mission is to build a fairer future by designing technology to create opportunities for all. Its platform makes it easy for thousands of customers to hire millions of people every year. Using Checkr’s advanced background check technology, companies of all sizes can better understand the dynamics of the changing workforce, bring transparency and fairness to their hiring, and ultimately build a better future for workers.