Back to Blog
internal-tools security operations

Why most companies don't want to create a new login system for a small internal tool

Building a custom login system for an internal tool creates ongoing maintenance, security risk, and a parallel user directory. Here's why most teams avoid it.

G
GoodTaco Team
|

In short:

  • A custom login system creates a parallel user directory that duplicates what your identity provider already handles — adding ongoing work for onboarding, offboarding, and access management.
  • Authentication carries real security risk that’s easy to underestimate — password storage, session management, MFA, and attack prevention all become your responsibility.
  • The simplest path is using your existing identity provider so access control, auditing, and security policies carry over automatically without turning a small tool into a full auth project.

 

When someone builds a small internal tool, the first version is usually simple. It might be a form that creates a Jira ticket, a lightweight interface for field reps to log notes in Salesforce, or a fast way to capture operational data without clicking through a full SaaS UI.

At that stage, the tool often works fine. Then the next question comes up: “How do we let the team use it?”

That’s where many projects slow down, because “letting the team use it” quickly turns into “we need login.” And most companies don’t want to create a new login system for something small and internal.

A new login system is rarely the actual goal

For an internal tool, the job is usually straightforward: make one workflow faster or more consistent. The login screen isn’t part of that value. It’s just a requirement that shows up once you try to share the tool with real users.

If the tool is meant for employees, contractors, or specific partners, the expectation is simple: people should sign in with the account they already use at work. Anything else feels like extra friction for users and extra maintenance for the company.

The first problem is user management

The moment you create a separate login system, you’ve created a parallel user directory. Even if it starts with ten users, it tends to grow into a steady stream of small tasks:

  • Adding new hires
  • Removing people who leave
  • Updating access when roles change
  • Handling password resets
  • Deciding what “admin” means
  • Keeping track of who has access to what

Most companies already have a system that solves this: Google Workspace, Azure AD, Okta, or something similar. It’s already tied to HR processes. It’s already the source of truth for who works at the company. Creating a second system is usually a step backward.

The second problem is security risk

Authentication is one of those areas where “good enough” is rarely good enough. It’s not just about checking a password. You also end up owning a set of security decisions that can be easy to underestimate:

  • How passwords are stored
  • How sessions expire
  • How reset links work and how long they’re valid
  • How multi-factor authentication is handled (or not handled)
  • How to prevent common attacks (credential stuffing, brute force attempts, session hijacking)
  • How to log access and detect suspicious behavior

If a small internal tool touches business systems or customer data, the company doesn’t want security to depend on a custom login system that was built quickly and rarely revisited.

The hidden trap

This is one reason internal tools often end up stuck. The tool itself is simple, but the security bar for accessing it is not.

The third problem is access control and permissions

Once you have login, the next question is usually, “Who should be allowed to do what?”

Internal tools are often role-based. A field rep might only need to submit information. A manager might need reporting. An admin might need configuration.

If you build your own auth system, you also have to build the permission model around it. Even if the permission model is basic, it adds design work, testing, and long-term upkeep. Then you need a way to change permissions later without redeploying every time someone needs access.

Companies generally prefer to use their existing directory groups for this: “everyone in Sales,” “Ops Supervisors,” “Engineering Managers,” and so on. Those groups are already maintained and audited in the identity provider.

The fourth problem is ongoing maintenance that doesn’t feel worth it

A small internal tool is often meant to be lightweight. It might even be a “mini app” that solves a problem for one team, and maybe it gets replaced later. Or it might be used regularly, but still doesn’t justify a lot of operational overhead.

A custom login system creates a maintenance obligation that doesn’t scale down nicely. You can’t half-maintain authentication. It has to keep working, stay secure, and handle edge cases, even if the tool itself is small.

If something breaks, it’s usually urgent, because it blocks a team from doing work. And the person who built the internal tool often becomes the default owner of login issues too, whether or not they want that responsibility.

The better default: use the identity system you already have

This is why most companies prefer internal tools to use existing authentication through the company’s identity provider. It keeps the user experience straightforward and keeps the ownership model clean:

  • People sign in with their work account
  • Access can be tied to existing groups and roles
  • Onboarding and offboarding automatically apply
  • Security policies like MFA can carry over
  • Auditing and access logs stay centralized

From an IT and operations perspective, it’s less about convenience and more about risk reduction and consistency.

How this shapes deployment choices

This is also where “general hosting” versus “internal tool deployment” starts to look different.

Platforms like Vercel, Railway, and similar tools are great at hosting apps, but they generally assume you’re handling authentication and access control yourself. You can absolutely integrate Google or Azure login, and you can wire up role-based access, but it becomes part of your build and deployment work.

For teams building small internal tools, that’s often the turning point. They don’t want to spend their time becoming experts in auth flows and security edge cases just to ship a simple workflow improvement.

That’s one of the reasons tools like GoodTaco exist. The goal is to make internal app sharing and authentication the default, not an extra project you have to bolt on after the app is built.

Takeaway

Most companies don’t want a new login system for a small internal tool because it creates ongoing work and ongoing risk. It introduces a second user directory, adds security responsibilities that are easy to underestimate, and forces you to solve permissions and access management from scratch.

For internal tools, the simplest and most practical approach is usually the same one people already expect: use the company’s existing identity provider, keep access controlled, and avoid turning a small workflow improvement into a full authentication project.

Get Started

Ready to build faster?

Start building internal tools in minutes, not months. Free to start.

Start Building Free