logoalt Hacker News

whalesaladtoday at 4:12 PM5 repliesview on HN

Auth is not hard to roll yourself. Crypto: don't do it. Auth? Easy peasy.


Replies

mooredstoday at 4:28 PM

Oh man, it really depends(tm). If you are building a small internal app, sure, but you'd often still be better off leveraging a social provider or employee directory.

I work in the auth space (for FusionAuth) and we run into plenty of folks that started out rolling auth themselves. Just username and password right? A bit of hashing, salting and leveraging a built-in crypto library.

But then you need to add account recovery. And then MFA. And then registration. And then progressive registration. And then webhook integration. And then passkeys. And then SAML integration. And the delegated SAML setup. And then and then and then.

You're distracted from your core application by feature requests for your login system.

You have lots of options nowadays. Use a library provided by your framework (Rails, Spring, and Django have them), use a tool like Better Auth, use a third party system like FusionAuth or Auth0. But don't build undifferentiated functionality that impacts your user experience.

PS Of course, where I stand depends on where I sit, but I firmly believe that you should not build an auth system the same way you should not build a database.

show 1 reply
sandeepkdtoday at 4:38 PM

Unfortunately its a common misconception, it feels easy, however auth is a lot more harder to do it right, specially when it comes to recovery. A simple example, protocol like TOTP (time based OTP) uses the concept of shared secret and almost every implementation stores the secret as it is in their databases

show 1 reply
niccetoday at 4:27 PM

Rolling auth by yourself is very messy. Storing tokens correctly, rotating and using correct tokens, with correct parameters and so on. Endless footguns.

show 1 reply
djfobbztoday at 4:44 PM

Correct! As a Ruby dev, I started using rodauth and never looked back! https://rodauth.jeremyevans.net/

esafaktoday at 5:13 PM

Authentication or authorization? Why do people keep conflating them?

show 1 reply