Why you shouldn't create your own authentication system

Nguyen Kim Son - Sep 13 '19 - - Dev Community

Implementing correctly an authentication system is hard.

If you start creating your website/application now, please use a third party authentication. Third party authentication can be social login (e.g. the ubiquitous Login with Facebook button) or identity management tools like Auth0 or Okta.

It's not just about storing username/password in the database. In a standard web application, an authentication system needs to:

  • store password hash instead of password in cleartext. And each user should have their own salt. And the hash function should be expensive to compute. For all this, you would need a very good understanding on Rainbow tables, Bcrypt, Hash algorithms and salts.
  • have email verification and reset-password features. For that you might need to generate and store a temporary, short-lived token that is used to activate an account or to reset password. And this is the simple part. Making sure that your email doesn't fall into the Spam folder is much harder.

On the front-end side, the app needs to have a decent UI: a login form that at least validates the email and password, a sign-up form, a reset-password form. Not to mention modern authentication expects support for MFA and soon (hopefully) WebAuthn.

More importantly, your users don't want to go through a lengthy registration process and create yet another username/password. Without a proper password manager (which probably 99% users don't use), they tend to reuse the same password which is bad in terms of security!

So why choosing the hard path and face the risk of password leaks, database hackings and above all, inferior user experience? Of course some applications need to have their own authentication system (banking app is an example but that's also changing with PSD2) but they are rather minority.

So which 3rd-party verification should my app use?

This really depends on your app. If getting user's Facebook feed can be a big plus to your app, then you should probably go with Login with Facebook. If having access to user's Twitter feed is valuable, then Login with Twitter is more appropriate. If your app only requires user basic information like email, name, avatar picture then I would suggest Login with SimpleLogin, a developer-friendly login solution. Disclaimer: I happen to be SimpleLogin co-founder so this advice is obviously subjective 😅.

We should all stop requiring users to choose a username and password. There are better alternatives.

Please let username/password rest in peace ⚰️.

Image
You can hire a hacker and recover all your stolen digital currency or cryptocurrency without upfront fee

bitcoin, cryptocurrency, recovery, blockchain
Image
Deploying a Node.js project to Netlify
Image
Implementing Unit of Work Pattern in EF Core

programming, dotnet, efcore, database
Image
How to Effortlessly Integrate JFrog Artifactory with Packer for Seamless Docker Image Management
Image
Easily Test your Local RTB Scripts on Production Without Deploying
Image
useCallback

webdev, frontend, react
Image
Formatting and Linting Your Python Codes with GitHub Actions
Image
Integrating Real-Time Speech Translation API with Python
Image
Accelerating Open Source Impact: Harnessing the Power of Cloud Development
Image
Watch Sheila Thompson leak Video trending
Image
Introduction to custom Babel plugins

webdev, javascript, programming, babel
Image
A Critical Look at AWS Lambda Extensions: Pros, Cons, and Recommended Use Cases
Image
Top Android App Development Courses to Enroll in This Year
Image
Getting Started with Express.js: Build Your First Web Server in Minutes!
Image
Dafnekeen video leak , anne hathaway
Image
Why Local Date and Time Matter
Image
Boost Your Brand with Digital Marketing Agency in Derby
Image
Apple Unveils Exciting New Products: Apple Watch Series 10, AirPods 4, and iPhone 16
Image
Key Tools for GIS Software Development
. . . . . . . .
Terabox Video Player