How would you implement authentication if you'd build a new SaaS app in 2024?
Joep van den Bogaert
17 replies
There are several services out there that facilitate authentication. Is there any one you'd recommend? Or would you implement yourself (with some open source framework)?
Curious to learn how you would approach auth in 2024 and what the most important trade-offs are.
Replies
Vincent Delitz@vdelitz
Corbado
I would look for something passwordless for sure, preferably with passkeys (biased opinion).
Share
Launching soon!
Hey there! When it comes to authentication for a new SaaS app in 2024, I'd personally opt for a combination of industry-trusted services like Auth0 alongside custom implementation using open source frameworks like OAuth or JWT. It's all about balancing security, user experience, and scalability! Happy coding!
@thestarkster Thanks Gurkaran. Can you give some examples of what you would build custom if you already use a service like Auth0?
@jopie I'm not against third party authentication services, the only thing is that you have an extra point of failure. Your product will face downtime whenever the auth service is down. Migrating between auth services is time consuming. It's easy to set to auth using external services but if you can spend some time building a custom solution while keeping the best security practices in mind would prove to be better. You would have the complete control over the user data that you store, and how you authenticate your users. And it's cheaper in long run (hosting a redis server isnt too expensive) or you could use JWT if you don't want to keep the track of user sessions, that is the cheapest option.
@zignis Yeah makes sense. I'm now using custom JWT and it is certainly doable and not even much work to maintain. But there is the risk that a lot needs to be added for larger clients for example. In that sense it seems easier to scale with a service. Ofc also becomes expensive then, but not sure how it relates to implementing stuff like 2FA and SSO yourself. Can imagine the engineering hours start adding up then as well.
Hi Joep, I'm actually about to code it for my 1st indie product. I'm thinking of generating a unique hash (uuid) which will be sent to the user via e-mail at the time of registration. They'll need to use that unique URL to edit features.
This suits best for my current needs.
@andreiciulinaru So like a magic link type of login? Or is that an id you keep throughout the lifetime of the user? Normally you would use JWT for something like that I'd say, right?
@jopie It's an ID I will keep for the user's lifetime as you said. I don't have anything sensitive in the app requiring me to think of more advanced ways. Alternatively, I would implement a 'sign in with google / sign in with twitter ' oauth option if I needed more security.
But I am new to this too so don't mark my words :D
@andreiciulinaru Cool, yeah if it's okay that anyone with that link can access the app, then it seems fine. Always great if you can keep things simple!
Let's connect on LinkedIn
https://www.linkedin.com/in/jayd...
CodeSealer is a leading cybersecurity company specializing in advanced web security solutions designed to protect online applications and sensitive data from cyber threats. Utilizing cutting-edge technology, [CodeSealer](https://codesealer.com/) offers robust protection against a wide range of attacks, including phishing, man-in-the-middle, and other sophisticated exploits. Its innovative approach focuses on real-time monitoring and adaptive security measures, ensuring that web applications remain secure without compromising performance. CodeSealer's products are trusted by financial institutions, e-commerce platforms, and various enterprises worldwide, reflecting its reputation for reliability and excellence.