• Subscribe
  • How would you implement authentication if you'd build a new SaaS app in 2024?

    Joep van den Bogaert
    17 replies
    There are several services out there that facilitate authentication. Is there any one you'd recommend? Or would you implement yourself (with some open source framework)? Curious to learn how you would approach auth in 2024 and what the most important trade-offs are.

    Replies

    Vincent Delitz
    I would look for something passwordless for sure, preferably with passkeys (biased opinion).
    Share
    Joep van den Bogaert
    @vdelitz I see where the bias comes from 😉 but it does seem like very good UX indeed!
    Share
    Gurkaran Singh
    Hey there! When it comes to authentication for a new SaaS app in 2024, I'd personally opt for a combination of industry-trusted services like Auth0 alongside custom implementation using open source frameworks like OAuth or JWT. It's all about balancing security, user experience, and scalability! Happy coding!
    Share
    Joep van den Bogaert
    @thestarkster Thanks Gurkaran. Can you give some examples of what you would build custom if you already use a service like Auth0?
    Gaurav
    I'd use a session based approach using redis to store the user sessions and revoke them on demand. For hashing the password, I'd go with argon2(id) without a second thought
    Share
    Joep van den Bogaert
    @zignis So build everything custom huh? Just to save costs or any other considerations for that?
    Gaurav
    @jopie I've never been comfortable using third party services for authentication. If things are built in-house you have more control and less ways to leak info/mess up sensitive user data.
    Joep van den Bogaert
    @zignis Interesting, that's contradictory that what I often read. Many say use an established, dedicated server for this, so that you're sure it's secure. I have also built simple auth in my product myself, but am not sure what I'd do if I had to choose again.
    Gaurav
    @jopie I'm not against third party authentication services, the only thing is that you have an extra point of failure. Your product will face downtime whenever the auth service is down. Migrating between auth services is time consuming. It's easy to set to auth using external services but if you can spend some time building a custom solution while keeping the best security practices in mind would prove to be better. You would have the complete control over the user data that you store, and how you authenticate your users. And it's cheaper in long run (hosting a redis server isnt too expensive) or you could use JWT if you don't want to keep the track of user sessions, that is the cheapest option.
    Share
    Joep van den Bogaert
    @zignis Yeah makes sense. I'm now using custom JWT and it is certainly doable and not even much work to maintain. But there is the risk that a lot needs to be added for larger clients for example. In that sense it seems easier to scale with a service. Ofc also becomes expensive then, but not sure how it relates to implementing stuff like 2FA and SSO yourself. Can imagine the engineering hours start adding up then as well.
    Andrei Ciulinaru
    Hi Joep, I'm actually about to code it for my 1st indie product. I'm thinking of generating a unique hash (uuid) which will be sent to the user via e-mail at the time of registration. They'll need to use that unique URL to edit features. This suits best for my current needs.
    Share
    Joep van den Bogaert
    @andreiciulinaru So like a magic link type of login? Or is that an id you keep throughout the lifetime of the user? Normally you would use JWT for something like that I'd say, right?
    Andrei Ciulinaru
    @jopie It's an ID I will keep for the user's lifetime as you said. I don't have anything sensitive in the app requiring me to think of more advanced ways. Alternatively, I would implement a 'sign in with google / sign in with twitter ' oauth option if I needed more security. But I am new to this too so don't mark my words :D
    Joep van den Bogaert
    @andreiciulinaru Cool, yeah if it's okay that anyone with that link can access the app, then it seems fine. Always great if you can keep things simple!
    Hales Stokes
    CodeSealer is a leading cybersecurity company specializing in advanced web security solutions designed to protect online applications and sensitive data from cyber threats. Utilizing cutting-edge technology, [CodeSealer](https://codesealer.com/) offers robust protection against a wide range of attacks, including phishing, man-in-the-middle, and other sophisticated exploits. Its innovative approach focuses on real-time monitoring and adaptive security measures, ensuring that web applications remain secure without compromising performance. CodeSealer's products are trusted by financial institutions, e-commerce platforms, and various enterprises worldwide, reflecting its reputation for reliability and excellence.