Thee shall not buildeth an authentication system


Sambit Basu

TL/DR

The most important piece of information a site holds about its users is the users’ login credentials. It is the doorkeeper for everything else inside. Building and maintaining an authentication module is a time-consuming, high-effort undertaking. There are many good solutions for outsourcing this task.

Long Hand

If you have been around the tech scene as long as I have, you have seen the (g)olden days of the internet, which some call ‘Wild West of Internet’ and others ‘the Age of Innocence’. I think both are true.

The Pitch

My first startup experience was to build an authentication system. Since then, I have built quite a few authentication systems in my career, more than I would have liked. Over the years, things have changed and matured. It definitely became more secure, but way more complex. For example, the first authentication system I built used a naive transpose map for storing passwords in the database. In a transpose map, you shift each character by a certain number. For example, if your shift quotient is 4, A becomes D, B becomes E, … X becomes A etc. Even for that time, it was too naive. But we never got compromised. It was a miracle, but also a sign of the time.

Fast forward another 20 years, my team was building another authentication system. There we used the Jasypt library with Bouncy Castle: a sophisticated digest algorithm, a unique salt for each password, and thousands of iterations of digesting. The basic premise was that sooner or later the system would be compromised. Hence we designed it so that cracking the passwords becomes computationally expensive, thereby minimizing the breadth of impacted accounts.
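To make the contrast between the two eras concrete, here is an added example in Python (not the post's own code, and not the Java/Jasypt/Bouncy Castle stack it describes). The first pair of functions is the shift map from the previous section: whatever the database stores can be turned back into the plaintext password by anyone who knows the shift. The second pair is the modern shape: PBKDF2-HMAC-SHA256 from the standard library, a random 16-byte salt per user, an iteration count stored alongside the digest so it can be raised later, and a constant-time comparison on verification. The record format, the default iteration count and the function names are my assumptions for the illustration.

```python
import hashlib
import hmac
import os

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_encode(password: str, shift: int = 4) -> str:
    """The 'transpose map' from the post: each upper-case letter moves
    `shift` places along the alphabet; other characters pass through.
    This is reversible, so the stored value reveals the password."""
    out = []
    for ch in password:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decode(stored: str, shift: int = 4) -> str:
    """Undoing the map is as cheap as applying it: shift the other way."""
    return shift_encode(stored, -shift)


# Assumed default; tune the cost to your hardware and current guidance
# for PBKDF2-HMAC-SHA256. The value is stored in the record, so it can
# be raised for new and re-hashed passwords without breaking old ones.
DEFAULT_ITERATIONS = 600_000


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated digest. Record layout (assumed for this example):
    algorithm$iterations$salt_hex$digest_hex"""
    salt = os.urandom(16)  # unique per password, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes match."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    stored = shift_encode("SECRET")
    print("shift map stores:", stored, "-> recovers:", shift_decode(stored))
    rec = make_record("correct horse", iterations=2000)
    print("record:", rec)
    print("verify right:", verify("correct horse", rec))
    print("verify wrong:", verify("wrong horse", rec))
```

Two properties are worth noticing when you run it. Hashing the same password twice gives two different records because the salt differs, which is what stops an attacker from precomputing one table for every account. And the cost is asymmetric by design: a legitimate login pays the iteration cost once, while a guess against a leaked table pays it for every candidate.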

Today, when I build authentication systems, I do not go to all this trouble. I use a third-party cloud authentication service, e.g. Firebase from Google. There are many advantages, for a small cost, often free:

  1. With just a configuration change you can add other OAuth provider logins (aka ‘social logins’).
  2. The service is used by millions, if not billions, of users. Hence scaling is not an issue. Chances are extremely high that your implementation will never reach (or need to reach) that level of scale.
  3. Because it is used by so many users, it is thoroughly field-tested to be robust and secure.
  4. You can never match the engineering bandwidth these providers can dedicate to solving this problem.
  5. Because their turn-around time has to match a published SLA, these providers will be much quicker at fixing any vulnerability that is detected in the field.
  6. It will be much faster to integrate than to build.
  7. Overall, it will be much cheaper than building and maintaining in-house.

Conclusion

There is no reason to build a custom authentication system for your app. If you have one that you have already built, it is better to throw it away (sunk cost) and join the bandwagon of apps that use a third-party authentication service. You will sleep much better.