Why you shouldn't create your own authentication system

September 13, 2019 · written by Son Nguyen Kim

Implementing an authentication system correctly is hard.

If you are starting a website/application now, please use third-party authentication. Third-party authentication can be social login (e.g. the ubiquitous Login with Facebook button) or an identity management service like Auth0 or Okta.

It’s not just about storing the username/password in the database. In a standard web application, an authentication system needs to do much more. On the front-end side alone, the app needs a decent UI: a login form that at least validates the email and password, a sign-up form, and a reset-password form. Not to mention that modern authentication is expected to support MFA and, soon (hopefully), WebAuthn.
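To make concrete how much care even the "simple" server-side part takes, here is an added example of the minimum you would have to get right just to store passwords and handle reset tokens yourself. It is not code from the original post or from SimpleLogin; the scrypt work factors, the in-memory user store and the 15-minute token lifetime are assumptions chosen for illustration, using only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# scrypt work factors (constructed choices for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a random per-user salt. The record is self-describing so the
    work factors can be raised later without invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a throwaway random password, verified whenever the e-mail is unknown, so that
# "no such user" and "wrong password" take the same time (no user enumeration via timing).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def sign_up(self, email: str, password: str) -> bool:
        email = email.strip().lower()
        if email in self._users or len(password) < 8:
            return False
        self._users[email] = {"pw": hash_password(password), "reset": None}
        return True

    def log_in(self, email: str, password: str) -> bool:
        user = self._users.get(email.strip().lower())
        record = user["pw"] if user else _DUMMY_RECORD
        ok = verify_password(password, record)  # always runs the KDF once
        return ok and user is not None

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Return the one-time token to e-mail to the user; only its hash is stored,
        so a leaked database does not hand out live reset links."""
        user = self._users.get(email.strip().lower())
        if user is None:
            return None  # the UI still says "check your inbox" to avoid enumeration
        token = secrets.token_urlsafe(32)
        user["reset"] = {
            "digest": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
        }
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        user = self._users.get(email.strip().lower())
        if user is None or user["reset"] is None or len(new_password) < 8:
            return False
        pending = user["reset"]
        current = now if now is not None else time.time()
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if current > pending["expires"] or not hmac.compare_digest(presented, pending["digest"]):
            return False
        user["pw"] = hash_password(new_password)
        user["reset"] = None  # single use
        return True
```

Even this skeleton has no rate limiting, no account lockout, no e-mail verification, no session management and no MFA, which is the author's point: each of those is another place to get wrong.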

More importantly, your users don’t want to go through a lengthy registration process and create yet another username/password. Without a proper password manager (which probably 99% of users don’t use), they tend to reuse the same password across sites, which is bad for security: one breached site exposes their account on yours too.

So why choose the hard path and face the risk of password leaks, database hacking and, above all, an inferior user experience? Some applications do need their own authentication system (banking apps are one example, though that is also changing with PSD2), but they are a minority.


So which 3rd-party authentication should my app use?

This depends on your app. If getting a user’s Facebook feed would be a big plus for your app, then you should probably go with Login with Facebook. If having access to a user’s Twitter feed is valuable, then Login with Twitter is more appropriate. If your app only requires basic user information like email, name and avatar picture, then Sign in with SimpleLogin is probably the easiest choice.

We should all stop requiring users to choose a username and password. There are better alternatives.

Please let username/password rest in peace ⚰️.