
You shouldn't create your own authentication system - nguyenkims
https://simplelogin.io/blog/do-not-create-own-auth-system/
======
stephenr
This is that weird combination of spam, and completely misleading information.

~~~
nguyenkims
Could you elaborate more please?

~~~
stephenr
It’s a company site for an external authentication system, advising people to
use an external authentication system, and grossly overstating the effort
involved to do it internally.

Their claims about the required knowledge to use bcrypt password hashing,
one-use tokens and of all things - sending fucking emails - are flat-out
deception.

Essentially “It’s way too complex to do X yourself, you should use a third
party service. Oh hey we happen to provide X. Give us teh moneys plz”

~~~
nguyenkims
Actually saying that it's easy to implement your own authentication system is
more dangerous, especially to people who haven't worked long enough on the
topic.

The article also mentioned MFA and WebAuthn, which not all people are familiar
with. More importantly, I think the main point is it's better to not spend too
much time on the authentication and concentrate on the main business instead.

From my own experiences, sending emails _correctly_ is not that easy. And
using services like mailchimp or sendgrid isn't enough.

IMO it's normal that a company does marketing on its own blog as long as it's
not over-exaggerating.

~~~
stephenr
Every language I know has an easy-to-use wrapper/functionality for strong
password hashing.

The pricing model of this business means there’s a likely 50/50 chance of it
closing in ~12 months because not enough customers choose the paid option.

It _is_ normal to promote yourself on the company blog. It’s not normal to
submit that as “news”.
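As an added illustration of the two pieces this exchange argues about (strong password hashing and one-use tokens), here is what the "wrapper in every language" looks like in Python's standard library. This is example code, not code from the linked post or from either commenter; it assumes scrypt via `hashlib` in place of the bcrypt the thread names, and an in-memory dict as the token store.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption for this example: scrypt from the standard library stands in for
# bcrypt (a third-party module). Parameters are stored with the hash so they
# can be raised later without invalidating existing records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB of memory per hash
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt or secrets.token_bytes(16)      # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except (ValueError, TypeError):
        return False                             # malformed record, never a match
    return hmac.compare_digest(candidate, expected)


class OneTimeTokenStore:
    """Single-use, expiring tokens (e.g. password reset or email verification).

    Only a hash of the token is kept, so a leaked store does not yield usable
    tokens. `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (user_id, expires_at); constructed in-memory store

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._tokens[key] = (user_id, self._clock() + self._ttl)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Return the user_id for a valid token and burn it; None otherwise."""
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._tokens.pop(key, None)      # pop: a token is honoured at most once
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None                          # expired tokens are dropped, not reused
        return user_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong", record))                          # False
    store = OneTimeTokenStore(ttl_seconds=900)
    t = store.issue("alice")
    print(store.consume(t), store.consume(t))                        # alice None
```

The two details a home-grown version most often gets wrong are visible here: the comparison is `hmac.compare_digest`, not `==`, and the token is removed from the store before its expiry is checked, so neither a replay nor a late request can succeed.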

~~~
nguyenkims
> The pricing model of this business means there’s a likely 50/50 chance of it
> closing in ~12 months because not enough customers choose the paid option.

I think we went too far from the initial point. Nevertheless the cost of such
service is low enough that it can be maintained easily, even without a
significant revenue number.

> It’s not normal to submit that as “news”.

It depends on the definition of news I guess. The article brings another point
of view, though debatable. The promotion happens only at the end, in a
reasonable way.

> Every language I know has an easy-to-use wrapper/functionality for strong
> password hashing.

Again the password hashing is just an aspect of an authentication system.

~~~
stephenr
Your business model is part of why I think it’s bad advice: every third party
service used is an operational liability. The less standardised the
integration, the harder it is to swap to a competitor if required. The more
standardised the integration, the easier it is.

To use your email argument earlier: if a company doesn’t want to handle its
own mail servers (which is a common choice these days) the cost of moving
between vendors can be pretty low. A few DNS records and some
config/environment vars, and voila. It’s very possible to do it with zero
downtime.

~~~
nguyenkims
I’m not sure I follow your points. The technology is based on the oauth2/openid
standard, which would allow developers to switch quite easily.

The business model is subscription based which is pretty standard.

Sending email is not just about a "clean" IP address or going through a third
party provider. For example, some email clients can display the emails
differently, so one needs to take this into account.

Anyway, I don’t think the discussion will lead to anything. Again, the article
represents a point of view that some will not agree with, and I totally
understand.

