0x01E - Auth as a Service 🛡️

Auth as a Service
Or Managed Authentication, AaaS
- Full-stack developers
- CTOs/VP R&Ds with architecture decision-making
TL;DR:
- Problem: Authentication is hard to implement quickly (and correctly).
- Solution: Get an out-of-the-box Auth solution.
- In Sum: Tons of players here, but costs and vendor lock-in are big concerns.

How does it work?💡
Integration is mostly configuration: you drop the vendor's SDK or wrapper component into your frontend, set a handful of environment variables (client ID, client secret, issuer URL), register your redirect/callback URLs in their dashboard, and you're good to go. The provider handles the rest for you (registration, forgot password, MFA, all the SSO integrations enterprise customers ask for, etc.). One thing it does not take off your plate: your backend still has to validate the tokens that come back (signature, issuer, audience, expiry) before trusting them.
What’s new?
- WebAuthn - a standard to allow passwordless logins (physical keys and biometrics), which most providers already support by now and allow you to add it as a login option.
- Many Auth as a Service providers add the ability to manage users and permissions from their dashboard. Some also ship a user-facing admin UI so your customers can manage their own users (members, roles, invites) without involving you.
- I’ll dive deeper into this later, but some providers also tackle machine-to-machine authentication and authorization.
- Some players even integrate billing/payments - when a user signs up via the AaaS they can also add a billing method and pay for your product via the AaaS. Especially useful for usage-based pricing as it "abstracts away" a layer of complexity for you by attaching the main user identity (that "uses" the product) to the billing information.
Questions ❔
- Is this a trend? Definitely. Many new players are fighting each other in this space, and more and more developers understand they can’t just “roll their own” auth. My hunch is that most players are eating away from Auth0 after their security incidents. Pricing plays a big role too. The push of WebAuthn is also a force in this trend.
Why? 🤔
- Time to market: Plugging in a full-featured auth service can slash your time to market. Especially for security-conscious buyers, which brings us to point number 2:
- Compliance: Most of these services give you a big head start with everything compliance-related (as you essentially get standardization for SOC2 and the likes faster and with less effort).
- Enterprise users: Having SSO/MFA… out of the box makes your software much more “enterprise-ready”.
Why not? 🙅
- Pricing: The pricing varies from service to service, but expect to pay more than you’d pay running your own auth (assuming your auth works perfectly and requires no maintenance). Heads up: Some vendors don’t even post pricing. Double-check before committing.
- Vendor lock-in: Your user store (accounts, password hashes, MFA enrollments, SSO connections) lives with the vendor. Migrating out means checking whether they will export password hashes in a format you can actually import elsewhere, and rewriting every integration point. Plan the exit before you sign.
- Security incidents: Some providers (looking at you, Auth0) have had issues. With this kind of product, that can be a dealbreaker. Google around and see how they handled it before diving in.
Tools & players 🛠️
- Kinde - generous pricing auth as a service.
- Descope - focused on passwordless auth.
- WorkOS - enterprise-oriented Auth as a Service.
- Stytch - a bit more focused on fraud prevention.
- Supertokens - an open source auth provider.
- Clerk - yet another Auth as a Service (had a security incident but DX is great).
- Frontegg - focused on user management.
- AWS Cognito - AWS's Auth as a Service (pricing is good, but weaker DX).
- GCP Identity Platform - same as Cognito, for GCP.
- AWS Amplify - has some auth pre-built.
- Auth.js - previously NextAuth.js.
- Better-Auth - yet another open source auth.
- Eartho - auth integrated with payments.
- Supabase Auth - kind of makes you doubly-locked into the Supabase world.
- Firebase Authentication - same as Supabase, you’re stuck in one ecosystem.
- Auth0 - cost and security incidents didn't even prompt me to research more.
- Keycloak - an open-source IAM tool for modern applications with SSO and LDAP support.
- Okta - enterprise-grade IAM with MFA, SSO, and extensive integrations (has also had a security incident).
- Web3 Auths - Privy, Dynamic, Web3 Auth.
- (Update) Hanko - dev-first, with reasonable pricing.
- (Update) FusionAuth - includes also some security addons.
- (Update) Corbado - passkey-first authentication with integration to major frameworks.
Forecast 🧞
- Cloud provider DX: Cloud providers will probably double down on improving the DevEx of their Auth as a Service solutions since most integration pain comes from there. That’s what the players in the field are betting on. I would prefer Cognito if AWS wasn’t such a UI/UX mess.
- Acquisitions: I think some big security players and cloud providers will probably buy some of the companies I listed - it just makes sense, especially if they are making a shift-left move (i.e. trying to get closer to developers).
- More Granular Authentication Features: I expect to see more specialized features tailored to specific industries. Think healthcare-compliant solutions, fintech-grade security, or even solutions that cater to tiny niche markets like IoT devices with specialized auth flows.
Extra ✨
Additional information that is related:
- Notable mention: PocketBase - an open-source backend as a service with built-in auth.
- Lucia - open source auth, was recently deprecated.
Thanks 🙏
I wanted to thank Tom Granot (who edits every issue, and owns a technical content consultancy for deep-tech startups), and Elie for the last-minute review (creator of Inbox Zero and "Learn from open source", highly recommended!).
EOF
(Where I tend to share unrelated things).
I started using sst.dev and I love it, if you deal with AWS, I think you should check it out (not sponsored).