Darin Cassler, Author at Strive Consulting, LLC. All Rights Reserved.

Practical Microservices: User Authentication

Unless you’re explicitly in the identity management or security industry – you probably shouldn’t bother building your own user management tools.

We’ve seen a growing interest in microservice architecture from our clients over the past few years. Likewise, we find ourselves recommending a microservice approach for an ever-expanding list of use cases. Seeing this shift as an opportunity, a number of vendors have launched products and services that seek to bootstrap development in a microservice context.

The benefits of a microservice approach are myriad. Today, I’d like to talk about one of those benefits that product managers ought to consider – the flexibility to let third-party services fill in your requirements. We’ll examine a typical development roadmap for user management support and compare it to using a service such as Okta or Auth0 to fill those needs.

Common Requirements

Let’s say you’re the product owner tasked with planning the roadmap for a new product. As usual, a user management feature is among the epics. For a fairly straightforward user management workflow, your team might be given base requirements approximately along these lines.

  • Safely store and manage a list of users.
  • Administrative tooling to manage and edit that user list.
  • Access control and/or user roles.
  • Secure method for storing password data (salted, slow hashing; never plaintext or reversible encryption).
  • Reliable method of generating new passwords and reset credentials.
  • Enforcement of password complexity rules.
  • Credential reset workflow via email / SMS / push notifications.
  • Regulatory compliance (HIPAA, KYC).
  • Login forms / authentication workflows.
  • SSO not included (budget).
  • 2FA not included (budget).
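To make concrete how much work hides behind just three of those bullets (password storage, generating reset credentials, and the reset workflow), here is an added example in Python using only the standard library. It is not code from the original post or from Strive; the scrypt cost parameters, the `scrypt$N$r$p$salt$key` record format and the function names are assumptions chosen for illustration. It shows the minimum that a “secure method for storing password data” requirement actually implies: a per-user random salt, a deliberately slow key derivation, constant-time comparison, a way to raise the cost parameters later without locking users out, and reset tokens that are stored only as digests.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example, not code from the original post or from Strive.
# scrypt cost parameters. These are assumed, illustrative values chosen so the
# example runs quickly; a production deployment tunes them to its hardware
# budget. N must be a power of two, and scrypt needs roughly 128 * N * r bytes.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Derive a storable record of the form scrypt$N$r$p$salt$key.

    A fresh random salt per user means identical passwords never produce
    identical records, and the cost parameters travel with the record so
    they can be raised later without breaking existing users.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         maxmem=SCRYPT_MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare
    in constant time, so response timing does not leak how much of the key
    matched. Malformed records are rejected rather than raising."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = _unb64(salt_b64), _unb64(key_b64)
        if not salt or len(expected) < 16:
            return False
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r,
                                p=p, maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current cost policy. Callers rehash
    on the next successful login, the only moment the plaintext is available."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def issue_reset_token():
    """Return (token, digest): send the token to the user, store only the
    digest. A leaked database then contains nothing that completes a reset."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def redeem_reset_token(token: str, stored_digest: str) -> bool:
    """Constant-time check of a presented token against the stored digest."""
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

None of this covers lockout, breached-password checks, expiry of reset tokens, audit logging or the administrative UI, and every line of it is something the team must keep correct for the life of the product. That is the maintenance burden the next section describes.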

Some Shaky Deliverables

An experienced scrum master or product owner may already be feeling uneasy. Here we have a set of base requirements that – depending on team size and capability – can eat up large portions of your timeline. What may have felt like a simple ask becomes weeks or months of work. And if all goes well, you are left with these burdens:

  • Security and maintenance overhead for all of the above.
  • Liability for all of the above, including potential civil and legal liability.
  • Reputational and fiduciary risks from all of the above.
  • Limited ability to evaluate the actuarial risk of the above.
  • Inconsistent user experience.
  • Lower conversion rates as a result.
  • Increased developer costs.

Oh, and don’t forget that users need to learn the nuances of your system… and that’s a great way to shed users before they ever become active.

Tweet from @_jayphelps: "It should be illegal to prevent pasting into a password input field."
Don’t set yourself up for this kind of user feedback.

A Practical Alternative

Unless you’re explicitly in the identity management or security industry – or your application architecture prohibits it – you probably shouldn’t be building your own user management tools. As I mentioned at the top, it may be better to forgo all of this and instead implement a low-code solution from a third party.

Enter Auth0

In March of 2021, Okta announced they would acquire Auth0 for $6.5 billion – expanding their suite of enterprise identity tools. At its core, Auth0 calls itself “a user authentication and authorization platform”. It provides an extensive set of functionality that allows you to integrate with hundreds of identity and access management providers. What’s more, Auth0 offers an excellent set of SDKs and developer APIs which make integrating all these features into your app dead simple.

“Simple documentation about how to integrate – 15-minutes and we were up and running with a proof of concept.”

It’s true, I can testify from personal experience. When I first tried working with Auth0 – I was able to establish a new account, skim the documentation, integrate with Strive’s internal directory and implement full user support in a React application without breaking a sweat. It was just as straightforward to do this in iOS with Swift and in Spring Boot. In just an afternoon I was able to put together prototypes on all three of these platforms.

Just think about that for a moment. There’s a version of this timeline where an entire scrum team takes multiple sprints to implement user management for a single platform. With Auth0 it took about 45 minutes!

Building A Business Case

At this point, you may already have a clear picture of the business case for using a provider like Auth0 rather than rolling your own user management. We understand that it can be difficult to gain support from fellow stakeholders for even the strongest ideas. With that in mind, here are a few bullet points you can steal:

  • Faster time to market
  • Reduced cost of development
  • Reduced complexity of development
  • Reduced fixed operating overhead
  • Reduced likelihood of defects / liability therein
  • Increased user registration / conversion

Wrapping Up

Ultimately this is about creating as much value as possible from limited resources. Engineering work is expensive, and developers are a finite resource. Since software companies often live and die by the efficacy of their developers, it’s critical that you allocate their efforts effectively.

Based on decades of combined experience serving startups, Fortune 500 companies and everywhere in between, Strive believes that user authentication is a solved problem. Rather than dedicate resources to re-solve it, we find that it’s often wisest to stand on the shoulders of giants. Standing there still leaves you responsible for the integration: each service must validate the provider’s tokens (issuer, audience, expiry and signing key) correctly, and the provider’s availability becomes part of your own.

Categories: Technology Enablement, Thought Leadership