Practical Microservices: User Authentication
Unless you’re explicitly in the identity management or security industry – you probably shouldn’t bother building your own user management tools.
We’ve seen a growing interest in microservice architecture from our clients over the past few years. Likewise, we find ourselves recommending a microservice approach for an ever expanding list of categories. Seeing this shift as an opportunity, a number of products and services have emerged that seek to bootstrap development in a microservice context.
The benefits of a microservice approach are myriad. Today, I’d like to talk about one of those benefits that product managers ought to consider – the flexibility to let third-party services fill in your requirements. We’ll examine a typical development roadmap for user management support and compare that to using a service such as Okta or Auth0 to fill those needs.
Let’s say you’re the product owner tasked with planning the roadmap for a new product. As usual, a user management feature is among the epics. For a fairly straightforward user management workflow, your team might be given base requirements approximately along these lines.
- Safely store and manage a list of users.
- Ability to manage, edit and admin that user list.
- Access control and/or user roles.
- Secure method for storing password data.
- Reliable method of generating new passwords.
- Enforcement of password complexity rules.
- Credential reset workflow via email / SMS / push notifications.
- Regulatory compliance (HIPAA, KYC).
- Login forms / authentication workflows.
- SSO not included (budget).
- 2FA not included (budget).
Some Shaky Deliverables
An experienced scrum master or product owner may already be feeling uneasy. Here we have a set of base requirements that – depending on team size and capability – can eat up large portions of your timeline. What may have felt like a simple ask becomes weeks or months of work. If all goes well, you are left with these burdens:
- Security and maintenance overhead for all of the above.
- Liability for all of the above, potential civil/legal liability.
- Reputational and fiduciary risks from all of the above.
- Limited ability to evaluate actuarial risk from the above.
- Inconsistent user experience.
- Lower conversion rates as a result.
- Increased developer costs.
Oh, and don’t forget that users need to learn the nuance of your system… and that’s a great way to shed users before they ever become active.
A Practical Alternative
Unless you’re explicitly in the identity management or security industry – or your application architecture prohibits it – you probably shouldn’t be building your own user management tools. As I mentioned at the top, it might be better to forgo all of this and instead implement a low-code solution from a third party.
In March of 2021, Okta announced they would acquire Auth0 for $6.5 billion – expanding their suite of enterprise identity tools. At its core, Auth0 calls itself “a user authentication and authorization platform”. They provide an extensive set of functionality that allows you to integrate with hundreds of identity and access management providers. What’s more, Auth0 offers an excellent set of SDKs and developer APIs which make integrating all these features into your app dead simple.
“Simple documentation about how to integrate – 15-minutes and we were up and running with a proof of concept.”
It’s true, I can testify from personal experience. When I first tried working with Auth0 – I was able to establish a new account, skim the documentation, integrate with Strive’s internal directory and implement full user support in a React application without breaking a sweat. It was just as straightforward to do this in iOS with Swift and in Spring Boot. In just an afternoon I was able to put together prototypes on all three of these platforms.
Just think about that for a moment. There’s a version of this timeline where an entire scrum team takes multiple sprints to implement user management for a single platform. With Auth0 it took about 45 minutes!
Building a Business Case
At this point, you may already have a clear picture of the business case for using a provider like Auth0 rather than rolling your own user management. We understand that it can be difficult to gain support from fellow stakeholders for even the strongest ideas. With that in mind, here are a few bullet points you can steal:
- Faster time to market
- Reduced cost of development
- Reduced complexity of development
- Reduced fixed operating overhead
- Reduced likelihood of defects / liability therein
- Increased user registration / conversion
Ultimately this is about creating as much value as possible from limited resources. Engineering work is expensive, and developers are a finite resource. Since software companies often live and die by the efficacy of their developers, it’s critical that you allocate their efforts effectively.
Based on decades of combined experience serving startups, Fortune 500 companies and everything in between, Strive generally believes that user authentication is a solved problem. Rather than dedicate resources to re-solve it, we find that it’s often wisest to instead stand on the shoulders of giants.
- “Kiva Eliminates 22,000 Lines of Legacy Code by Implementing Auth0”
- “Forrester consulting calculates 548% ROI (using Auth0) and millions in savings.”
- Build vs. Buy: Guide to Evaluating Identity Management
- Auth0 Quickstart documentation for dozens of languages and platforms
- Supported enterprise identity providers (OpenID, Azure, LDAP, SAML ADFS and more)
- Support for API Protected resources