
> but less hard than it ever has been before

I have a very vested interest in this (founder Clerk.dev) - but the exact opposite experience is what led us to start Clerk.

Auth was easy when it was just email verification and choosing the right hashing algorithm. I used to pull Devise off the shelf and get it going in 30 minutes.

But these days, the simple solution is far from complete. I grew most frustrated trying to set up the rest...

- Single sign-on / OAuth with proper de-duping so users can always sign in regardless of how they signed up

- 2FA so users can better secure their accounts

- Integrations with a leaked password corpus (haveibeenpwned) to prevent credential stuffing attacks

- Active device tracking and remote session revocation

You can launch without these things, but it's definitely impacting your overall security and the conversion rates through your sign up and sign in flows.




I found these features quite simple to implement. What gave me a headache was advanced anomaly detection (both from the per-account and per-requester perspectives) and handling. For me, there is no bottom of the well on those things, and they are the killer features of auth as a service.



