Identity Management in an Insecure World: Picking the Right Partner

Knowing and protecting your user is key to providing personalized services, but building your own authentication framework is a maintenance and security headache: how should I store passwords? Should I use passwords at all? Do I need both authentication (who I am) and authorization (what am I allowed to do)? Fortunately, a number of vendors let you offload much of this responsibility. But which one should you choose? First, let's review the current state of authentication.

The industry is in the middle of a paradigm-shifting transition away from passwords. Forrester's The State Of Consumer Authentication In 2020 gives us insight into why: as users actually use them, passwords are insecure. Even as password complexity requirements grow, user habits are not keeping up. 49% of respondents said they reused passwords across multiple websites, and most keep them in their head or write them down somewhere rather than using a password manager. These users do show an increased interest in improving their password habits, but why not take the problem out of their hands? Adding multi-factor authentication (MFA) is another layer of protection against stolen or reused passwords, but the ultimate goal is to remove the password as an attack vector entirely and go passwordless. This is still an uphill battle, since most users prefer to use their own passwords or believe their passwords are strong enough, not to mention the business and regulatory changes needed to fully support such a system (GDPR, HIPAA, etc.). Full migration to a passwordless system is an important topic, but outside the scope of this article.

With an idea of where the industry is going, let's look at which partners can get us there. While there is a plethora of identity providers, this article covers a well-rounded set of them: Azure AD B2C, Amazon Cognito, Okta, Auth0, and Firebase Authentication. For each partner we will look at feature set, extensibility, availability of web and API flows, interface customization, and the overall experience of the team implementing it. Bear in mind that these partners were evaluated in July 2022, so these features and limitations may change in the future.


Published by Ryan Gant in