Auth: Build vs Open Source vs Buy

Let's face it, nobody except for the CTO at FusionAuth and maybe one or two of you out there wake up in the morning excited to build an authentication system. Right? It's a little bit like getting pumped to put a lock on your front door. Not necessarily thrilling, but necessary for the safety of you and your family, or in this case your customers. In addition to that, logging in to your application is often your user's first experience with it. It needs to be seamless, secure, and scalable.

Basically, you have three approaches to this problem. You can build it, buy it, or use open source. Hi, I'm Mark Robustelli. I'm the Developer Relations Engineer with FusionAuth. I've been developing for over 25 years, and I love helping developers reduce the overhead of development so they can focus on the things that bring value to their application. So why authentication matters? Is anyone going to use your application just because of the great login experience? Probably not.

However, authentication is a core, critical component of any system. Whether it's an app, a website, or an API, ensuring only the right users can access the right resources is at the core of digital security. Data breaches, unauthorized access, privacy violations, these are just some of the costly consequences of a weak or flawed authentication system. How costly? $100 billion. Just kidding. On average, for a global security breach, we're talking about 4 million euros. The question isn't if you need authentication, it's how you're going to implement it.

Let's start with the build option. This is like cooking your own meal. You can season it, make it exactly how you want it, right? You control everything from the user experience, the workflows, to the security mechanisms. But let's be honest, it's not easy. There's a lot of things to get right. Password management, multifactor authentication, session handling, encryption, and more. Plus, it doesn't stop after the initial build. Just like you can't stop maintaining a house after it's built, you have to maintain your authentication system. Now let's talk about purchasing authentication. This is a bit like ordering from a reliable restaurant. You don't have to spend all day in the kitchen cooking the perfect meal, picking out the ingredients, hoping to get safe, because a professional is doing it for you. When you buy an authentication system, you get a ready-made, secure, and scalable solution maintained by experts whose sole function is to focus on security.

This is particularly important when you think about the complexities of modern security. Stuff like multifactor authentication, single sign-on, password list, these aren't real easy just to whip up yourself. Systems available for purchase feature enterprise-level security features and the flexibility that developers need. While developers may have to learn a new tool, it's generally pretty easy to integrate it into your existing system and then customize it for your business requirements and trust that security patches, feature enhancements are all handled by a dedicated team.

Now let's talk about the third option, open source. This is a bit like a community potluck. If you don't know what a potluck is, it's where everyone brings a dish to the meal and you all share. And it's great, you get to try a lot of different food and it's free. And the open source community has built a lot of powerful, flexible authentication frameworks. Stuff like OAuth, OpenID Connect, these are widely used and trusted. With open source, you have the flexibility to modify the system however you want.

But open source isn't without its challenges. While the initial cost may be low, there's still the need for internal expertise to manage and secure and maintain it. Moreover, when something goes wrong, there's not necessarily a dedicated support team to help you out. Just like a potluck, if someone forgets a main dish, in this case a security update, you're left scrambling to patch things up. Now in deciding between buy, building and using open source, cost is a key factor. Building your own authentication can seem like a good idea initially, but it's high with the upfront development costs.

On top of that, you have maintenance, scaling costs, this can grow into a job or several jobs. It's estimated about 1 to 2 million euro over five years for maintenance. Buying solution generally operates on a subscription, which means a predictable price. Now while there is a price tag associated with it, you're buying peace of mind.

The maintenance, security updates, scaling, all handled for you. Now a bit of a caveat here, when you're comparing costs, make sure you compare for usage now six months, a year, five years from now, you don't want to be caught off guard when your application is wildly successful. And open source can often look like the most effective, cost-effective solution, because there's no licensing fee.

But remember, nothing comes for free, right? Free isn't beer. You can drink it, but you're responsible for it. You still need to maintain it, have internal expertise, security experts, and the costs can add up quickly. So after weighing the options, what's the right choice? The truth is, only you can decide. Different companies have different priorities, resources, and needs when it comes to security, scalability, and maintenance.