Auth: Build vs Open Source vs Buy


Starting a new application? Have an existing application that is growing? Choosing the right authentication solution can make or break your product. Should you buy a solution, build your own from scratch, or try an open-source project? The pros and cons of each approach will be discussed. Whether you are a startup founder, product manager or developer, this session will equip you with the insights needed to make an informed choice that aligns with your business goals and technical requirements. 

This talk was presented at JSNation 2025.

FAQ

Authentication is crucial because it ensures only the right users can access the right resources, which is essential for digital security. A weak authentication system can lead to costly consequences such as data breaches and unauthorized access.

The three approaches are building your own system, purchasing a ready-made solution, or using open source frameworks.

Building your own system allows you to control everything from the user experience to security mechanisms. However, it requires significant effort to get it right, including password management, multifactor authentication, and encryption.

Buying an authentication solution provides a ready-made, secure, and scalable system maintained by experts. It offers enterprise-level security features and reduces the burden on your team, as security patches and feature enhancements are handled by a dedicated team.

Open source solutions offer flexibility and low initial costs but require internal expertise to manage and secure them. There may be no dedicated support team, and unexpected issues can arise if security updates are missed.

Building your own system has high upfront and maintenance costs. Buying a solution offers predictable subscription pricing, while open source solutions may appear cost-effective but require investment in internal expertise and maintenance.

FusionAuth is a viable choice as it offers the advantages of a ready-made solution with a free edition and support. It runs locally or in the cloud and has open source repositories for issue tracking and feature requests.

Consider your company's priorities, resources, and needs for security, scalability, and maintenance. Building offers control, buying provides support and scalability, and open source offers flexibility but needs internal expertise.

Purchasing a system saves time, reduces risk, and allows you to focus on your core business, making it an ideal choice for many companies.

Mark Robustelli
7 min
12 Jun, 2025

Video Summary and Transcription
Authentication is crucial for system security, with options including building, buying, or using open source. Modern security complexities are addressed by purchasing systems with enterprise-level security features. Cost considerations in authentication highlight maintenance and scaling costs, with buying solutions providing peace of mind and predictable costs.

1. Importance of Authentication in Development

Short description:

Authentication is crucial for system security. Options include building, buying, or using open source. Building requires expertise and ongoing maintenance. Buying offers a ready-made secure solution maintained by experts.

Let's face it, nobody except for the CTO at FusionAuth and maybe one or two of you out there wake up in the morning excited to build an authentication system. Right? It's a little bit like getting pumped to put a lock on your front door. Not necessarily thrilling, but necessary for the safety of you and your family, or in this case your customers. In addition to that, logging in to your application is often your user's first experience with it. It needs to be seamless, secure, and scalable.

Basically, you have three approaches to this problem. You can build it, buy it, or use open source. Hi, I'm Mark Robustelli. I'm the Developer Relations Engineer with FusionAuth. I've been developing for over 25 years, and I love helping developers reduce the overhead of development so they can focus on the things that bring value to their application. So why authentication matters? Is anyone going to use your application just because of the great login experience? Probably not.

However, authentication is a core, critical component of any system. Whether it's an app, a website, or an API, ensuring only the right users can access the right resources is at the core of digital security. Data breaches, unauthorized access, privacy violations, these are just some of the costly consequences of a weak or flawed authentication system. How costly? $100 billion. Just kidding. On average, for a global security breach, we're talking about 4 million euros. The question isn't if you need authentication, it's how you're going to implement it.

Let's start with the build option. This is like cooking your own meal. You can season it, make it exactly how you want it, right? You control everything from the user experience, the workflows, to the security mechanisms. But let's be honest, it's not easy. There's a lot of things to get right. Password management, multifactor authentication, session handling, encryption, and more. Plus, it doesn't stop after the initial build. Just like you can't stop maintaining a house after it's built, you have to maintain your authentication system. Now let's talk about purchasing authentication. This is a bit like ordering from a reliable restaurant. You don't have to spend all day in the kitchen cooking the perfect meal, picking out the ingredients, hoping to get safe, because a professional is doing it for you. When you buy an authentication system, you get a ready-made, secure, and scalable solution maintained by experts whose sole function is to focus on security.

2. Considerations in Authentication Methods

Short description:

Modern security complexities: purchased systems offer enterprise-level security features. Open source, like a community potluck, offers flexibility but requires internal expertise for maintenance. Cost is a key factor in deciding between building, buying, or using open source.

This is particularly important when you think about the complexities of modern security. Stuff like multifactor authentication, single sign-on, passwordless, these aren't real easy just to whip up yourself. Systems available for purchase feature enterprise-level security features and the flexibility that developers need. While developers may have to learn a new tool, it's generally pretty easy to integrate it into your existing system and then customize it for your business requirements and trust that security patches, feature enhancements are all handled by a dedicated team.

Now let's talk about the third option, open source. This is a bit like a community potluck. If you don't know what a potluck is, it's where everyone brings a dish to the meal and you all share. And it's great, you get to try a lot of different food and it's free. And the open source community has built a lot of powerful, flexible authentication frameworks. Stuff like OAuth, OpenID Connect, these are widely used and trusted. With open source, you have the flexibility to modify the system however you want.

But open source isn't without its challenges. While the initial cost may be low, there's still the need for internal expertise to manage and secure and maintain it. Moreover, when something goes wrong, there's not necessarily a dedicated support team to help you out. Just like a potluck, if someone forgets a main dish, in this case a security update, you're left scrambling to patch things up. Now in deciding between buy, building and using open source, cost is a key factor. Building your own authentication can seem like a good idea initially, but it's high with the upfront development costs.
