Disclaimer: I am not associated with any of these companies as of writing.
Authentication Services
Authentication has always posed challenges, whether in terms of security, user experience, or integration. Here is a comparison table for those who share the same concerns:
| Name | Firebase Auth | Supabase | Auth0 | Clerk | Cognito |
|---|---|---|---|---|---|
| Website | https://firebase.google.com/products/auth | https://supabase.com/ | https://auth0.com/ | https://clerk.com/ | https://aws.amazon.com/pm/cognito/ |
| Characteristics | Backed by Google, thus reliable; good pricing (free for 50k MAU); best paired with other Google/Firebase services | Series B startup backed by YC; reasonable pricing; AWS-based; PostgreSQL-based; Auth UI available and handles email confirmation; supports React Native / Expo; 19 social logins (source) | Around since 2013, acquired by Okta in 2022; easy integration; Universal Login; extensive functionality | Series A startup; easy integration; pre-built components; rich B2B features | Backed by AWS, thus reliable; Cognito IAM makes it a great choice for integrating with other AWS services; good pricing |
| Drawbacks | Limited OAuth providers; FirebaseUI is no longer supported from SDK v9; US-only services | See “Supabase Auth Review: Impressive, But Not Without Issues”; the 500 MB Postgres database pauses after 7 days of inactivity on the Free plan | Expensive pricing; limited tenant regions (ref) | Expensive pricing | Not appealing when using other cloud providers |
Above is a high-level comparison of various authentication services, focusing on features like ease of use, security protocols, and pricing.
Libraries
The provider's SDK may be sufficient, but you may want to use a separate library for custom features. Here are some suggestions:
| Name | NextAuth | Iron-Session | Lucia-auth | Passport |
|---|---|---|---|---|
| Website | https://next-auth.js.org/ | https://github.com/vvo/iron-session | https://lucia-auth.com/ | https://www.passportjs.org/ |
| Characteristics | Extensive OAuth providers (59+); v5 (beta) is app-router first | v8 is app-router compatible; built simply for session management | Less “bloated and opinionated” than NextAuth; extensive OAuth providers (26+) | Express-compatible authentication middleware for Node.js; lightweight |
| Drawbacks | Made for Next.js: cannot be used on React Native; opinionated, complex DX; discourages password login (“credentials”) for security reasons | Meant for sessions, not the actual authentication | Still early-phase, in my opinion | Backend solution, not made for Next.js; needs extra work (e.g. password reset, 2FA, …) |
Authentication is a complex aspect of software development, often demanding a balance between security and user convenience. While some services come with a higher price tag, they may offer advanced functionalities that justify the cost. However, it’s important to remember that there is no one-size-fits-all, out-of-the-box solution. Each project may require a different approach, and I hope this article helps you in identifying the right fit for your needs.
Going Passwordless
The authentication landscape is rapidly evolving, moving away from traditional username and password systems. This shift is largely driven by a growing preference for passwordless solutions. Such solutions, including OAuth protocols, magic links, and SMS-based authentication, offer a unique blend of security and user convenience.
Honorable Mention: Session-based Authentication
While the solutions mentioned above may or may not align with your specific goals, session-based authentication deserves a mention: it is often a simpler and more effective solution, even preferable to JWT. This is particularly true when it complements the passwordless methods already in use.
For implementation, express-session offers versatility, allowing you to choose the most suitable storage option, like Redis or a database of your choice.
For more insights, the OWASP Session Management Cheat Sheet provides valuable guidelines and best practices in this area.
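A concrete shape for that approach, as an added example that is not part of the original post: an express-session configuration plus login/logout helpers that apply the cheat sheet's cookie flags, session ID regeneration on login, and idle and absolute timeouts. It assumes express-session's req.session.regenerate/destroy API; the package itself is not loaded here, and the store (Redis or a database) is passed in.

```javascript
// Added example (not from the original post): hardened express-session settings and
// session helpers following the OWASP Session Management Cheat Sheet. Assumes the
// express-session package for req.session.regenerate / destroy; the store is injected.
const IDLE_TIMEOUT_MS = 15 * 60 * 1000;         // idle timeout: 15 minutes
const ABSOLUTE_TIMEOUT_MS = 8 * 60 * 60 * 1000; // absolute timeout: 8 hours

// Build the express-session options. The secret comes from the environment, never
// from source; `store` is any express-session compatible store (Redis, database, ...).
function sessionOptions({ secret, store, production = true }) {
  if (typeof secret !== 'string' || secret.length < 32) {
    throw new Error('session secret must be at least 32 characters');
  }
  return {
    name: 'sid',               // generic cookie name instead of the framework default
    secret,
    ...(store ? { store } : {}),
    resave: false,
    saveUninitialized: false,  // no cookie is issued until there is a session to keep
    rolling: true,             // maxAge is refreshed on each request: an idle timeout
    cookie: {
      httpOnly: true,          // not readable from JavaScript
      secure: production,      // sent only over HTTPS
      sameSite: 'lax',         // CSRF mitigation
      maxAge: IDLE_TIMEOUT_MS,
    },
  };
}

// Login: regenerate the session ID so an ID issued before login cannot be reused
// (session fixation), then bind the identity and absolute expiry to the new session.
function loginSession(req, userId, now = Date.now()) {
  return new Promise((resolve, reject) => {
    req.session.regenerate((err) => {
      if (err) return reject(err);
      req.session.userId = userId;   // req.session is the freshly created session here
      req.session.createdAt = now;
      resolve(req.session);
    });
  });
}

// Per-request guard: no identity, or past the absolute timeout, means not logged in.
function isSessionValid(session, now = Date.now()) {
  if (!session || !session.userId || !Number.isFinite(session.createdAt)) return false;
  return now - session.createdAt < ABSOLUTE_TIMEOUT_MS;
}

// Logout: destroy the server-side state, so a copied cookie is useless afterwards.
function logoutSession(req) {
  return new Promise((resolve, reject) =>
    req.session.destroy((err) => (err ? reject(err) : resolve())));
}
```

Wiring is the usual `app.use(session(sessionOptions({ secret: process.env.SESSION_SECRET, store })))`, with `loginSession` called after the credential or magic-link check succeeds and `isSessionValid(req.session)` checked in the route guard.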