Ask HN: How do you currently solve authentication?

Depends on the project:

Firebase Authentication[1] is an excellent easy add on for apps (both Web and Mobile) that I want to get running quickly. It's free, scales, supports lots of social auth providers and can take care of email verification etc.

When I'm building a website it really depends. Wordpress and Django have excellent inbuilt authentication and authorization systems. Djangos can be quickly expanded to support social providers with `django-allauth`[2]

For everything else I use KeyCloak[3] - Red Hats open source Identity Provider/Single Sign On which supports oAuth2.0, OpenID Connect, SAML, themes etc. Documentation and support is relatively good but can be quite overwhelming especially if you're not used to the relevant standards (knowing the different flows in oAuth2.0 and which one you want to use).

[Self plug]: I'm building a KeyCloak-as-a-Service for those who don't want control of their authentication without the hassle of setting up their own cluster. We're in closed Beta at the moment but if you're interested you can search for "Tromsso keycloak"[4] and leave an email to be invited in.

[1] https://firebase.google.com/docs/auth/

[2] https://github.com/pennersr/django-allauth

[3] https://keycloak.org/

[4] https://tromsso.com/

Firebase Authentication.

I can't say enough good things about this service as it has been a game changer for me productivity wise.

-Supports most of the popular OAuth providers natively or you can add any custom OAuth system via custom tokens.

-SMS Auth, passwordless login (aka magic links)

-Excellent and well maintained client/server SDKs for most of the languages. Makes user management very convenient, including neat things like revoking tokens, cookie session management, linking accounts of users with multiple providers, RBAC via web tokens.

-Tight integration with Firestore. Can have fine grained security controls on which users can read/write what documents etc.

What takes the cake is Custom Tokens [1]. This is really useful for seamlessly integrating with another authentication system. Would recommend anyone to take a look if they're exploring an auth service.

[1] https://firebase.google.com/docs/auth/admin/create-custom-to...

I'm storing hashed password in the database. I'm writing POST http handler and storing user info in the session information. I don't know why would I use framework or even service, it's just few dozens of simple lines of code. I don't use frameworks for simple things. I guess it might make sense when one need to support login via Google, Facebook, etc, I'm working on enterprise websites which don't need that.

Last time AWS Cognito, and at least initially, Amplify.

I'd never write it from scratch. It's always a PITA, there's always significant compromises - do you make people sign up, do you let them use Google/every other available federated login provider, what 2FA options, will it work on a locked down network, etc.

Warning: this post is about a speculative design unproven in production. Definitely use the de facto standard framework in any production code you write!

I get so depressed with authentication complexity. Seems to me there are two ways to avoid it: first, write a service that doesn't care about user identity (it is a fun exercise to think of such a thing!), and second, secure messages, not connections or sessions.

Securing messages with public/private key encryption, I believe, is the best possible general approach. Thinking in messages yields the programmer great benefits, not just inside code (it is the cornerstone of the OOP paradigm, after all), but outside of code (message passing is also the cornerstone of distributed programming). Even if you are building a webapp it helps to think in terms of something more general. HTTP becomes just another channel over which messages move. Your app can (and probably will) become sensitive to other channels: email, SMS, webhooks, etc. If you embrace message-level security then you can ignore the channel and deal with the message. Channels may change, but your application code doesn't need to.

For an SPA, the key problem (no pun intended) is that a users private key is on the users browser, in the simplest implementation, accessible by everything on the page. If you're not end-to-end encrypted and don't use 3rd party resources at all (its possible!) then the naive solution is fine. The most robust solution is to use a browser extension to isolate the private key. The site requests encryption services from the extension.

Another fun and interesting problem is the multi-device user. Do we allow copying the private key, and if not, how do we associate private keys together? I think this is a fun problem from lots of angles, particularly the prospect of your own devices inviting each other to share an identity.

I use bcrypt to hash the user password and then store it in a database. When the user wants to log in I use the compare function of the bcrypt library. If the hashes match I set a session cookie.

I suppose if I worked on projects that wanted to support OAuth I would use Passport.js, but I don't know how much I would trust the any but the largest packages for that.

I use Auth0. Works well enough

I use https://www.pomerium.io/ for my internal services with Google oauth. I like it because unlike oauth-proxy I can define which users are allowed to which (sub)domains. I run this in Kubernetes and it supports forward authentication, so adding a new service is editing a configmap to let pomerium know about the domain and its allowed users (support for defining this in the ingress is coming), and adding a few ingress annotations.

In some Rails projects i use Device gem, or simpler version made by my own (salted passwords in database, and user_id as jwt in session store).

I use keycloak. It's just like auth0 except it's self hosted and I run it alongside all my other instances.

I'm not currently solving it that way but my next side project definitely is going to try out metamask as the mean of authenticating the user.

A friend of mine showed me some "dapps"(decentralized apps) that he uses (uniswap.io, axieinfinity.com and some other i forgot). They all used metamask as the "login platform". The point is that you have your key in this metamask plugin that is stored in your browser and you can sign things. That means you get a challenge from the server and metamask then asks you if you want to sign that challenge. The hole onboarding experience was super easy and you theoretically could use that to pay for some premium features of a service.

I thought that is really cool because you don't need to enter email, username, password and whatnot. You just click authorize and you're in.

I use Django’s included authentication.

Simple: Don't. Developing a secure authentication service is actually more difficult than it would seem on the surface. I've come to rely on an external authentication service (or, if necessary, a reputable library/framework specifically designed for it). These days my go-to is Keycloak (https://keycloak.org). It supports pretty much everything: standard username/password, MFA, SAML, OIDC, etc. Plus, it's easily deployable within a Docker container so standing it up is a breeze.

I have been implementing different methods for oauth: - building my own handling with hashed passwords stored in the database - using the fantastic sorcery [0] gem for Rails. It's a light-weight auth solution that allows me to customize many different aspects of auth while providing a solid structure. It also has many sub modules that can be added for oauth, resetting password or stronger application security.

[0] https://github.com/sorcery/sorcery/

My users send their password over TLS. I check the password using bcrypt. I assume further communication over the same connection comes from the user.

Laravel built in auth, Socialite for social logins.

I am working on a hyper-open, hyper-compatible, and hyper-accessible forum system with accessibility by historic browser included in the spec.

I use a multi-layer authentication system with various levels of compatibility, security, and accessibility.

* The default mode is unauthenticated, which allows the user to post plaintext. Optionally, this can be backed by a device fingerprint, which would group all of this user's posts together. This is supported by all post-Mosaic browsers, except perhaps Mosaic 1.0, which does not support HTML forms. (For Mosaic, there is a fallback writing mode, of the form http://example.com/your+message+here)

* There is also a cookie-based authentication system, in which the user asks for a new ID, and the server sets cookies for user id and checksum. The checksum is checked against a server secret via hashing, so no storage of account data is needed on the server. This works with all cookie-supporting browsers.

* The other authentication system is based on PGP, and allows the user to either use in-browser PGP (insecure) or client-based PGP (less insecure) to sign their messages. These messages can be both client verified and grouped together into a profile on the server.

If I use a an external framework or library to let me users login via Google or say outlook, do I need to have my own outlook or Google account? Do I need some authorization to do this if say my company uses outlook for their emails and I want to let my co-workers use their account info to sign in through outlook?

Spring Security for the logic and password storage. I usually build my own pages for password resets and logins