8 comments

[ 1.0 ms ] story [ 26.8 ms ] thread
This is that weird combination of spam, and completely misleading information.
Could you elaborate more please?
It’s a company site for an external authentication system, advising people use an external authentication system, and grossly overstating the effort involved to do it internally.

Their claims about the required knowledge to use bcrypt password hashing, one use tokens and of all things - sending fucking emails - is flat out deception.

Essentially “It’s way to complex to do X yourself, you should use a third party service. Oh hey we happen to provide X. Give us teh moneys plz”

Actually saying that it's easy to implement your own authentication system is more dangerous, especially to people who haven't worked long enough on the topic.

The article also mentioned MFA and WebAuthn that not all people are familiar with. More importantly I think the main point is it's better to not spend too much time on the authentication and concentrate on the main business instead.

From my own experiences, sending emails correctly is not that easy. And using services like mailchimp or sendgrid isn't enough.

IMO it's normal that a company does marketing on its own blog as long as it's not over-exaggerating.

Every language I know has an easy to use wrapper/functionality for strong password hashing.

The pricing model of this business means there’s a likely 50/50 chance of it closing in ~12 months because not enough customers choose the paid option.

It is normal to promote yourself on the company blog. It’s not normal to submit that as “news”.

> The pricing model of this business means there’s a likely 50/50 chance of it closing in ~12 months because not enough customers choose the paid option.

I think we went too far from the initial point. Nevertheless the cost of such service is low enough that it can be maintained easily, even without a significant revenue number.

> It’s not normal to submit that as “news”.

It depends on the definition of news I guess. The article brings another point of view, though discutable. The promotion happens only at the end, in a reasonable way.

> Every language I know has an easy to use wrapper/functionality for strong password hashing.

Again the password hashing is just an aspect of an authentication system.

Your business model is part of why I think it’s bad advice: every third party service used is an operational liability. The less standardised the integration, the harder it is to swap to a competitor if required. The more standardised the integration, the easier it is.

To use your email argument earlier: if a company doesn’t want to handle its own mail servers (which is a common choice these days) the cost of moving between vendors can be pretty low. A few DNS records and some config/environment vars, and voila. It’s very possible to do it with zero downtime.

I’m not sure to follow your points. The technology is based on oauth2/openid standard which would allow developers to switch quite easily.

The business model is subscription based which is pretty standard.

Sending email is not just about « clean » ip address or passing by a third party provider.For example some email clients can display the emails differently so one need to take this into account.

Anw I don’t think the discussion will lead to anything. Again the article represents a point of view that some will not agree and I totally understand.