Reminder when rolling out custom auth
Things you may need to implement, or at least think about, when deciding to roll out custom auth, in no specific order:
- Registration flow
- Login flow
- Email change
- Password recovery
- Account activation
- One-Time Links (activation, recovery)
- Email system:
  - Account activation
  - Password reset links
  - 2FA (not the best, but a valid option)
  - Untrusted logins
- MFA (Multi Factor Authentication)
- PII storage (Personally Identifiable Information)
- Password requirements
- Password hashing, storage, and validation
- Retries, timeouts, exponential backoff
- Tokens, JWT, Sessions, Cookies
- Device tokens, trusted devices
- Token invalidation
- Distributed Auth
- Secret rotation
- IP lock, region lock, other kinds of locks
- OAuth
- SSO
- SAML
- Logging (careful!)
- Metrics
Good luck!