Years ago your team decided to use a third-party auth system to avoid the time and cost of building one in-house. But now a better option has hit the market and you want to make the switch. Except, hold on, your old system is so deeply ingrained into your organization that you’re practically locked in to your current vendor.

How can you avoid this?

Two strategies that work are:

This blog post is an excerpt from Avoiding Authentication System Lock-in.

Insulate your application

When implementing an authentication system (and various other services provided by third-party vendors, such…

Authentication is an integral part of your application, and as such the acquisition of your auth vendor isn’t like other acquisitions. It could mean many things for your business, and you’ll have to decide how to respond accordingly.

This blog post is an excerpt from What to Do When Your Auth System Vendor Gets Acquired.

Will your new provider give you the same support? Pricing? Integration options? All of these might change for better or for worse.

While clearly an acquisition is cause for concern, it might not be all bad. …

Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of a user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.

This blog post is an excerpt from The Value of Standards-Compliant Authentication.

How can you make sure your systems are giving proper access to…

Given the increase in data breaches in the past few years, it’s more important than ever for software engineering leaders to prioritize security, quality development practices, and robust governance controls. Your customers’ trust is on the line, and that’s the lifeblood of any business that wants to keep growing.

This blog post is an excerpt from Common Authentication Implementation Risks and How to Mitigate Them.

Your authentication system is one of the areas of your software system that you absolutely have to ensure is secure. …

The Implicit grant is part of the OAuth 2 RFC, but is one of the features omitted in the OAuth 2.1 specification. With this grant, you don’t have to write server-side code. Instead of having to exchange an authorization code for an access token, you are provided an access token on redirect.

This is convenient if you are working in the JAMstack or in another situation where you don’t want to run a server.

However, it is horribly insecure, broken, deprecated, and should never, ever be used (ever). Okay, maybe that’s being a bit dramatic, but please don’t use…

Open-source authentication providers are popular because anyone can review much or all of the code that powers them. This availability can be especially helpful in evaluating whether a particular authentication provider will work for your use case. In addition, if you want the source code for any number of reasons (e.g., the provider could go out of business or get acquired), open source is basically tailor-made for that.

But while open-source providers do have some benefits over proprietary authentication providers, there are some downsides as well.

This blog post is an excerpt from Open Source vs Commercial Auth Providers.



As more of our lives and data move online, multi-factor authentication (MFA) becomes increasingly important to help keep our accounts secure. As a user, you should enable MFA on accounts with valuable data. But as a developer or software creator, you need a deeper understanding of MFA, why it’s important and when to require it.

What is multi-factor authentication (MFA)?

When a user authenticates, they are providing proof of who they are.

There are a few different categories of such types of proof:

When you’re evaluating authentication providers, one of the main building blocks of any software product, you want to make sure you won’t regret your choice a few months or years later.

It’s not enough to simply have a free trial of a potential authentication solution. For your trial to be useful, you need to run it effectively in order to be sure that you’ve tested for all of your potential use cases and gotten all the information you need to make a more informed decision.

What are steps you can take to make sure you maximize the knowledge you gain…

Migrating user data is fraught with risk. Of course, migrating any data is tough, but user accounts are even harder because any issue with the transfer affects human beings. Whether employees, customers, or potential clients, humans tend to react negatively to applications being inaccessible.

There are a few different approaches to migrating user accounts. Each of these works, but has different risks, timelines and implementation approaches.

There are three main approaches to user data migration. When you are changing how someone authenticates with your systems, you will eventually have to cut over. This is when a user authenticates with the…

Pssst. You may have heard that Auth0 was recently acquired by Okta. If this has you considering migration options, read on. This post will provide a strategy for determining if a migration makes sense, and discuss what you’ll need to consider if it does.

I’ll be using FusionAuth as an example migration destination, but the investigation and feature mapping I discuss can be used to prepare a move to any Auth0 competitor. That said, since the announcement our website has seen significantly more traffic and we’ve had dozens of people reach out to learn more about FusionAuth.

FusionAuth vs Auth0

FusionAuth and Auth0…


Auth built for devs. Installs on any server, anywhere in the world. Integrates with any codebase.
