As more of our lives and data move online, multi-factor authentication (MFA) becomes increasingly important to help keep our accounts secure. As a user, you should enable MFA on accounts with valuable data. But as a developer or software creator, you need a deeper understanding of MFA, why it’s important and when to require it.

What is multi-factor authentication (MFA)?

When a user authenticates, they are providing proof of who they are.

There are a few different categories of such types of proof:

When you’re evaluating authentication providers, one of the main building blocks of any software product, you want to make sure you won’t regret your choice a few months or years later.

It’s not enough to simply have a free trial of a potential authentication solution. For your trial to be useful, you need to run it effectively in order to be sure that you’ve tested for all of your potential use cases and gotten all the information you need to make a more informed decision.

What are steps you can take to make sure you maximize the knowledge you gain…

Migrating user data is fraught with risk. Of course, migrating any data is tough, but user accounts are even harder because any issue with the transfer affects human beings. Whether employees, customers, or potential clients, humans tend to react negatively to applications being inaccessible.

There are a few different approaches to migrating user accounts. Each of these works, but has different risks, timelines and implementation approaches.

There are three main approaches to user data migration. When you are changing how someone authenticates with your systems, you will eventually have to cut over. This is when a user authenticates with the…

Pssst. You may have heard that Auth0 was recently acquired by Okta. If this has you considering migration options, read on. This post will provide a strategy for determining if a migration makes sense, and discuss what you’ll need to consider if it does.

I’ll be using FusionAuth as an example migration destination, but the investigation and feature mapping I discuss can be used to prepare a move to any Auth0 competitor. That said, since the announcement our website has seen significantly more traffic and we’ve had dozens of people reach out to learn more about FusionAuth.

FusionAuth vs Auth0

FusionAuth and Auth0…

Modern authentication is built on hashing passwords using computationally expensive algorithms. Because of this intense CPU usage, there’s a push-pull relationship between robust security and scalable solutions. Since security is so critical, and frankly nonnegotiable, you’ll have to grapple with the challenges of scaling your authentication.

To be a responsible and effective software engineer, you need to know how to deal with these scalability concerns while keeping your application’s authentication secure. Let’s look at a few of these challenges, including hashing performance, chattiness, additional security, and uptime.

This blog post is an excerpt from Making Sure Your Auth System Can…

Within today’s software development ecosystem, third-party vendors are a common part of system architecture.

Specifically, Authentication-as-a-Service (AaaS) is growing fast. Their out-of-the-box capabilities enable engineering teams to focus on building features valuable to business rather than spending time and resources on reinventing the wheel of securing application access.

But outsourcing isn’t as simple as it sounds. Vendor management is time-consuming and can introduce significant risks to the business if due diligence isn’t observed.

This blog post is an excerpt from Performing Due Diligence on Authentication Vendors.

The need for due diligence

The 2017 Equifax data breach consumed many organizations, including mine where I was on…

Securing a Go Microservice with JWT

JSON Web Tokens (JWTs) offer a mechanism to share a set of claims or attributes from client to a server providing microservices in a cryptographically secure way. JWT secures the service-to-service communication and also can pass end-user context across microservices.

A JWT token can be used to carry the identity of the calling microservice, or the identity of the client or the system which initiated the request. It can be used to communicate authorization and validation attributes between multiple clients and servers. Using such attributes secures the microservices and makes sure that only authorized access occurs.

In this post, we…

Single sign-on (SSO) lets your users access two or more applications with a single set of credentials. Properly implemented, it makes your users’ lives easier; they sign in once and don’t have to log in when they switch between various applications.

Google has created a great single sign-on experience. You sign into and then visit or to access your calendar or files. The various systems know who you are without you ever re-authenticating. If you sign out from one of these applications, you’re signed out from all of them.

FusionAuth has built-in single sign-on support; this tutorial…

You lead a team of engineers, and your team is responsible for building out a new customer-facing product that could have a huge impact on the trajectory of your company. Lately you’ve been considering whether or not rolling your own authentication system is a good idea. You’ve spent a lot of time and effort carefully weighing the pros and cons, and you’ve come to the conclusion that home grown auth is not in the best interests of your company.

How do you go about talking to all the relevant stakeholders about this choice?

Not all orgs are the same, but…

Congrats to Auth0, their employees and investors on their acquisition by Okta! This validates that CIAM is a crucial part of any application and that outsourcing it to a provider like Auth0 just plain makes sense. The identity community owes a lot to Auth0, and that includes FusionAuth.

We love the way that Auth0 spreads the word about the value of outsourcing your application’s auth systems. Today app developers can focus on building their apps. They can offload the effort of implementing and securing identity, authorization and authentication to companies like Auth0 or FusionAuth.

Auth before Auth0

Before 2013, when Auth0 was founded…


Auth for built for devs. Installs on any server, anywhere in the world. Integrates with any codebase.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store