Authentication is the feature every engineer is sure they can build in a weekend, and they are right. You can build a login form, a users table, and a password-reset email by Sunday night. The weekend is real. The weekend is also not the cost. The cost is everything that arrives after it, on a schedule you do not set, for a system you can never turn off.
The part you think the job is
Email and password. A sessions table. A "forgot password" link that emails a token. Social login if you are feeling thorough. This genuinely is a weekend, and if that were the whole job, you should absolutely build it. It is not the whole job, and you know it is not, which is why you are reading a build-versus-buy article instead of just building it.
The bill you don't see coming
You now own a security surface, permanently. Password hashing, and the slow migration the day you realize your bcrypt cost factor was tuned for 2019 hardware: a stored hash cannot be strengthened without the plaintext, so each account is upgraded only at its next successful login, and dormant accounts keep the weak hash indefinitely. Rate limiting and account lockout. Credential stuffing, because your login endpoint starts receiving replayed username-and-password pairs from other sites' breaches within a month of launch. And the big one: liability. The day you store credentials you become a target, and a breach stops being an abstract risk in someone else's pricing deck. It is your incident, your disclosure email, your customers' trust, and possibly your regulator.
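What "re-hashing every user" looks like in practice, as an added example that is not part of the original article or any vendor's code: a login routine that stores the hashing parameters alongside the hash, verifies in constant time, counts failures toward a lockout, and transparently upgrades a weak hash at the one moment the plaintext is available. It uses scrypt from Python's standard library rather than bcrypt (which needs a third-party package); the parameter values, the lockout threshold and the in-memory user store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Hashing policy for *new* hashes. Assumed values for this example, not tuned
# numbers; n=2**14, r=8 costs roughly 16 MiB of memory per hash computation.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
LOCKOUT_THRESHOLD = 5  # consecutive failures before the account is locked (assumed)


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _b64d(s: str) -> bytes:
    return base64.b64decode(s)


def hash_password(password: str, params=None) -> str:
    """Return a self-describing hash string: $scrypt$n=..,r=..,p=..$salt$digest.
    Storing the parameters with the hash is what makes a later upgrade possible."""
    p = params or CURRENT_PARAMS
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=p["n"], r=p["r"], p=p["p"], dklen=32)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (p["n"], p["r"], p["p"], _b64(salt), _b64(digest))


def _parse(stored: str):
    _, scheme, param_str, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return params, _b64d(salt_b64), _b64d(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    params, salt, digest = _parse(stored)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=params["n"], r=params["r"], p=params["p"], dklen=len(digest))
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True if the stored hash was made under a weaker policy than CURRENT_PARAMS."""
    params, _, _ = _parse(stored)
    return any(params[k] < CURRENT_PARAMS[k] for k in CURRENT_PARAMS)


# Hash checked when the account does not exist, so a miss costs the same
# time as a real check and response timing does not reveal registered emails.
_DUMMY_HASH = hash_password("not-a-real-password")


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self):
        self.users = {}

    def add_user(self, email: str, password: str, params=None) -> None:
        self.users[email] = {"hash": hash_password(password, params), "failures": 0}


def login(store: UserStore, email: str, password: str) -> str:
    """Returns 'ok', 'bad_credentials' or 'locked'. Upgrades weak hashes on success."""
    user = store.users.get(email)
    if user is None:
        verify_password(password, _DUMMY_HASH)
        return "bad_credentials"
    if user["failures"] >= LOCKOUT_THRESHOLD:
        return "locked"  # checked before the password so a locked account cannot be brute-forced
    if not verify_password(password, user["hash"]):
        user["failures"] += 1
        return "bad_credentials"
    user["failures"] = 0
    if needs_rehash(user["hash"]):
        # The plaintext exists only during login, so this is the only moment a
        # stored hash can be upgraded; accounts that never log in keep the old one.
        user["hash"] = hash_password(password)
    return "ok"
```

The point to notice is the last branch: the migration to a stronger cost factor is not a batch job you run once, it is a code path that stays in the login handler for as long as any account still carries an old hash, and a locked account needs a separate recovery flow (password reset, support) to clear its failure count.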
The protocol work lands the moment you sell to anyone serious. Enterprise SSO means SAML, and SAML means XML signature verification, which is its own genre of CVE (you really do not want to meet signature wrapping in production). SCIM means building provisioning and deprovisioning, and deprovisioning is a security control: get it wrong and a fired employee keeps their access. MFA means enrollment, recovery codes, and the support queue when someone loses their phone. Audit logs mean retention and tamper-evidence, because the customer's SOC 2 auditor will ask, and "we log to a file somewhere" is not an answer.
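What tamper-evidence in an audit log means concretely, as an added example that is not code from the original article or from any vendor: each record carries a keyed hash over its own contents and the hash of the record before it, so editing, deleting or reordering any record breaks the chain at that point. The HMAC key, the record layout and the sample events (a deprovisioning, a denied login, an SSO connection change) are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash value carried by the first record


def _canonical(seq: int, event: dict, prev: str) -> bytes:
    # Deterministic serialisation: the verifier must reproduce the exact bytes.
    return json.dumps({"seq": seq, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, seq: int, event: dict, prev: str) -> str:
    return hmac.new(key, _canonical(seq, event, prev), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log where every record binds the MAC of its predecessor."""

    def __init__(self, key: bytes):
        self.key = key  # held by the log writer, not by the store it writes into
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "event": event, "prev": prev,
                 "mac": _mac(self.key, seq, event, prev)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """MAC of the newest record; checkpoint it somewhere the writer cannot edit."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key: bytes, entries: list, expected_head: str = None):
    """Returns (True, None) if intact, else (False, index of the first bad record).
    Dropping records from the tail is only detectable with expected_head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # a record was removed, inserted or reordered here
        if not hmac.compare_digest(_mac(key, e["seq"], e["event"], e["prev"]), e["mac"]):
            return False, i  # this record's contents were edited
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # records were dropped from the end
    return True, None
```

Two caveats a practitioner will want: the chain alone cannot tell you the log was truncated, which is why `head()` exists and must be stored out of reach of whoever can write the log (a separate system, a WORM bucket, a customer-visible checkpoint); and the MAC key must not live in the same database as the records, or an attacker with write access simply re-signs the chain.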
The operational tail never ends. Key rotation and JWKS. Session invalidation that actually works across devices. Token revocation. And on-call, for the one system in your stack that, when it is down, takes everything with it: nobody logs in, no API call authenticates, your whole product is a 500 page. Auth is tier zero. You are signing up to keep a tier-zero security system running forever, with the same headcount you were going to spend on your actual product.
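The three operational items above (key rotation, cross-device session invalidation, token revocation) are one design problem, shown here as an added example that is not the article's or any vendor's code. It signs compact HS256 JWTs with a key ring keyed by `kid`, keeps retired-but-not-expired keys verifiable so rotation does not log everyone out, bumps a per-user session version for "log out everywhere", and keeps a revocation set for individual tokens. The key identifiers, secrets, clock values and claim names beyond the standard `sub`, `jti` and `exp` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyRing:
    """Signing keys indexed by kid. The newest key signs; older keys still verify
    until retired, so tokens issued just before a rotation keep working."""

    def __init__(self):
        self.keys = {}
        self.retired = set()
        self.current = None

    def rotate(self, kid: str, secret: bytes) -> None:
        self.keys[kid] = secret
        self.current = kid

    def retire(self, kid: str) -> None:
        self.retired.add(kid)  # only once every token signed under kid has expired


class SessionAuthority:
    def __init__(self, ring: KeyRing, now=time.time):
        self.ring = ring
        self.now = now               # injectable clock so expiry can be tested
        self.session_version = {}    # user -> counter bumped by "log out everywhere"
        self.revoked = set()         # jti of individually revoked, not yet expired tokens

    def issue(self, user: str, jti: str, ttl: int = 3600) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.ring.current}
        payload = {"sub": user, "jti": jti,
                   "sv": self.session_version.get(user, 0), "exp": int(self.now()) + ttl}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
        sig = hmac.new(self.ring.keys[self.ring.current], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)

    def verify(self, token: str):
        """Returns (True, subject) or (False, reason)."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header = json.loads(_b64url_decode(parts[0]))
        if header.get("alg") != "HS256":
            return False, "unexpected alg"  # the token never gets to choose the algorithm
        kid = header.get("kid")
        if kid not in self.ring.keys or kid in self.ring.retired:
            return False, "unknown or retired kid"
        expected = hmac.new(self.ring.keys[kid], (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "bad signature"
        payload = json.loads(_b64url_decode(parts[1]))  # trusted only after the signature check
        if payload["exp"] <= self.now():
            return False, "expired"
        if payload["jti"] in self.revoked:
            return False, "revoked"
        if payload["sv"] != self.session_version.get(payload["sub"], 0):
            return False, "session invalidated"
        return True, payload["sub"]

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def logout_everywhere(self, user: str) -> None:
        self.session_version[user] = self.session_version.get(user, 0) + 1
```

Note what each of these costs you once it is yours to run: the key ring is what a published JWKS endpoint exposes, and the retire step can only happen after the longest token lifetime has elapsed since the rotation; the revocation set has to be consulted on every request, so it lives in a shared store and gets pruned as tokens expire; and the session version has to be read on every verify as well, which is exactly the state a "stateless" JWT design was supposed to avoid.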
The compliance tail is annual. SOC 2, ISO 27001, a prospect's security questionnaire: each one asks, in detail, about every item above. Auditors are not charmed by "we rolled our own." Buying auth lets you point at a vendor's controls; building it makes those controls yours to document, prove, and defend, every year.
When building is actually the right call
This is not a "buy, always" pitch, because that would be dishonest and you would see straight through it. Build your own auth when:
- It is a small internal tool behind a VPN, a handful of users, no compliance surface. The weekend really is the whole job.
- Auth is your product. If you are building an identity company, build identity. It is your differentiator, not your overhead.
- You have genuinely unusual requirements no provider fits, and a dedicated security team that will own the result for its entire life. Note both halves of that sentence. The team is the expensive half.
Outside those cases the math is simpler than it looks. The cost of "build" was never the first weekend. It is the perpetual ownership of a security-critical system that does not make your product any better, only more yours.
The honest reframe
Building auth does not make your product more valuable to a single customer. No one ever bought your software because you hand-rolled the SAML signature check. It just converts auth from someone else's problem into yours, forever, and spends the engineering you could have put into the thing people actually pay for.
The usual objection to buying, that auth vendors charge a fortune to switch on the enterprise features, is real. But that is an argument about which vendor, not about build versus buy. A lot of that bill is a feature tax you don't have to pay. Buy auth that includes SSO, SCIM, MFA, and audit logs without the per-connection tollbooth, and the build-versus-buy question mostly answers itself.
Before you spend a sprint on a login system, it is worth seeing exactly what enterprise customers will demand from it. Here's what's included, on every plan.