DEV Community: crytp0-nerd The latest articles on DEV Community by crytp0-nerd (@crypt0-nerd). https://dev.to/crypt0-nerd https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3929431%2F5d0984ef-7950-4b6c-8f26-cacb87351463.png DEV Community: crytp0-nerd https://dev.to/crypt0-nerd en Is "good enough" auth hiding a bigger security problem? crytp0-nerd Wed, 13 May 2026 13:50:40 +0000 https://dev.to/crypt0-nerd/is-decentralised-iam-actually-useful-3d4n https://dev.to/crypt0-nerd/is-decentralised-iam-actually-useful-3d4n <p>been following a small startup in sydney thats working on decentralised IAM / security fabric stuff, and i think im becoming a bit of a fan of the idea.</p> <p>what im trying to understand is why more people arent excited about this kind of thing, especially now that software is getting built faster with ai and security feels more chaotic than ever.</p> <p>most apps still end up with a few scary central points of trust. auth provider, secrets manager, sessions, recovery flows, admin access, user db, that kind of thing.</p> <p>if one of those gets breached or misconfigured, the blast radius can be pretty ugly.</p> <p>the idea i find interesting is not really decentralisation for the sake of it. its more like, can we avoid having one big pile of sensitive stuff sitting somewhere in the first place?</p> <p>i can imagine a few use cases where this might matter:</p> <ul> <li>apps where users own their data and choose what gets shared</li> <li>health / finance / legal apps with sensitive user data</li> <li>identity and access management</li> <li>key management / signing flows</li> <li>recovery flows where one admin or provider shouldnt have too much power</li> <li>ai-built apps where people might ship faster than they understand the security model</li> <li>apps that want security without holding all the sensitive stuff themselves</li> </ul> <p>but i can also see why people might not bother. existing tools are pretty mature, and adding another layer to auth/security is not exactly something devs do for fun.</p> <p>the questions i keep coming back to are:</p> <ul> <li>who runs the nodes?</li> <li>what happens if they go down?</li> <li>how does recovery work?</li> <li>does this make debugging painful?</li> <li>is the latency noticeable?</li> <li>does it reduce trust, or just move trust somewhere else?</li> <li>is Keycloak/Auth0/Okta/KMS already good enough for most teams?</li> </ul> <p>i think the dx is probably the make or break part. if normal devs cant understand it, debug it, or integrate it without pain, it probably wont matter how good the security model is.</p> <p>curious what people think. are there real use cases where decentralised IAM/security fabric makes sense, or is it just too much complexity for most apps?</p> <p>also keen to hear what use cases im not thinking of, because im probably missing some obvious ones.</p> discuss security software webdev