
Vivian Voss

Originally published at vivianvoss.net

Auth0 — The Identity Tax

[Image: balance scale comparing Auth0's marketing promises (free tier, enterprise security, Fortune 500 trust) against the actual costs (300% per-MAU price hike, $60M breach settlement, session tokens exposed, vendor lock-in via custom Rules).]

The Invoice — Episode 18

"Authentication is hard. Don't roll your own. Use Auth0."

Splendid. Let us examine what one is actually paying for.

Auth0 was founded in 2013. Five months later, Okta's CEO Todd McKinnon made his first acquisition offer. It took eight years of courtship. In May 2021, Okta closed the deal: $6.5 billion in stock, for a company doing roughly $200 million in revenue. The arithmetic suggests the customer would eventually pay for the difference.

The Pricing Invoice

Free up to 7,500 monthly active users. Then Essentials at $35/month for 500 MAUs. Then Professional at $240/month for 1,000 MAUs. Then Enterprise (custom contract, typically $30,000 per year and upwards) once one exceeds 20,000 MAUs.

In late 2023, the per-MAU price on B2C Essentials rose by 300% in a single announcement. The free tier was generously expanded to soften the blow. The relationship between "expanded free tier" and "growth penalty at the boundary" is, by any measure, a study in price discrimination.

The Breach Invoice

January 2022. Lapsus$ compromises a support engineer's laptop. The disclosure triggers an 11% stock drop. Six billion dollars of market capitalisation, gone in a session. The securities class action was settled in July 2024 for $60 million. The incident is now a textbook case in how supply-chain access through a sub-processor (Sitel) can compromise an identity provider.

October 2023. An Okta employee signs into a personal Google profile on their work laptop and saves service account credentials there. Attackers reach the personal account. They access HAR (HTTP Archive) files in the support case management system. The HAR files contain session tokens.

The attackers harvest the tokens and hijack five customer environments. 1Password, Cloudflare, and BeyondTrust each detect suspicious administrator login attempts and notify Okta. The initial public disclosure said 134 customers were affected.

By March 2025, the scope had been quietly expanded: the threat actor had downloaded reports containing the full names and email addresses of every Okta customer, both Workforce Identity and Customer Identity. "All of them" replaced "less than 1%". One does wonder how the recalibration was decided.

The Single Point of Failure Invoice

When Okta has a bad day, every customer has a bad day. The 2023 incident ran roughly two weeks between initial compromise (28 September) and detection (13 October), with public disclosure following on 19 October. During that window, every dependent application's authentication boundary belonged, technically speaking, to the attacker.

The architecture is the cost. Centralising identity at a third party means centralising risk at the same third party.

The Lock-In Invoice

Auth0 Rules and Actions are custom JavaScript hooks. SAML and OIDC are standards; the rest of the integration is not. Migration off Auth0 means:

  • Re-implementing every Rule and Action against your new identity layer
  • Re-issuing tokens for every active user (forced re-authentication)
  • Convincing your customers that yes, this re-authentication is intentional
  • Backporting custom claims your applications now expect

This is not insurmountable. It is, however, the cost of having outsourced something that the database could have done.

The Alternative

Several mature self-hosted options exist:

  • Keycloak (Red Hat) — full IAM, Java, runs on JBoss/WildFly
  • Ory Kratos (Go) — headless, REST APIs, no UI shipped
  • Authentik — cleaner UI than Keycloak, OIDC/SAML/OAuth2
  • FusionAuth — single binary, generous free tier, developer-focused
  • Authelia — lightweight forward auth for reverse proxies
  • Lucia — Node library for application-level auth

And the unfashionable option: a users table with argon2 password hashes, a session token stored in a server-side store (Redis or Postgres), and one route handler per flow (login, register, recover, MFA setup). This pattern has been production-grade since approximately 1995. It still is.

The Pattern

One pays a third party to validate one's own users. Then one pays more when the third party is breached. Then one pays again to migrate when the pricing model changes.

The verification was always something the database could do. Argon2 is a four-line dependency. A session token is a UUID. A login form is one POST handler. The complexity that justified outsourcing was, in many cases, complexity that did not exist.

The password hash was always there. One simply decided it wasn't fancy enough.
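The "unfashionable option" from the previous section, written out as an added example (this is my illustration, not code from the original post or from any of the projects it lists). It assumes two dicts standing in for the users table and the session store (Postgres or Redis in production), and it uses hashlib.scrypt from the standard library in place of argon2 so it runs with no third-party packages; the comment in the module docstring says where argon2-cffi's PasswordHasher would slot in. It shows the four things the post says are enough: a salted password hash, a UUID session token stored server-side with an expiry, one handler per flow, and the server-side revocation that a stateless token cannot give you.

```python
"""Self-hosted auth in one file: users table, salted password hashes, server-side sessions.

Added example, not code from the original post. Assumptions: two dicts stand in
for the users table and the session store (Postgres or Redis in production), and
hashlib.scrypt from the standard library replaces argon2 so this runs with no
third-party packages. With argon2-cffi installed, hash_password/verify_password
would call argon2.PasswordHasher().hash() and .verify() instead.
"""
import hashlib
import hmac
import os
import time
import uuid
from dataclasses import dataclass, field
from typing import Optional

# scrypt cost parameters; N=2**14 keeps memory at 16 MiB so the example runs anywhere.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
SESSION_TTL_SECONDS = 8 * 60 * 60
MIN_PASSWORD_LENGTH = 12  # constructed policy value for this example


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' with a fresh 16-byte salt per user."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


# Hash to verify against when the username does not exist, so a failed login
# costs the same time either way and does not reveal which usernames are real.
_DUMMY_HASH = hash_password("not-a-real-password-placeholder")


@dataclass
class AuthStore:
    users: dict = field(default_factory=dict)     # username -> {"hash": str}
    sessions: dict = field(default_factory=dict)  # token -> {"user": str, "expires": float}

    # One handler per flow, as the post describes: register, login, lookup, logout.
    def register(self, username: str, password: str) -> bool:
        if username in self.users or len(password) < MIN_PASSWORD_LENGTH:
            return False
        self.users[username] = {"hash": hash_password(password)}
        return True

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        record = self.users.get(username)
        stored = record["hash"] if record else _DUMMY_HASH
        # verify_password always runs, even for an unknown user (see _DUMMY_HASH).
        if not verify_password(stored, password) or record is None:
            return None
        token = str(uuid.uuid4())  # 122 random bits; the token itself is the session id
        self.sessions[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
        return token

    def current_user(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if sess["expires"] <= now:
            del self.sessions[token]  # expired: purge rather than keep honouring it
            return None
        return sess["user"]

    def logout(self, token: str) -> bool:
        return self.sessions.pop(token, None) is not None

    def revoke_all(self, username: str) -> int:
        """On password change or suspected compromise, kill every session at once.
        Server-side storage is what makes this a one-liner; a stateless JWT cannot
        be recalled without a denylist."""
        doomed = [t for t, s in self.sessions.items() if s["user"] == username]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple")
    print("logged in as", store.current_user(token))
    print("sessions revoked:", store.revoke_all("alice"))
```

Two design points worth noticing: the dummy hash means a login attempt against a non-existent username does the same amount of work as a real one, so response timing does not enumerate accounts; and because the session record lives on the server, revoking every session for a user after a password change is a dictionary sweep, which is exactly the operation the harvested-token incident described earlier would have needed.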

Read the full article on vivianvoss.net →


By Vivian Voss — System Architect & Software Developer. Follow me on LinkedIn for daily technical writing.
