Authentication as a Service: Slow Progress, But Are We There Yet?
Posted by Bob Warfield on July 11, 2014
Do you really want to write code for users, forgotten passwords, permissions, and admin panels again?
To that I would add, “Do you really want to have to be a world class expert on that stuff to make sure you don’t leave some gaping security hole out of ignorance?” I think the answer is a resounding, “NO!” to both questions. Why do it in this world of Agile Development, Lean Startups, and Minimum Viable Products? It’s one of those things everyone does (and should do) pretty much the same way from a user’s perspective, so there is no opportunity for differentiation. You have to do it right because the downside of security problems is huge. You have to do it right up front to protect your customer’s data and your investment (so nobody gets to use your products for free). There’s basically very little upside to rolling your own (it’ll only slow you down) and tremendous downside. Hence, you’d like to buy a service.
I keep going around this block for my own company’s (CNCCookbook) products, and I surely would like to get off that merry-go-round. I wanted to buy this some time ago, and have written about it for quite a while. For example, in an article I wrote 4 years ago on PaaS Strategy (Platform as a Service), I suggested login would be an ideal service for a PaaS to offer, in these words:
Stuff like your login and authentication subsystem. You’re not really going to try to build a better login and authentication system, are you?
I sound just like AuthRocket there, don’t I? I’m sure that’s not the earliest mention I’ve made, because I’ve been looking for this stuff for a long time now. As I say, I had to roll my own because I couldn’t find a good solution. I would still like to replace the solution that CNCCookbook uses with a nice Third-Party service. I only have a few very generic requirements:
– It has to offer what I need. Basically that’s Email + Password login with all the account and forgotten password management interactions handled for me. It would be very nice if they do Federated Login using the other popular web services like Amazon, Facebook, Twitter, Google, or whatever. It would also be very nice if it could do two-factor login. The latter two are optional.
– It has to work well. I judge this by who has adopted it and how it is reviewed.
– It has to be here for the long haul. I’ll judge this by size of customer base and quality of backers. AuthRocket, for example, is still at the invitation-only Beta stage. That’s too early for me. I have mature products and don’t want to have to change out this service too often.
– It has to be easy for me to access the APIs. I prefer a nice RESTful API, but I will take a platform-specific API for my chosen development platform: Adobe Flex. And no, I don’t want to debate that platform; it has worked fabulously well for me, the products are mature, and I am not looking to switch.
– It has to be easy to tie it back to securing my data in the Amazon Web Services Cloud.
– Optional Bonus: It helps me solve the problem of disconnected data access. My apps are Adobe AIR apps. You download and can run without a web connection for a period of time. This is important to my audience, but means I’ve got to use data models that keep local copies and sync with the Cloud when they get connected.
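To make the first requirement concrete, here is an added example (my own illustration, not code from CNCCookbook, AuthRocket, or any of the services discussed) of the bare minimum that “Email + Password login with forgotten password management” means when you roll it yourself: salted, slow password hashing; constant-time comparison; reset tokens that are random, stored only as a hash, time-limited, and single-use; and a reset endpoint that behaves the same whether or not the address exists. The in-memory store, the PBKDF2 iteration count, and the 15-minute token lifetime are this example’s own choices, and the e-mail sending step is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not the page's code: tunables below are illustrative choices.
PBKDF2_ROUNDS = 100_000           # slow, salted hash; raise as hardware allows
RESET_TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash; the salt makes identical passwords differ."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    # Only a hash of the outstanding reset token is kept, so a copied
    # database does not contain usable reset links.
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


class AuthStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._accounts: Dict[str, Account] = {}
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, password: str) -> None:
        key = self._key(email)
        if key in self._accounts:
            raise ValueError("account already exists")
        salt = secrets.token_bytes(16)
        self._accounts[key] = Account(key, salt, _hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        account = self._accounts.get(self._key(email))
        if account is None:
            # Do the same work for unknown addresses so timing does not
            # reveal which e-mails are registered.
            _hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(_hash_password(password, account.salt),
                                   account.password_hash)

    def request_reset(self, email: str) -> Optional[str]:
        """Return the raw token to e-mail to the user, or None if no such
        account. The HTTP layer should answer identically in both cases."""
        account = self._accounts.get(self._key(email))
        if account is None:
            return None
        token = secrets.token_urlsafe(32)
        account.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        account.reset_expires_at = self._clock() + RESET_TOKEN_TTL_SECONDS
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        account = self._accounts.get(self._key(email))
        if account is None or account.reset_token_hash is None:
            return False
        if self._clock() > account.reset_expires_at:
            account.reset_token_hash = None  # expired: discard, require a new request
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, account.reset_token_hash):
            return False
        account.salt = secrets.token_bytes(16)  # fresh salt with the new password
        account.password_hash = _hash_password(new_password, account.salt)
        account.reset_token_hash = None  # single use
        return True
```

Every one of these details is a place where a home-grown implementation commonly goes wrong (plain or fast hashes, predictable or never-expiring reset tokens, reset pages that reveal which addresses are registered), which is exactly the “world class expert” burden the post wants to hand to a service.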
While my apps are not yet available on iOS or Android, all of those things are almost exactly the same problems any Mobile App developer faces. Therefore, this ought to be a hotbed of activity, and I guess it is, but so far I still can never seem to find the right solution for me, and I don’t think I’m asking for anything all that crazy. Let me tell you a little bit about my two most recent near misses.
I was very excited to read about Amazon’s new Cognito service. At CNCCookbook we’re big Amazon believers, and use all sorts of their services. Unfortunately, at least until Cognito, they didn’t really have a good service for solving CNCCookbook’s authentication problems. They had IAM, which is a very complicated, very heavy-weight, very Big Corporate IT kind of solution. It looked kind of like maybe you could do it if you had to, but you’d still wind up writing all the darned password management stuff, and it looked like it was going to be a real ordeal. Mostly, I think of IAM as the tool used to define roles for how broad classes of users can access the various other Amazon offerings. I wanted another service of some kind to be the sort of simpler, friendlier front end to IAM. Enter Cognito, and it sure sounded good:
Amazon Cognito lets you securely store, manage, and sync user identities and app data in the AWS Cloud, and manage and sync this data across multiple devices and OS platforms. You can do this with just a few lines of code, and your app can work the same, regardless of whether a user’s devices are online or offline.
You can use Amazon Cognito directly from your mobile app without building or maintaining any backend infrastructure. Amazon Cognito handles secure app data storage and sync, enabling you to focus on your app experiences, instead of the heavy lifting of creating and managing a user data sync solution.
A guy like me loves the part about, “You can do this with just a few lines of code” followed by “without building or maintaining any backend infrastructure.” Now that’s what I’m talking about, I gotta get me some of this!
It’s nearly all there:
– Amazon is an outfit that can be trusted for the long haul.
– REST APIs are no problem; that’s how Amazon prefers to operate.
– Tie back to other Amazon Web Services? Puh-lease, who do you think you’re talking to, of course one Amazon Service talks to the others!
– Sync? Yeah, baby, that’s what Cognito is all about. More potential time savings for yours truly.
Oops, just one little shortcoming: it only does Federated Login via Amazon, Facebook, or Google. That’s cool and all, but where’s my Email + Password login so I can seamlessly move customers over to it? Maybe I missed it, maybe it’s coming, or maybe Amazon just doesn’t think it’s important. Can I live with forcing my users to make sure they have either an Amazon, Facebook, or Google account? Yeah, I guess maybe, but we sell a B2B app and it sure seems kind of unprofessional somehow.
Amazon, can you please fill this hole ASAP?
I hear fabulous things about Firebase, I really do. People seem to love it. It’s chock full of great functionality, and on the surface of it, Firebase should fit my needs. Yet, when I dig in deep, I find that the login piece is kind of a red-headed stepchild. Yeah, they advertise Email + Password Login, and they even tell you how to do it. But there’s no RESTful API available for it. They list all the right operations: