by dewey 1458 days ago
> Using a short-term JWT and bcrypt to salt passwords is like maybe 10 lines of code.

You are presenting an extremely limited scope.

What you get from using an authentication provider are things like verifying email addresses, and OAuth where you just have to "enable" Google, GitHub, or Apple login possibilities. Implementing all these flows yourself is a lot more than 10 lines of code.

Then you also have to do password reset flows, resend email confirmation emails, etc.


Yes, that's why I said "the basics are really easy"? This was not meant to imply 10 lines of code handle the complete user experience workflow around auth. That said, I have implemented OAuth for multiple providers in not many more lines of code. Maybe like 100.
Also two-factor auth via email/SMS codes
Two-factor is actually pretty easily solved too though?
If authentication isn't your core business, there's little reason to handle all these things yourself.
Also password policies, account takeover detection/prevention, user device/session list management.